From patchwork Sun Apr 12 08:09:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11484453 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C5AD8186E for ; Sun, 12 Apr 2020 08:10:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A9B5220709 for ; Sun, 12 Apr 2020 08:10:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726658AbgDLIKO (ORCPT ); Sun, 12 Apr 2020 04:10:14 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:45332 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725812AbgDLIKO (ORCPT ); Sun, 12 Apr 2020 04:10:14 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id DE37B5600AC for ; Sun, 12 Apr 2020 10:10:10 +0200 (CEST) 
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings Date: Sun, 12 Apr 2020 10:09:59 +0200 Message-Id: <20200412081001.23246-1-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.26.0 MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sun Apr 12 10:10:11 2020 +0200 (CEST)) X-Spam-Flag: No, tests=bogofilter, spamicity=0.000000, queueID=1F0105600AF X-Org-Mail: nicolas.iooss.2010@polytechnique.org Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The Python bindings for libselinux expose functions such as avc_has_perm(), get_ordered_context_list(), etc. When these functions encounter an error, they set errno accordingly and return a negative value. In order to get the value of errno from Python code, it needs to be "forwarded" in a way. This is achieved by glue code in selinuxswig_python_exception.i, which implement raising an OSError exception from the value of errno. selinuxswig_python_exception.i was only generating glue code from functions declared in selinux.h and not in other headers. Add other headers. selinuxswig_python_exception.i is generated by "bash exception.sh". Mark the fact that exception.sh is a Bash script by adding a shebang. This makes "shellcheck" not warn about the Bash array which is used to list header files. Signed-off-by: Nicolas Iooss Acked-by: William Roberts --- libselinux/src/exception.sh | 18 +- libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++ 2 files changed, 412 insertions(+), 2 deletions(-) diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh index 33ceef804af5..644c7a05ec54 100755 --- a/libselinux/src/exception.sh +++ b/libselinux/src/exception.sh @@ -1,3 +1,5 @@ +#!/bin/bash + function except() { case $1 in selinux_file_context_cmp) # ignore 
@@ -15,10 +17,22 @@ echo " ;; esac } -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h + +# Make sure that selinux.h is included first in order not to depend on the order +# in which "#include " appears in other files. +FILE_LIST=( + ../include/selinux/selinux.h + ../include/selinux/avc.h + ../include/selinux/context.h + ../include/selinux/get_context_list.h + ../include/selinux/get_default_type.h + ../include/selinux/label.h + ../include/selinux/restorecon.h +) +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux then # clang does not support -aux-info so fall back to gcc - gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h + cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux fi for i in `awk '/.*extern int/ { print $6 }' temp.aux`; do except $i ; done rm -f -- temp.aux temp.o diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i index cf6582595ee7..9f1f86a5564d 100644 --- a/libselinux/src/selinuxswig_python_exception.i +++ b/libselinux/src/selinuxswig_python_exception.i 
@@ -952,3 +952,399 @@ } } + +%exception avc_sid_to_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_sid_to_context_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_context_to_sid { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_context_to_sid_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception sidget { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception sidput { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_get_initial_sid { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_init { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_open { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_reset { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_has_perm_noaudit { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_has_perm { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_compute_create { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_compute_member { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_add_callback { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_netlink_open { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_netlink_acquire_fd { + 
$action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception avc_netlink_check_nb { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_open { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_updated { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_getenforce { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_policyload { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_status_deny_unknown { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_type_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_range_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_role_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception context_user_set { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_ordered_context_list { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_ordered_context_list_with_level { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_context_with_level { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_context_with_role { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + 
SWIG_fail; + } +} + + +%exception get_default_context_with_rolelevel { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception query_user_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception manual_user_enter_context { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception get_default_type { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup_best_match { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_lookup_best_match_raw { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selabel_digest { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_restorecon { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_restorecon_set_alt_rootpath { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + + +%exception selinux_restorecon_xattr { + $action + if (result < 0) { + PyErr_SetFromErrno(PyExc_OSError); + SWIG_fail; + } +} + From patchwork Sun Apr 12 08:10:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11484449 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1DAC4174A for ; Sun, 12 Apr 2020 08:10:15 +0000 (UTC) Received: from 
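Review bot: the generated `%exception context_type_set`, `context_range_set`, `context_role_set` and `context_user_set` blocks in the selinuxswig_python_exception.i hunk only raise when `result < 0`, but patch 3/3 of this series states that these functions currently return 1 on error, so with 1/3 applied on its own those bindings still return normally on failure instead of raising OSError; either fold the return-value fix into this patch or say in the commit message that 3/3 must land first. Minor, in the exception.sh hunk: the unchanged `for i in \`awk '/.*extern int/ { print $6 }' temp.aux\`; do except $i ; done` line uses legacy backticks and an unquoted `$i`, which shellcheck will still report (SC2006, SC2086) now that the shebang declares the file as Bash; `for i in $(awk '/.*extern int/ { print $6 }' temp.aux); do except "$i"; done` keeps the script warning-free, which is what the commit message sets out to achieve.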
vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0073720708 for ; Sun, 12 Apr 2020 08:10:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726689AbgDLIKN (ORCPT ); Sun, 12 Apr 2020 04:10:13 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:37295 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726614AbgDLIKN (ORCPT ); Sun, 12 Apr 2020 04:10:13 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 291C95600AC for ; Sun, 12 Apr 2020 10:10:12 +0200 (CEST) From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 2/3] libselinux: copy the reason why selinux_status_open() returns 1 Date: Sun, 12 Apr 2020 10:10:00 +0200 Message-Id: <20200412081001.23246-2-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200412081001.23246-1-nicolas.iooss@m4x.org> References: <20200412081001.23246-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sun Apr 12 10:10:12 2020 +0200 (CEST)) X-Spam-Flag: No, tests=bogofilter, spamicity=0.000000, queueID=60ACF5600AF X-Org-Mail: nicolas.iooss.2010@polytechnique.org Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org The function comment of selinux_status_open() states: It returns 0 on success, or -1 on error. However the implementation of this function can also return 1. This is documented in its manpage (libselinux/man/man3/selinux_status_open.3) as intended. Copy the reason near the function definition in order to make the code more auditable. Signed-off-by: Nicolas Iooss --- libselinux/src/sestatus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c index ede5a28980bf..86267ff89646 100644 --- a/libselinux/src/sestatus.c +++ b/libselinux/src/sestatus.c @@ -250,7 +250,9 @@ static int fallback_cb_policyload(int policyload) * Since Linux 2.6.37 or later supports this feature, we may run * fallback routine using a netlink socket on older kernels, if * the supplied `fallback' is not zero. - * It returns 0 on success, or -1 on error. + * It returns 0 on success, -1 on error or 1 when we are ready to + * use these interfaces, but netlink socket was opened as fallback + * instead of the kernel status page. */ int selinux_status_open(int fallback) { From patchwork Sun Apr 12 08:10:01 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 11484451 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 42608912 for ; Sun, 12 Apr 2020 08:10:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2559E20708 for ; Sun, 12 Apr 2020 08:10:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726614AbgDLIKO (ORCPT ); Sun, 12 Apr 2020 04:10:14 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:49100 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726658AbgDLIKN (ORCPT ); Sun, 12 Apr 2020 04:10:13 -0400 Received: from localhost.localdomain (85-168-38-217.rev.numericable.fr [85.168.38.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id E68A15600AC for ; Sun, 12 Apr 2020 10:10:12 +0200 (CEST) 
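Review bot: the new comment text "-1 on error or 1 when we are ready to use these interfaces, but netlink socket was opened as fallback instead of the kernel status page" is hard to parse on first read; suggest splitting it so the two non-error outcomes are distinct, e.g. "It returns 0 on success (kernel status page mapped), 1 on success with the netlink socket opened as a fallback instead of the status page, or -1 on error." Since the point of the change is to make the 1 return auditable, it is also worth stating explicitly in the comment that callers must test for `< 0` rather than `!= 0` to detect failure, otherwise the documented fallback case reads as an error.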
From: Nicolas Iooss To: selinux@vger.kernel.org Subject: [PATCH 3/3] libselinux: make context_*_set() return -1 when an error occurs Date: Sun, 12 Apr 2020 10:10:01 +0200 Message-Id: <20200412081001.23246-3-nicolas.iooss@m4x.org> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200412081001.23246-1-nicolas.iooss@m4x.org> References: <20200412081001.23246-1-nicolas.iooss@m4x.org> MIME-Version: 1.0 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sun Apr 12 10:10:13 2020 +0200 (CEST)) X-Spam-Flag: No, tests=bogofilter, spamicity=0.000001, queueID=2E4DC5600AF X-Org-Mail: nicolas.iooss.2010@polytechnique.org Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org In libselinux, most functions set errno and return -1 when an error occurs. But some functions return 1 instead, such as context_type_set(), context_role_set(), etc. This increases the difficulty of writing Python bindings of these functions without much benefit. Return -1 instead (errno was already set). Signed-off-by: Nicolas Iooss --- libselinux/src/context.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libselinux/src/context.c b/libselinux/src/context.c index 090264a49eb1..ce4258806c53 100644 --- a/libselinux/src/context.c +++ b/libselinux/src/context.c @@ -151,14 +151,14 @@ static int set_comp(context_private_t * n, int idx, const char *str) if (str) { t = (char *)malloc(strlen(str) + 1); if (!t) { - return 1; + return -1; } for (p = str; *p; p++) { if (*p == '\t' || *p == '\n' || *p == '\r' || ((*p == ':' || *p == ' ') && idx != COMP_RANGE)) { free(t); errno = EINVAL; - return 1; + return -1; } } strcpy(t, str);
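Review bot: both `return 1;` to `return -1;` changes in set_comp() alter the return value of public functions (context_type_set() and friends, per the commit message), so any existing caller written against `ret == 1` will now miss the failure; the commit message should call out this API-visible change and the context_new(3) man page should be checked in the same patch so that its documented return value matches. On the malloc-failure path the patch relies on malloc having set errno, which is fine, but the EINVAL path validates `str` only after allocating and then has to `free(t)` on rejection; moving the character check ahead of the `malloc(strlen(str) + 1)` (or using strdup() after validation) removes that free on the error path and makes the -1 return sites easier to audit.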