On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> The Python bindings for libselinux expose functions such as
> avc_has_perm(), get_ordered_context_list(), etc. When these functions
> encounter an error, they set errno accordingly and return a negative
> value. In order to get the value of errno from Python code, it needs to
> be "forwarded" in a way. This is achieved by glue code in
> selinuxswig_python_exception.i, which implement raising an OSError
> exception from the value of errno.
>
> selinuxswig_python_exception.i was only generating glue code from
> functions declared in selinux.h and not in other headers. Add other
> headers.
>
> selinuxswig_python_exception.i is generated by "bash exception.sh". Mark
> the fact that exception.sh is a Bash script by adding a shebang. This
> makes "shellcheck" not warn about the Bash array which is used to list
> header files.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
> ---
> libselinux/src/exception.sh | 18 +-
> libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++
> 2 files changed, 412 insertions(+), 2 deletions(-)
>
> diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh
> index 33ceef804af5..644c7a05ec54 100755
> --- a/libselinux/src/exception.sh
> +++ b/libselinux/src/exception.sh
> @@ -1,3 +1,5 @@
> +#!/bin/bash
> +
> function except() {
> case $1 in
> selinux_file_context_cmp) # ignore
> @@ -15,10 +17,22 @@ echo "
> ;;
> esac
> }
> -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
> +
> +# Make sure that selinux.h is included first in order not to depend on the order
> +# in which "#include <selinux/selinux.h>" appears in other files.
> +FILE_LIST=(
> + ../include/selinux/selinux.h
> + ../include/selinux/avc.h
> + ../include/selinux/context.h
> + ../include/selinux/get_context_list.h
> + ../include/selinux/get_default_type.h
> + ../include/selinux/label.h
> + ../include/selinux/restorecon.h
> +)
> +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux
> then
> # clang does not support -aux-info so fall back to gcc
> - gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
> + cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux
> fi
> for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
> rm -f -- temp.aux temp.o
> diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
> index cf6582595ee7..9f1f86a5564d 100644
> --- a/libselinux/src/selinuxswig_python_exception.i
> +++ b/libselinux/src/selinuxswig_python_exception.i
> @@ -952,3 +952,399 @@
> }
> }
>
> +
> +%exception avc_sid_to_context {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_sid_to_context_raw {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_context_to_sid {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_context_to_sid_raw {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception sidget {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception sidput {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_get_initial_sid {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_init {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_open {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_reset {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_has_perm_noaudit {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_has_perm {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_compute_create {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_compute_member {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_add_callback {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_netlink_open {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_netlink_acquire_fd {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception avc_netlink_check_nb {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_status_open {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_status_updated {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_status_getenforce {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_status_policyload {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_status_deny_unknown {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception context_type_set {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception context_range_set {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception context_role_set {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception context_user_set {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception get_ordered_context_list {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception get_ordered_context_list_with_level {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception get_default_context {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception get_default_context_with_level {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception get_default_context_with_role {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception get_default_context_with_rolelevel {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception query_user_context {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception manual_user_enter_context {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception get_default_type {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selabel_lookup {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selabel_lookup_raw {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selabel_lookup_best_match {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selabel_lookup_best_match_raw {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selabel_digest {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_restorecon {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_restorecon_set_alt_rootpath {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> +
> +%exception selinux_restorecon_xattr {
> + $action
> + if (result < 0) {
> + PyErr_SetFromErrno(PyExc_OSError);
> + SWIG_fail;
> + }
> +}
> +
> --
> 2.26.0
>
A few comments:
- overall looks fine, builds and works as expected.
- Why the double newline space on the exception swig file? The other
.i files seem to do a single newline?
is their something I am missing with syntax?
- I have the following whitespace warning:
Applying: libselinux: add missing glue code to grab errno in Python bindings
.git/rebase-apply/patch:444: new blank line at EOF.
+
warning: 1 line adds whitespace errors.
