Currently sepolgen fails to parse the reference policy: Parsing interface files: %--10---20---30---40---50---60---70---80---90--100 #############/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1737 - [type=MINUS] /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS] error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS]" /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS] error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS]" ############################/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 183 $1_port_forwarding [type=IDENTIFIER] /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE] error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE]" ######/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2137 true [type=TRUE] /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2148 ' [type=SQUOTE] /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2152 ' [type=SQUOTE] /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2163 ' [type=SQUOTE] /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE] error parsing file 
/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE]" ##failed to parse some headers: /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if, /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if, /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if, /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if Missing interface definition for init_startstop_service Missing interface definition for init_startstop_service ... Accept chained ifelse blocks, genfscon statements with file specifiers, and booleans with unquoted identifiers. Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
python/sepolgen/src/sepolgen/refparser.py | 74 +++++++++++++++++------
python/sepolgen/src/sepolgen/refpolicy.py | 8 +++
2 files changed, 65 insertions(+), 17 deletions(-)
diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
index 1bb90564..e261d3f7 100644
--- a/python/sepolgen/src/sepolgen/refparser.py
+++ b/python/sepolgen/src/sepolgen/refparser.py
@@ -418,19 +418,41 @@ def p_tunable_policy(p):
 collect(p[12], x, val=False)
 p[0] = [x]
-def p_ifelse(p):
- '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
- | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+def p_ifelse_compare_value(p):
+ '''ifelse_compare_value : TICK IDENTIFIER SQUOTE
+ | TICK TRUE SQUOTE
+ | TICK FALSE SQUOTE
+ | TICK SQUOTE
+ | empty
 '''
-# x = refpolicy.IfDef(p[4])
-# v = True
-# collect(p[8], x, val=v)
-# if len(p) > 12:
-# collect(p[12], x, val=False)
-# p[0] = [x]
- pass
+ if len(p) == 4:
+ p[0] = p[2]
+ else:
+ p[0] = None
+
+def p_ifelse_section(p):
+ '''ifelse_section : TICK IDENTIFIER SQUOTE COMMA ifelse_compare_value COMMA TICK interface_stmts SQUOTE
+ '''
+ x = refpolicy.IfElse(p[2])
+ collect(p[8], x, val=True)
+ p[0] = [x]
+
+def p_ifelse_sections(p):
+ '''ifelse_sections : ifelse_sections COMMA ifelse_section
+ | ifelse_section
+ '''
+ if len(p) == 4:
+ p[0] = p[1] + p[3]
+ else:
+ p[0] = p[1]
+def p_ifelse(p):
+ '''ifelse : IFELSE OPAREN ifelse_sections COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+ '''
+ x = refpolicy.IfElse(p[3])
+ collect(p[3], x, val=True)
+ collect(p[6], x, val=False)
+ p[0] = [x]
 def p_ifdef(p):
 '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
@@ -460,6 +482,7 @@ def p_interface_call(p):
 def p_interface_call_param(p):
 '''interface_call_param : IDENTIFIER
 | IDENTIFIER MINUS IDENTIFIER
+ | MINUS IDENTIFIER
 | nested_id_set
 | TRUE
 | FALSE
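Review bot: `x = refpolicy.IfElse(p[3])` in the new `p_ifelse` passes the list of section nodes built by `ifelse_sections` as the `name` argument, so the wrapper node's `to_string()` will render a Python list instead of an identifier; since the very next line `collect(p[3], x, val=True)` already attaches those sections as children, `x = refpolicy.IfElse()` (or `refpolicy.IfElse(p[3][0].name)` if the first compared identifier is wanted as the label) looks like the intent. Relatedly, `p_ifelse_compare_value` returns `p[2]`/`None` but `p_ifelse_section` never reads `p[5]`, so the compared value is parsed and dropped — either store it on the node or add a comment such as `# compare value is syntax-checked only; not recorded` so the omission is visibly deliberate. The other new functions in this hunk are separated by a blank `+` line but `p_ifelse_sections` runs straight into `def p_ifelse(p):`; unless that blank line was lost when the mail was wrapped, add it for PEP 8 consistency with the rest of the file.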
@@ -469,6 +492,8 @@ def p_interface_call_param(p):
 # List means set, non-list identifier
 if len(p) == 2:
 p[0] = p[1]
+ elif len(p) == 3:
+ p[0] = "-" + p[2]
 else:
 p[0] = [p[1], "-" + p[3]]
@@ -558,6 +583,8 @@ def p_requires(p):
 | requires require
 | ifdef
 | requires ifdef
+ | ifelse
+ | requires ifelse
 '''
 pass
@@ -609,12 +636,17 @@ def p_initial_sid(p):
 p[0] = s
 def p_genfscon(p):
- '''genfscon : GENFSCON IDENTIFIER PATH context'''
-
+ '''genfscon : GENFSCON IDENTIFIER PATH context
+ | GENFSCON IDENTIFIER PATH MINUS IDENTIFIER context
+ | GENFSCON IDENTIFIER PATH MINUS MINUS context
+ '''
 g = refpolicy.GenfsCon()
 g.filesystem = p[2]
 g.path = p[3]
- g.context = p[4]
+ if len(p) == 5:
+ g.context = p[4]
+ else:
+ g.context = p[6]
 p[0] = g
@@ -848,11 +880,19 @@ def p_bool(p):
 p[0] = b
 def p_gen_tunable(p):
- '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
+ '''gen_tunable : GEN_TUNABLE OPAREN IDENTIFIER COMMA TRUE CPAREN
+ | GEN_TUNABLE OPAREN IDENTIFIER COMMA FALSE CPAREN
+ | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
 | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN'''
 b = refpolicy.Bool()
- b.name = p[4]
- if p[7] == "true":
+ if len(p) == 7:
+ id_pos = 3
+ state_pos = 5
+ else:
+ id_pos = 4
+ state_pos = 7
+ b.name = p[id_pos]
+ if p[state_pos] == "true":
 b.state = True
 else:
 b.state = False
diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
index 9cac1b95..f139dde4 100644
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@@ -899,6 +899,14 @@ class IfDef(Node):
 def to_string(self):
 return "[Ifdef name: %s]" % self.name
+class IfElse(Node):
+ def __init__(self, name="", parent=None):
+ Node.__init__(self, parent)
+ self.name = name
+
+ def to_string(self):
+ return "[Ifelse name: %s]" % self.name
+
 class InterfaceCall(Leaf):
 def __init__(self, ifname="", parent=None):
 Leaf.__init__(self, parent)
--
2.43.0
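Review bot: The new `elif len(p) == 3` branch returns the bare string `"-" + p[2]` for a `MINUS IDENTIFIER` parameter, while the comment directly above (`# List means set, non-list identifier`) documents that a non-list result is a single identifier and only a list denotes a set; a consumer following that contract cannot tell a negated name from a plain identifier that happens to be called `-foo`. Returning it in set form, `p[0] = ["-" + p[2]]`, keeps it on the same path as the `IDENTIFIER MINUS IDENTIFIER` case two lines below, unless downstream code already special-cases a leading dash on a string (not visible here, so please check before changing). The grammar alternative that feeds this branch is added in the earlier `@@ -460` hunk of the same file.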
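Review bot: The two new `genfscon` alternatives parse the file-type specifier (`MINUS IDENTIFIER`, e.g. `-d`, or `MINUS MINUS`) but the body then discards it: only `p[2]`, `p[3]` and the context are stored on `refpolicy.GenfsCon`, so two statements for the same filesystem and path that differ only in the specifier yield indistinguishable nodes. If sepolgen ever needs to emit or compare these entries, keep the specifier, e.g. `g.filetype = p[4] + p[5] if len(p) == 7 else None` (assuming the token values are the literal characters) together with a matching attribute on `GenfsCon`; if dropping it is intentional, a one-line comment such as `# file type specifier (-d, -c, --, ...) is accepted but not recorded` makes that explicit for the next reader.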
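Review bot: In `p_gen_tunable` the four `id_pos`/`state_pos` assignments followed by the `if p[state_pos] == "true"` branch are index bookkeeping that can be expressed directly without changing behavior: `b.name, state = (p[3], p[5]) if len(p) == 7 else (p[4], p[7])` and then `b.state = state == "true"`. That keeps the two grammar shapes (unquoted identifier vs. `TICK IDENTIFIER SQUOTE`) visibly side by side and removes two throwaway locals. The function body continues past the end of this hunk, so the final `p[0] = b` is presumably unchanged outside the view.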
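Review bot: The new `IfElse` class has no docstring, and the only thing that distinguishes it from the `IfDef` just above is the label inside `to_string()`, so a reader of refpolicy.py cannot tell what `name` is expected to hold. Add a short class docstring, for example `"""An m4 ifelse() block from a reference-policy interface file; `name` is the compared identifier."""`, and make sure it agrees with what the parser passes — in the accompanying refparser.py hunk the outer block is constructed with the list of section nodes as `name`, which the docstring and that call site should reconcile. A one-line comment on `__init__` noting that `parent` is forwarded unchanged to `Node.__init__` would also match how the neighbouring classes are written.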