On Thu, Feb 22, 2024 at 2:31 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > Currently sepolgen fails to parse the reference policy: > > Parsing interface files: > %--10---20---30---40---50---60---70---80---90--100 > #############/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1737 - [type=MINUS] > /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS] > error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS]" > /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS] > error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS]" > ############################/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 183 $1_port_forwarding [type=IDENTIFIER] > /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE] > error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE]" > ######/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2137 true [type=TRUE] > /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2148 ' [type=SQUOTE] > /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2152 ' [type=SQUOTE] > /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2163 ' [type=SQUOTE] > 
/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE]
> error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE]"
> ##failed to parse some headers: /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if, /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if, /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if, /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if
> Missing interface definition for init_startstop_service
> Missing interface definition for init_startstop_service
> ...
>
> Accept chained ifelse blocks, genfscon statements with file specifiers,
> and booleans with unquoted identifiers.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> python/sepolgen/src/sepolgen/refparser.py | 74 +++++++++++++++++------
> python/sepolgen/src/sepolgen/refpolicy.py | 8 +++
> 2 files changed, 65 insertions(+), 17 deletions(-)
>
> diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
> index 1bb90564..e261d3f7 100644
> --- a/python/sepolgen/src/sepolgen/refparser.py
> +++ b/python/sepolgen/src/sepolgen/refparser.py
> @@ -418,19 +418,41 @@ def p_tunable_policy(p):
> collect(p[12], x, val=False)
> p[0] = [x]
>
> -def p_ifelse(p):
> - '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> - | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> - | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> +def p_ifelse_compare_value(p):
> + '''ifelse_compare_value : TICK IDENTIFIER SQUOTE
> + | TICK TRUE SQUOTE
> + | TICK FALSE SQUOTE
> + | TICK SQUOTE
> + | empty
> '''
> -# x = refpolicy.IfDef(p[4])
> -# v = True
> -# collect(p[8], x, val=v)
> -# if len(p) > 12:
> -# collect(p[12], x, val=False)
> -# p[0] = [x]
> - pass
> + if len(p) == 4:
> + p[0] = p[2]
> + else:
> + p[0] = None
> +
> +def p_ifelse_section(p):
> + '''ifelse_section : TICK IDENTIFIER SQUOTE COMMA ifelse_compare_value COMMA TICK interface_stmts SQUOTE
> + '''
> + x = refpolicy.IfElse(p[2])
> + collect(p[8], x, val=True)
> + p[0] = [x]
> +
> +def p_ifelse_sections(p):
> + '''ifelse_sections : ifelse_sections COMMA ifelse_section
> + | ifelse_section
> + '''
> + if len(p) == 4:
> + p[0] = p[1] + p[3]
> + else:
> + p[0] = p[1]
>
> +def p_ifelse(p):
> + '''ifelse : IFELSE OPAREN ifelse_sections COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> + '''
> + x = refpolicy.IfElse(p[3])
> + collect(p[3], x, val=True)
> + collect(p[6], x, val=False)
> + p[0] = [x]
>
> def p_ifdef(p):
> '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
> @@ -460,6 +482,7 @@ def p_interface_call(p):
> def p_interface_call_param(p):
> '''interface_call_param : IDENTIFIER
> | IDENTIFIER MINUS IDENTIFIER
> + | MINUS IDENTIFIER
> | nested_id_set
> | TRUE
> | FALSE
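Review bot: `p_ifelse` hands the whole list of section nodes to the wrapper as its name (`x = refpolicy.IfElse(p[3])`), so `IfElse.name` on the outer node is a list of `IfElse` objects rather than a string, `to_string` will print the list's repr, and the same nodes are then attached again as children by the following `collect(p[3], x, val=True)`. Since every section already carries its macro argument via `refpolicy.IfElse(p[2])` in `p_ifelse_section`, the wrapper most likely wants no name at all: `x = refpolicy.IfElse()`. Separately, `ifelse_compare_value` is parsed but its value is dropped in `p_ifelse_section` (only `p[2]` and `p[8]` are used), so the tree cannot tell which branch a comparison selects; if sepolgen deliberately harvests statements from every branch, a one-line comment such as `# comparison value is not retained: statements of all branches are collected` would make that intent explicit.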
> @@ -469,6 +492,8 @@ def p_interface_call_param(p):
> # List means set, non-list identifier
> if len(p) == 2:
> p[0] = p[1]
> + elif len(p) == 3:
> + p[0] = "-" + p[2]
> else:
> p[0] = [p[1], "-" + p[3]]
>
> @@ -558,6 +583,8 @@ def p_requires(p):
> | requires require
> | ifdef
> | requires ifdef
> + | ifelse
> + | requires ifelse
> '''
> pass
>
> @@ -609,12 +636,17 @@ def p_initial_sid(p):
> p[0] = s
>
> def p_genfscon(p):
> - '''genfscon : GENFSCON IDENTIFIER PATH context'''
> -
> + '''genfscon : GENFSCON IDENTIFIER PATH context
> + | GENFSCON IDENTIFIER PATH MINUS IDENTIFIER context
> + | GENFSCON IDENTIFIER PATH MINUS MINUS context
> + '''
> g = refpolicy.GenfsCon()
> g.filesystem = p[2]
> g.path = p[3]
> - g.context = p[4]
> + if len(p) == 5:
> + g.context = p[4]
> + else:
> + g.context = p[6]
>
> p[0] = g
>
> @@ -848,11 +880,19 @@ def p_bool(p):
> p[0] = b
>
> def p_gen_tunable(p):
> - '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
> + '''gen_tunable : GEN_TUNABLE OPAREN IDENTIFIER COMMA TRUE CPAREN
> + | GEN_TUNABLE OPAREN IDENTIFIER COMMA FALSE CPAREN
> + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
> | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN'''
> b = refpolicy.Bool()
> - b.name = p[4]
> - if p[7] == "true":
> + if len(p) == 7:
> + id_pos = 3
> + state_pos = 5
> + else:
> + id_pos = 4
> + state_pos = 7
> + b.name = p[id_pos]
> + if p[state_pos] == "true":
> b.state = True
> else:
> b.state = False
> diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
> index 9cac1b95..f139dde4 100644
> --- a/python/sepolgen/src/sepolgen/refpolicy.py
> --- a/python/sepolgen/src/sepolgen/refpolicy.py
> +++ b/python/sepolgen/src/sepolgen/refpolicy.py
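Review bot: The new `MINUS IDENTIFIER` and `MINUS MINUS` alternatives in `p_genfscon` parse the file-type specifier but then discard it — the body only moves the context from `p[4]` to `p[6]` — so two genfscon statements that differ only in their object-class qualifier (for example `-d` versus `--` on the same path) now produce indistinguishable `GenfsCon` nodes. If anything downstream re-emits or de-duplicates these nodes the qualifier is lost silently; keeping it, e.g. `g.filetype = p[5] if len(p) == 7 else None` with a matching attribute on `GenfsCon` (its definition is outside this diff), preserves the statement's meaning. Note also that `MINUS IDENTIFIER` accepts any identifier, not only the class letters the kernel policy language defines for this position, so the parser will accept specifiers the compiler rejects; that matches the lenient style of the rest of this grammar but deserves a comment such as `# file-type specifier (-b/-c/-d/-p/-l/-s/--) is accepted but not validated or stored`.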
> @@ -899,6 +899,14 @@ class IfDef(Node):
> def to_string(self):
> return "[Ifdef name: %s]" % self.name
>
> +class IfElse(Node):
> + def __init__(self, name="", parent=None):
> + Node.__init__(self, parent)
> + self.name = name
> +
> + def to_string(self):
> + return "[Ifelse name: %s]" % self.name
> +
> class InterfaceCall(Leaf):
> def __init__(self, ifname="", parent=None):
> Leaf.__init__(self, parent)
> --
> 2.43.0
>
>
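Review bot: `IfElse` is added as a new public node type without a docstring, and because `refparser.p_ifelse` builds one of these per comparison branch and one more wrapping all of them, a reader of this file alone cannot tell what a node represents or what `name` holds. A short class docstring would close that gap, e.g. `"""An m4 ifelse() block: one node per comparison branch, each holding that branch's statements as children."""`. It is also worth stating next to `self.name = name` that `to_string` formats it with `%s` and so expects a string — the wrapper node built in `p_ifelse` currently receives a list there, which this class silently accepts.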