On Wed, Mar 20, 2024 at 2:01 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Thu, Feb 22, 2024 at 2:31 PM Christian Göttsche > <cgzones@xxxxxxxxxxxxxx> wrote: > > > > Currently sepolgen fails to parse the reference policy: > > > > Parsing interface files: > > %--10---20---30---40---50---60---70---80---90--100 > > #############/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1737 - [type=MINUS] > > /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS] > > error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if: Syntax error on line 1755 - [type=MINUS]" > > /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS] > > error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error on line 43 - [type=MINUS]" > > ############################/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 183 $1_port_forwarding [type=IDENTIFIER] > > /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE] > > error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if: Syntax error on line 293 ' [type=SQUOTE]" > > ######/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2137 true [type=TRUE] > > /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2148 ' [type=SQUOTE] > > /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2152 ' [type=SQUOTE] > > 
/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2163 ' [type=SQUOTE] > > /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE] > > error parsing file /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: could not parse text: "/tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if: Syntax error on line 2167 ' [type=SQUOTE]" > > ##failed to parse some headers: /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/kernel.if, /tmp/destdir/usr/share/selinux/refpolicy/include/kernel/selinux.if, /tmp/destdir/usr/share/selinux/refpolicy/include/services/ssh.if, /tmp/destdir/usr/share/selinux/refpolicy/include/system/init.if > > Missing interface definition for init_startstop_service > > Missing interface definition for init_startstop_service > > ... > > > > Accept chained ifelse blocks, genfscon statements with file specifiers, > > and booleans with unquoted identifiers. > > > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > Merged. Thanks, Jim
> > ---
> > python/sepolgen/src/sepolgen/refparser.py | 74 +++++++++++++++++------
> > python/sepolgen/src/sepolgen/refpolicy.py | 8 +++
> > 2 files changed, 65 insertions(+), 17 deletions(-)
> >
> > diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
> > index 1bb90564..e261d3f7 100644
> > --- a/python/sepolgen/src/sepolgen/refparser.py
> > +++ b/python/sepolgen/src/sepolgen/refparser.py
> > @@ -418,19 +418,41 @@ def p_tunable_policy(p):
> > collect(p[12], x, val=False)
> > p[0] = [x]
> >
> > -def p_ifelse(p):
> > - '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> > | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> > | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> > +def p_ifelse_compare_value(p):
> > + '''ifelse_compare_value : TICK IDENTIFIER SQUOTE
> > + | TICK TRUE SQUOTE
> > + | TICK FALSE SQUOTE
> > + | TICK SQUOTE
> > + | empty
> > '''
> > -# x = refpolicy.IfDef(p[4])
> > -# v = True
> > -# collect(p[8], x, val=v)
> > -# if len(p) > 12:
> > -# collect(p[12], x, val=False)
> > -# p[0] = [x]
> > - pass
> > + if len(p) == 4:
> > + p[0] = p[2]
> > + else:
> > + p[0] = None
> > +
> > +def p_ifelse_section(p):
> > + '''ifelse_section : TICK IDENTIFIER SQUOTE COMMA ifelse_compare_value COMMA TICK interface_stmts SQUOTE
> > + '''
> > + x = refpolicy.IfElse(p[2])
> > + collect(p[8], x, val=True)
> > + p[0] = [x]
> > +
> > +def p_ifelse_sections(p):
> > + '''ifelse_sections : ifelse_sections COMMA ifelse_section
> > + | ifelse_section
> > + '''
> > + if len(p) == 4:
> > + p[0] = p[1] + p[3]
> > + else:
> > + p[0] = p[1]
> >
> > +def p_ifelse(p):
> > + '''ifelse : IFELSE OPAREN ifelse_sections COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
> > + '''
> > + x = refpolicy.IfElse(p[3])
> > + collect(p[3], x, val=True)
> > + collect(p[6], x, val=False)
> > + p[0] = [x]
> >
> > def p_ifdef(p):
> > '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
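Review bot: In the new p_ifelse, `refpolicy.IfElse(p[3])` stores the list produced by ifelse_sections as the node's name, so the outer node's to_string prints a Python list repr instead of a macro argument, and in p_ifelse_section the value from ifelse_compare_value (p[5]) is never recorded, so each `'$1', 'value'` pair is parsed and then dropped. I would build the outer node without a name, `x = refpolicy.IfElse()`, and keep the compared value on each section, e.g. `x = refpolicy.IfElse(p[2])` followed by `x.value = p[5]`; the same gap applies to the IfElse class added in the refpolicy.py hunk, whose __init__ would need a matching `value` parameter plus a docstring stating what name and value hold. Whether any consumer walks IfElse nodes is not visible here, so today the visible cost may only be the misleading to_string output.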
> > @@ -460,6 +482,7 @@ def p_interface_call(p):
> > def p_interface_call_param(p):
> > '''interface_call_param : IDENTIFIER
> > | IDENTIFIER MINUS IDENTIFIER
> > + | MINUS IDENTIFIER
> > | nested_id_set
> > | TRUE
> > | FALSE
> > @@ -469,6 +492,8 @@ def p_interface_call_param(p):
> > # List means set, non-list identifier
> > if len(p) == 2:
> > p[0] = p[1]
> > + elif len(p) == 3:
> > + p[0] = "-" + p[2]
> > else:
> > p[0] = [p[1], "-" + p[3]]
> >
> > @@ -558,6 +583,8 @@ def p_requires(p):
> > | requires require
> > | ifdef
> > | requires ifdef
> > + | ifelse
> > + | requires ifelse
> > '''
> > pass
> >
> > @@ -609,12 +636,17 @@ def p_initial_sid(p):
> > p[0] = s
> >
> > def p_genfscon(p):
> > - '''genfscon : GENFSCON IDENTIFIER PATH context'''
> > -
> > + '''genfscon : GENFSCON IDENTIFIER PATH context
> > + | GENFSCON IDENTIFIER PATH MINUS IDENTIFIER context
> > + | GENFSCON IDENTIFIER PATH MINUS MINUS context
> > + '''
> > g = refpolicy.GenfsCon()
> > g.filesystem = p[2]
> > g.path = p[3]
> > - g.context = p[4]
> > + if len(p) == 5:
> > + g.context = p[4]
> > + else:
> > + g.context = p[6]
> >
> > p[0] = g
> >
> > @@ -848,11 +880,19 @@ def p_bool(p):
> > p[0] = b
> >
> > def p_gen_tunable(p):
> > - '''gen_tunable : GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
> > + '''gen_tunable : GEN_TUNABLE OPAREN IDENTIFIER COMMA TRUE CPAREN
> > + | GEN_TUNABLE OPAREN IDENTIFIER COMMA FALSE CPAREN
> > + | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA TRUE CPAREN
> > | GEN_TUNABLE OPAREN TICK IDENTIFIER SQUOTE COMMA FALSE CPAREN'''
> > b = refpolicy.Bool()
> > - b.name = p[4]
> > - if p[7] == "true":
> > + if len(p) == 7:
> > + id_pos = 3
> > + state_pos = 5
> > + else:
> > + id_pos = 4
> > + state_pos = 7
> > + b.name = p[id_pos]
> > + if p[state_pos] == "true":
> > b.state = True
> > else:
> > b.state = False
> > diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
> > index 9cac1b95..f139dde4 100644
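Review bot: The new `MINUS IDENTIFIER` alternative in p_interface_call_param returns the plain string `"-" + p[2]`, while the neighbouring `IDENTIFIER MINUS IDENTIFIER` form returns a list, and the comment above the branch says a list means a set and a non-list means an identifier; a lone negated argument therefore reaches callers looking like an identifier literally named `-foo`. If the negation is meant to survive into the call parameters, returning a one-element set, `p[0] = ["-" + p[2]]`, keeps it on the same path as the two-identifier form; I cannot see how interface_call consumers treat these values, so please confirm which shape they expect. The grammar docstring of this rule continues outside the hunk.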
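Review bot: p_genfscon now accepts the file-type qualifier after PATH (`MINUS IDENTIFIER` and `MINUS MINUS`) but discards it: GenfsCon only receives filesystem, path and context, so the qualifier cannot be reproduced if these nodes are ever written back out, and a genfscon that was restricted to one file class would then read as covering every file class. If dropping it is intentional, say so where the branches meet, e.g. `# file type qualifier (e.g. -d, --) is parsed but not retained on GenfsCon`; otherwise GenfsCon needs a field for it, assigned from p[5] in the six-token forms. GenfsCon's to_string is not in this patch, so whether anything serializes these nodes is an assumption on my part.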
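Review bot: In p_gen_tunable the id_pos/state_pos bookkeeping spread over six lines obscures what is a two-way choice; a more direct form is `b.name = p[3] if len(p) == 7 else p[4]` and `b.state = p[5 if len(p) == 7 else 7] == "true"`, which also replaces the four-line if/else that assigns the boolean. Both forms behave the same for the four alternatives in the docstring (six tokens unquoted, eight tokens quoted), so this is style only.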
> > --- a/python/sepolgen/src/sepolgen/refpolicy.py
> > +++ b/python/sepolgen/src/sepolgen/refpolicy.py
> > @@ -899,6 +899,14 @@ class IfDef(Node):
> > def to_string(self):
> > return "[Ifdef name: %s]" % self.name
> >
> > +class IfElse(Node):
> > + def __init__(self, name="", parent=None):
> > + Node.__init__(self, parent)
> > + self.name = name
> > +
> > + def to_string(self):
> > + return "[Ifelse name: %s]" % self.name
> > +
> > class InterfaceCall(Leaf):
> > def __init__(self, ifname="", parent=None):
> > Leaf.__init__(self, parent)
> > --
> > 2.43.0
> > > >