* [PATCH 1/2] sepolgen: Make sepolgen-ifgen output deterministic with Python>=3.3
@ 2016-01-16 11:33 Nicolas Iooss
  2016-01-16 11:33 ` [PATCH 2/2] sepolgen: Support latest refpolicy interfaces Nicolas Iooss
  2016-02-01 14:13 ` [PATCH 1/2] sepolgen: Make sepolgen-ifgen output deterministic with Python>=3.3 Steve Lawrence
  0 siblings, 2 replies; 3+ messages in thread
From: Nicolas Iooss @ 2016-01-16 11:33 UTC (permalink / raw)
  To: selinux

Since Python 3.3, dictionary hashes are randomized and iterating over
them is no longer deterministic.  This makes it difficult to compare
the outputs of the sepolgen-ifgen command.

Make sepolgen-ifgen deterministic again with Python>=3.3 by always
sorting the dictionaries and sets which are used to produce output.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 sepolgen/src/sepolgen/access.py     | 2 +-
 sepolgen/src/sepolgen/interfaces.py | 6 +++---
 sepolgen/src/sepolgen/refpolicy.py  | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
index 1f89ecde5fd9..a5d86982c0b1 100644
--- a/sepolgen/src/sepolgen/access.py
+++ b/sepolgen/src/sepolgen/access.py
@@ -128,7 +128,7 @@ class AccessVector(util.Comparison):
         is represented in a list.
         """
         l = [self.src_type, self.tgt_type, self.obj_class]
-        l.extend(self.perms)
+        l.extend(sorted(self.perms))
         return l
 
     def __str__(self):
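
Review bot: the docstring above `l.extend(sorted(self.perms))` still only says the vector is represented in a list. The sorted permission order is now what makes the output comparable between runs, so state it in the docstring (for example "permissions follow in sorted order"); otherwise a later cleanup may drop the `sorted()` call as redundant.
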
diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py
index 0b688bfd4072..48ae4f27a414 100644
--- a/sepolgen/src/sepolgen/interfaces.py
+++ b/sepolgen/src/sepolgen/interfaces.py
@@ -341,12 +341,12 @@ class InterfaceSet:
             self.output.write(str + "\n")
 
     def to_file(self, fd):
-        for iv in self.interfaces.values():
+        for iv in sorted(self.interfaces.values(), key=lambda x: x.name):
             fd.write("[InterfaceVector %s " % iv.name)
-            for param in iv.params.values():
+            for param in sorted(iv.params.values(), key=lambda x: x.name):
                 fd.write("%s:%s " % (param.name, refpolicy.field_to_str[param.type]))
             fd.write("]\n")
-            avl = iv.access.to_list()
+            avl = sorted(iv.access.to_list())
             for av in avl:
                 fd.write(",".join(av))
                 fd.write("\n")
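
Review bot: in `to_file`, `sorted(iv.params.values(), key=lambda x: x.name)` is a plain string sort, so if parameter names end in a number, 10 is written before 2. That is still deterministic, but if anything reading this file expects numeric order a numeric key is needed; otherwise a short comment saying the order exists only for reproducible output would help. The two lambdas could also be `operator.attrgetter("name")`.
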
diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
index 737f95624d48..31b40d8fee00 100644
--- a/sepolgen/src/sepolgen/refpolicy.py
+++ b/sepolgen/src/sepolgen/refpolicy.py
@@ -251,10 +251,10 @@ class IdSet(set):
         self.compliment = False
 
     def to_space_str(self):
-        return list_to_space_str(self)
+        return list_to_space_str(sorted(self))
 
     def to_comma_str(self):
-        return list_to_comma_str(self)
+        return list_to_comma_str(sorted(self))
 
 class SecurityContext(Leaf):
     """An SELinux security context with optional MCS / MLS fields."""
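
Review bot: `to_space_str` and `to_comma_str` now depend on every member of the set being orderable against the others, because `sorted(self)` raises TypeError under Python 3 for mixed types such as str and None. If IdSet is only ever meant to hold strings, a one-line docstring on each method stating that, and that the result is sorted, would document the new contract.
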
-- 
2.7.0
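
The effect this patch addresses, as an added example that is not part of the patch or of sepolgen: a set of constructed permission names is rendered in fresh interpreters under different `PYTHONHASHSEED` values, once in raw iteration order and once through `sorted()`. The names `PERMS`, `render` and `distinct_outputs` are hypothetical.

```python
import os
import subprocess
import sys

# Constructed sample: SELinux-style permission names, as a set of perms would hold.
PERMS = ["read", "write", "open", "getattr", "setattr", "ioctl", "lock", "append"]

# Child program: build a set from argv and emit it comma-joined,
# either in raw iteration order or sorted.
CHILD = (
    "import sys\n"
    "perms = set(sys.argv[2:])\n"
    "items = sorted(perms) if sys.argv[1] == 'sorted' else list(perms)\n"
    "print(','.join(items))\n"
)


def render(mode, seed):
    """Run the child in a fresh interpreter with a fixed string-hash seed."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run(
        [sys.executable, "-c", CHILD, mode] + PERMS,
        env=env, capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


def distinct_outputs(mode, seeds=range(1, 9)):
    """Return the set of distinct renderings seen across the given seeds."""
    return {render(mode, seed) for seed in seeds}


if __name__ == "__main__":
    print("raw iteration order, distinct outputs:", len(distinct_outputs("raw")))
    print("sorted, distinct outputs:", len(distinct_outputs("sorted")))
```

Comparing generated files across runs, as the commit message describes, only works in the sorted case, where every seed yields the same line.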


* [PATCH 2/2] sepolgen: Support latest refpolicy interfaces
  2016-01-16 11:33 [PATCH 1/2] sepolgen: Make sepolgen-ifgen output deterministic with Python>=3.3 Nicolas Iooss
@ 2016-01-16 11:33 ` Nicolas Iooss
  2016-02-01 14:13 ` [PATCH 1/2] sepolgen: Make sepolgen-ifgen output deterministic with Python>=3.3 Steve Lawrence
  1 sibling, 0 replies; 3+ messages in thread
From: Nicolas Iooss @ 2016-01-16 11:33 UTC (permalink / raw)
  To: selinux

Some refpolicy interfaces use:

* "$" character in paths, for example in kernel/selinux.if:

    genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)

* empty members in ifelse statement, for example in system/init.if:

    ifelse(`$5',`',`',`
        ...
    ')

Modify sepolgen/refparser grammar accordingly.

This fixes the following syntax errors reported by sepolgen-ifgen:

    /usr/share/selinux/refpolicy/include/kernel/selinux.if: Syntax error
    on line 43 gen_context [type=GEN_CONTEXT]
    /usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
    line 1416 ' [type=SQUOTE]
    /usr/share/selinux/refpolicy/include/system/init.if: Syntax error on
    line 1422 ' [type=SQUOTE]

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 sepolgen/src/sepolgen/refparser.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
index 3132c6fe7109..9b1d0c8f458d 100644
--- a/sepolgen/src/sepolgen/refparser.py
+++ b/sepolgen/src/sepolgen/refparser.py
@@ -219,7 +219,7 @@ t_BAR       = r'\|'
 t_EXPL      = r'\!'
 t_EQUAL     = r'\='
 t_NUMBER    = r'[0-9\.]+'
-t_PATH      = r'/[a-zA-Z0-9)_\.\*/]*'
+t_PATH      = r'/[a-zA-Z0-9)_\.\*/\$]*'
 #t_IPV6_ADDR = r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]{0,4}:)*'
 
 # Ignore whitespace - this is a special token for ply that more efficiently
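
Review bot: the `\$` added to the `t_PATH` character class is accepted at any position after the leading slash and any number of times, which is wider than the `/booleans/$2` case in the commit message. If only that parameter form is intended the pattern could be tightened, and either way a parser test with that genfscon line would pin the behaviour. The backslash is not needed before `$` inside a character class.
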
@@ -417,6 +417,7 @@ def p_tunable_policy(p):
 def p_ifelse(p):
     '''ifelse : IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
               | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+              | IFELSE OPAREN TICK IDENTIFIER SQUOTE COMMA TICK SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
     '''
 #    x = refpolicy.IfDef(p[4])
 #    v = True
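
Review bot: the new `p_ifelse` alternative makes the second argument empty (`TICK SQUOTE`) but still requires `interface_stmts` for the third, while the init.if example in the commit message has an empty third argument as well. That example only parses if `interface_stmts` can derive nothing, so confirm it with a test input. The three alternatives are also long enough that a comment naming which ifelse form each one matches would make the docstring grammar easier to review.
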
-- 
2.7.0


* Re: [PATCH 1/2] sepolgen: Make sepolgen-ifgen output deterministic with Python>=3.3
  2016-01-16 11:33 [PATCH 1/2] sepolgen: Make sepolgen-ifgen output deterministic with Python>=3.3 Nicolas Iooss
  2016-01-16 11:33 ` [PATCH 2/2] sepolgen: Support latest refpolicy interfaces Nicolas Iooss
@ 2016-02-01 14:13 ` Steve Lawrence
  1 sibling, 0 replies; 3+ messages in thread
From: Steve Lawrence @ 2016-02-01 14:13 UTC (permalink / raw)
  To: Nicolas Iooss, selinux

On 01/16/2016 06:33 AM, Nicolas Iooss wrote:
> Since Python 3.3, dictionary hashes are randomized and iterating over
> them is no longer deterministic.  This makes it difficult to compare
> the outputs of the sepolgen-ifgen command.
> 
> Make sepolgen-ifgen deterministic again with Python>=3.3 by always
> sorting the dictionaries and sets which are used to produce output.
> 
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>

Both patches applied. Thanks!

- Steve

> ---
>  sepolgen/src/sepolgen/access.py     | 2 +-
>  sepolgen/src/sepolgen/interfaces.py | 6 +++---
>  sepolgen/src/sepolgen/refpolicy.py  | 4 ++--
>  3 files changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/sepolgen/src/sepolgen/access.py b/sepolgen/src/sepolgen/access.py
> index 1f89ecde5fd9..a5d86982c0b1 100644
> --- a/sepolgen/src/sepolgen/access.py
> +++ b/sepolgen/src/sepolgen/access.py
> @@ -128,7 +128,7 @@ class AccessVector(util.Comparison):
>          is represented in a list.
>          """
>          l = [self.src_type, self.tgt_type, self.obj_class]
> -        l.extend(self.perms)
> +        l.extend(sorted(self.perms))
>          return l
>  
>      def __str__(self):
> diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py
> index 0b688bfd4072..48ae4f27a414 100644
> --- a/sepolgen/src/sepolgen/interfaces.py
> +++ b/sepolgen/src/sepolgen/interfaces.py
> @@ -341,12 +341,12 @@ class InterfaceSet:
>              self.output.write(str + "\n")
>  
>      def to_file(self, fd):
> -        for iv in self.interfaces.values():
> +        for iv in sorted(self.interfaces.values(), key=lambda x: x.name):
>              fd.write("[InterfaceVector %s " % iv.name)
> -            for param in iv.params.values():
> +            for param in sorted(iv.params.values(), key=lambda x: x.name):
>                  fd.write("%s:%s " % (param.name, refpolicy.field_to_str[param.type]))
>              fd.write("]\n")
> -            avl = iv.access.to_list()
> +            avl = sorted(iv.access.to_list())
>              for av in avl:
>                  fd.write(",".join(av))
>                  fd.write("\n")
> diff --git a/sepolgen/src/sepolgen/refpolicy.py b/sepolgen/src/sepolgen/refpolicy.py
> index 737f95624d48..31b40d8fee00 100644
> --- a/sepolgen/src/sepolgen/refpolicy.py
> +++ b/sepolgen/src/sepolgen/refpolicy.py
> @@ -251,10 +251,10 @@ class IdSet(set):
>          self.compliment = False
>  
>      def to_space_str(self):
> -        return list_to_space_str(self)
> +        return list_to_space_str(sorted(self))
>  
>      def to_comma_str(self):
> -        return list_to_comma_str(self)
> +        return list_to_comma_str(sorted(self))
>  
>  class SecurityContext(Leaf):
>      """An SELinux security context with optional MCS / MLS fields."""
> 
