selinux.vger.kernel.org archive mirror
* [PATCH 1/3] Makefile: fix cleaning files that starts with "-"
@ 2019-11-01  9:27 Nicolas Iooss
  2019-11-01  9:27 ` [PATCH 2/3] libselinux: generate Python glue code using "sed" Nicolas Iooss
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Nicolas Iooss @ 2019-11-01  9:27 UTC (permalink / raw)
  To: selinux; +Cc: Michael Shigorin

libselinux/src/exception.sh creates a file named "-.o". This file is
usually removed at the end of this script, but some failures in it could
leave it on the filesystem. "make clean" is then supposed to remove this
file, but fails instead with:

    rm: invalid option -- '.'
    Try 'rm ./-.o' to remove the file '-.o'.
    Try 'rm --help' for more information.

This is due to "rm -f *.o" being expanded to "rm -f -.o". Prevent this
buggy expansion by using "./*.o" in the command line. While at it, do so
for other patterns like "*~".

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 checkpolicy/test/Makefile                | 2 +-
 libselinux/src/Makefile                  | 4 ++--
 libselinux/utils/Makefile                | 2 +-
 libsemanage/src/Makefile                 | 2 +-
 libsepol/utils/Makefile                  | 2 +-
 mcstrans/Makefile                        | 2 +-
 mcstrans/man/Makefile                    | 2 +-
 mcstrans/src/Makefile                    | 2 +-
 mcstrans/utils/Makefile                  | 2 +-
 policycoreutils/load_policy/Makefile     | 2 +-
 policycoreutils/newrole/Makefile         | 2 +-
 policycoreutils/po/Makefile              | 2 +-
 policycoreutils/run_init/Makefile        | 2 +-
 policycoreutils/secon/Makefile           | 2 +-
 policycoreutils/semodule/Makefile        | 2 +-
 policycoreutils/sestatus/Makefile        | 2 +-
 policycoreutils/setfiles/Makefile        | 2 +-
 policycoreutils/setsebool/Makefile       | 2 +-
 python/audit2allow/Makefile              | 2 +-
 python/sepolgen/Makefile                 | 2 +-
 python/sepolgen/src/Makefile             | 2 +-
 python/sepolgen/src/sepolgen/Makefile    | 2 +-
 python/sepolgen/src/share/Makefile       | 2 +-
 python/sepolgen/tests/Makefile           | 2 +-
 python/sepolicy/Makefile                 | 2 +-
 restorecond/Makefile                     | 2 +-
 sandbox/Makefile                         | 2 +-
 semodule-utils/semodule_expand/Makefile  | 2 +-
 semodule-utils/semodule_link/Makefile    | 2 +-
 semodule-utils/semodule_package/Makefile | 2 +-
 30 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
index 89e7557c7aa6..ec8cc7299e4b 100644
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
@@ -19,4 +19,4 @@ dismod: dismod.o $(LIBSEPOLA)
 	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
 
 clean:
-	-rm -f dispol dismod *.o 
+	-rm -f dispol dismod ./*.o
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 2b1696a0c17b..63d6b0eda270 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -187,13 +187,13 @@ relabel:
 clean-pywrap:
 	-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
 	$(PYTHON) setup.py clean
-	-rm -rf build *~ \#* *pyc .#*
+	-rm -rf build ./*~ \#* ./*pyc .#*
 
 clean-rubywrap:
 	-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
 
 clean: clean-pywrap clean-rubywrap
-	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
+	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) ./*.o ./*.lo ./*~
 
 distclean: clean
 	rm -f $(GENERATED) $(SWIGFILES)
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 361506384d08..1ac6f7dfd9f7 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -65,7 +65,7 @@ install: all
 	install -m 755 $(TARGETS) $(DESTDIR)$(SBINDIR)
 
 clean:
-	rm -f $(TARGETS) *.o *~
+	rm -f $(TARGETS) ./*.o ./*~
 
 distclean: clean
 
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index e029f0988dd8..7dcf4715878e 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -155,7 +155,7 @@ relabel:
 	/sbin/restorecon $(DESTDIR)$(LIBDIR)/$(LIBSO)
 
 clean: 
-	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(SWIGRUBYSO) $(TARGET) conf-parse.c conf-parse.h conf-scan.c *.o *.lo *~
+	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(SWIGRUBYSO) $(TARGET) conf-parse.c conf-parse.h conf-scan.c ./*.o ./*.lo ./*~
 
 distclean: clean
 	rm -f $(GENERATED) $(SWIGFILES)
diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile
index 31932c111026..26f7a02476a6 100644
--- a/libsepol/utils/Makefile
+++ b/libsepol/utils/Makefile
@@ -16,7 +16,7 @@ install: all
 	install -m 755 $(TARGETS) $(DESTDIR)$(BINDIR)
 
 clean:
-	-rm -f $(TARGETS) *.o 
+	-rm -f $(TARGETS) ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/mcstrans/Makefile b/mcstrans/Makefile
index c993a9f52713..c3e4a148c66d 100644
--- a/mcstrans/Makefile
+++ b/mcstrans/Makefile
@@ -8,7 +8,7 @@ install:
 	$(MAKE) -C man install
 
 clean:
-	rm -f *~ \#*
+	rm -f ./*~ ./\#*
 	$(MAKE) -C src clean
 	$(MAKE) -C utils clean
 	$(MAKE) -C man clean
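Review bot: `./\#*` in this clean rule is inconsistent with the rest of the patch, which leaves `\#*` unprefixed in mcstrans/man, mcstrans/src, mcstrans/utils, libselinux/src and python/sepolicy. A pattern that starts with a literal `#` can never expand to a name beginning with `-`, so the prefix is not needed here; either drop it or apply it everywhere so the rule for when to prefix is obvious to the next person editing these Makefiles.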
diff --git a/mcstrans/man/Makefile b/mcstrans/man/Makefile
index 71713818c621..696430155c9f 100644
--- a/mcstrans/man/Makefile
+++ b/mcstrans/man/Makefile
@@ -26,6 +26,6 @@ install: all
 	done
 
 clean:
-	-rm -f *~ \#*
+	-rm -f ./*~ \#*
 	-rm -f man5/*~ man5/\#*
 	-rm -f man8/*~ man8/\#*
diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
index 76ef055714e9..b7f14654889f 100644
--- a/mcstrans/src/Makefile
+++ b/mcstrans/src/Makefile
@@ -34,5 +34,5 @@ install: all
 	install -m 644 mcstrans.service $(DESTDIR)$(SYSTEMDDIR)/system/
 
 clean: 
-	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
+	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) ./*~ \#*
 
diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
index 9dfe772332b4..90ae75c29317 100644
--- a/mcstrans/utils/Makefile
+++ b/mcstrans/utils/Makefile
@@ -30,7 +30,7 @@ test:
 	./mlstrans-test-runner.py ../test/*.test
 
 clean:
-	rm -f $(TARGETS) *.o *~ \#*
+	rm -f $(TARGETS) ./*.o ./*~ \#*
 
 relabel:
 
diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
index c1ba805b6a9a..9581eefc27f5 100644
--- a/policycoreutils/load_policy/Makefile
+++ b/policycoreutils/load_policy/Makefile
@@ -26,7 +26,7 @@ install: all
 	done
 
 clean:
-	-rm -f $(TARGETS) *.o 
+	-rm -f $(TARGETS) ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 73ebd413da85..11b2a40b3d72 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -83,7 +83,7 @@ endif
 endif
 
 clean:
-	rm -f newrole *.o 
+	rm -f newrole ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index 575e143122e6..b201b90b2392 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -123,7 +123,7 @@ refresh-po: Makefile
 	done
 
 clean:
-	@rm -fv *mo *~ .depend
+	@rm -fv ./*mo ./*~ .depend
 	@rm -rf tmp
 
 install: $(MOFILES)
diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
index e86364a496e6..b19540662eba 100644
--- a/policycoreutils/run_init/Makefile
+++ b/policycoreutils/run_init/Makefile
@@ -50,7 +50,7 @@ ifeq ($(PAMH), y)
 endif
 
 clean:
-	-rm -f $(TARGETS) *.o 
+	-rm -f $(TARGETS) ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
index 576a6203dfa3..b17997914d69 100644
--- a/policycoreutils/secon/Makefile
+++ b/policycoreutils/secon/Makefile
@@ -32,7 +32,7 @@ relabel:
 	/sbin/restorecon $(DESTDIR)$(BINDIR)/secon
 
 clean:
-	rm -f *.o core* secon *~ *.bak
+	rm -f ./*.o core* secon ./*~ ./*.bak
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 73801e487a76..e6520e877252 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -32,7 +32,7 @@ install: all
 relabel:
 
 clean:
-	-rm -f semodule *.o genhomedircon
+	-rm -f semodule ./*.o genhomedircon
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
index 8c4f45f804f2..4849405ec3cb 100644
--- a/policycoreutils/sestatus/Makefile
+++ b/policycoreutils/sestatus/Makefile
@@ -32,7 +32,7 @@ install: all
 	install -m 644 sestatus.conf $(DESTDIR)$(ETCDIR)
 
 clean:
-	rm -f sestatus *.o
+	rm -f sestatus ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index bc5a8db789a5..456f288d649b 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -45,7 +45,7 @@ install: all
 	done
 
 clean:
-	rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man
+	rm -f setfiles restorecon restorecon_xattr ./*.o setfiles.8.man
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
index 4b55046cecc4..217cf844aaba 100644
--- a/policycoreutils/setsebool/Makefile
+++ b/policycoreutils/setsebool/Makefile
@@ -32,7 +32,7 @@ install: all
 relabel:
 
 clean:
-	-rm -f setsebool *.o
+	-rm -f setsebool ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
index 15db549081dd..0a8008f63dee 100644
--- a/python/audit2allow/Makefile
+++ b/python/audit2allow/Makefile
@@ -47,7 +47,7 @@ install: all
 	done
 
 clean:
-	rm -f *~ *.o sepolgen-ifgen-attr-helper test_dummy_policy
+	rm -f ./*~ ./*.o sepolgen-ifgen-attr-helper test_dummy_policy
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/python/sepolgen/Makefile b/python/sepolgen/Makefile
index 3aed330499a4..01d7b46c6918 100644
--- a/python/sepolgen/Makefile
+++ b/python/sepolgen/Makefile
@@ -8,7 +8,7 @@ relabel: ;
 clean:
 	$(MAKE) -C src $@
 	$(MAKE) -C tests $@
-	rm -f *~ *.pyc
+	rm -f ./*~ ./*.pyc
 	rm -f parser.out parsetab.py
 
 indent: ;
diff --git a/python/sepolgen/src/Makefile b/python/sepolgen/src/Makefile
index 2815a13d3499..3e55309f8dcf 100644
--- a/python/sepolgen/src/Makefile
+++ b/python/sepolgen/src/Makefile
@@ -9,7 +9,7 @@ relabel: ;
 clean:
 	$(MAKE) -C sepolgen $@
 	$(MAKE) -C share $@
-	rm -f *~ *.pyc
+	rm -f ./*~ ./*.pyc
 	rm -f parser.out parsetab.py
 
 indent: ;
diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile
index cac8def7204e..83b17bb80227 100644
--- a/python/sepolgen/src/sepolgen/Makefile
+++ b/python/sepolgen/src/sepolgen/Makefile
@@ -11,5 +11,5 @@ install: all
 
 clean:
 	rm -f parser.out parsetab.py
-	rm -f *~ *.pyc
+	rm -f ./*~ ./*.pyc
 	rm -rf __pycache__
diff --git a/python/sepolgen/src/share/Makefile b/python/sepolgen/src/share/Makefile
index 1a7133cbf5cb..4045be56597b 100644
--- a/python/sepolgen/src/share/Makefile
+++ b/python/sepolgen/src/share/Makefile
@@ -7,4 +7,4 @@ install: all
 	install -m 644 perm_map $(DESTDIR)$(SHAREDIR)
 
 clean:
-	rm -f *~
+	rm -f ./*~
diff --git a/python/sepolgen/tests/Makefile b/python/sepolgen/tests/Makefile
index 83d072f4e6aa..a5c23899e8fd 100644
--- a/python/sepolgen/tests/Makefile
+++ b/python/sepolgen/tests/Makefile
@@ -1,7 +1,7 @@
 PYTHON ?= python3
 
 clean:
-	rm -f *~ *.pyc
+	rm -f ./*~ ./*.pyc
 	rm -f parser.out parsetab.py
 	rm -f out.txt
 	rm -f module_compile_test.fc
diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
index 69f29fa962f9..0f55c5f30804 100644
--- a/python/sepolicy/Makefile
+++ b/python/sepolicy/Makefile
@@ -18,7 +18,7 @@ python-build:
 
 clean:
 	$(PYTHON) setup.py clean
-	-rm -rf build *~ \#* *pyc .#*
+	-rm -rf build ./*~ \#* ./*pyc .#*
 
 sepolgen:
 	ln -sf sepolicy sepolgen
diff --git a/restorecond/Makefile b/restorecond/Makefile
index 12452cd2f8e1..f200d70e6a8e 100644
--- a/restorecond/Makefile
+++ b/restorecond/Makefile
@@ -54,7 +54,7 @@ relabel: install
 	/sbin/restorecon $(DESTDIR)$(SBINDIR)/restorecond 
 
 clean:
-	-rm -f restorecond *.o *~
+	-rm -f restorecond ./*.o ./*~
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/sandbox/Makefile b/sandbox/Makefile
index 9da5e58db9e6..e0e2be5574ce 100644
--- a/sandbox/Makefile
+++ b/sandbox/Makefile
@@ -44,7 +44,7 @@ test:
 	@$(PYTHON) test_sandbox.py -v
 
 clean:
-	-rm -f seunshare *.o *~
+	-rm -f seunshare ./*.o ./*~
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/semodule-utils/semodule_expand/Makefile b/semodule-utils/semodule_expand/Makefile
index e63dcff246d9..e5022fb598e7 100644
--- a/semodule-utils/semodule_expand/Makefile
+++ b/semodule-utils/semodule_expand/Makefile
@@ -26,7 +26,7 @@ install: all
 relabel:
 
 clean:
-	-rm -f semodule_expand *.o
+	-rm -f semodule_expand ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/semodule-utils/semodule_link/Makefile b/semodule-utils/semodule_link/Makefile
index c5cf69cd9ca3..ba5d97d115ad 100644
--- a/semodule-utils/semodule_link/Makefile
+++ b/semodule-utils/semodule_link/Makefile
@@ -26,7 +26,7 @@ install: all
 relabel:
 
 clean:
-	-rm -f semodule_link *.o
+	-rm -f semodule_link ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/semodule-utils/semodule_package/Makefile b/semodule-utils/semodule_package/Makefile
index 680ab836cfe6..c53628ae1365 100644
--- a/semodule-utils/semodule_package/Makefile
+++ b/semodule-utils/semodule_package/Makefile
@@ -28,7 +28,7 @@ install: all
 relabel:
 
 clean:
-	-rm -f semodule_package semodule_unpackage *.o
+	-rm -f semodule_package semodule_unpackage ./*.o
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
-- 
2.23.0



* [PATCH 2/3] libselinux: generate Python glue code using "sed"
  2019-11-01  9:27 [PATCH 1/3] Makefile: fix cleaning files that starts with "-" Nicolas Iooss
@ 2019-11-01  9:27 ` Nicolas Iooss
  2019-11-04 15:18   ` Stephen Smalley
  2019-11-01  9:27 ` [PATCH 3/3] libsemanage: " Nicolas Iooss
  2019-11-04 15:16 ` [PATCH 1/3] Makefile: fix cleaning files that starts with "-" Stephen Smalley
  2 siblings, 1 reply; 6+ messages in thread
From: Nicolas Iooss @ 2019-11-01  9:27 UTC (permalink / raw)
  To: selinux; +Cc: Michael Shigorin

libselinux currently uses "gcc -aux-info" in order to generate glue code
for its Python bindings that throws an exception when a function returns
a negative integer value. This causes issues when a compiler other than
gcc is used (such as clang or icc), as option -aux-info is specific to
gcc.

Replace "gcc -aux-info" with a command that parses the content of header
files using "sed". As this is more fragile (because the declaration of
functions is not normalized), add a new target to the Makefile in order
to test that the new method does not produce different results with
"make CC=gcc test".

When reverting commit cfe487409307 ("libselinux: mark all exported
function "extern""), "make test" now fails as expected:

    bash -e exception.sh test
    Error ensuring that all exported functions that return an int are handled by exception.sh.
    Here are functions that were not found in "gcc -aux-info" but that were collected by "sed":
    Here are functions in "gcc -aux-info" that may be missing "extern" in header file:
    selinuxfs_exists
    make: *** [Makefile:202: test] Error 1

Original thread: https://lore.kernel.org/selinux/20191012172357.GB19655@imap.altlinux.org/T/#ma78bd7fe71fb5784387a8c0cebd867d6c02ee6e4

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Michael Shigorin <mike@altlinux.org>
---
 libselinux/Makefile         |  1 +
 libselinux/src/Makefile     |  5 ++++-
 libselinux/src/exception.sh | 38 +++++++++++++++++++++++++++++++------
 3 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/libselinux/Makefile b/libselinux/Makefile
index 16531fe95bf5..c0ae884f8ede 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -67,3 +67,4 @@ clean-rubywrap:
 	$(MAKE) -C src clean-rubywrap $@
 
 test:
+	$(MAKE) -C src test
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 63d6b0eda270..c12230a17b1d 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -198,7 +198,10 @@ clean: clean-pywrap clean-rubywrap
 distclean: clean
 	rm -f $(GENERATED) $(SWIGFILES)
 
+test:
+	bash -e exception.sh test
+
 indent:
 	../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
 
-.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install install-pywrap install-rubywrap distclean
+.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install install-pywrap install-rubywrap distclean test indent
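Review bot: the new `test` recipe only verifies anything when `$(CC)` accepts `-aux-info`; exception.sh skips the comparison when generating the aux file fails, so `make test` with clang succeeds without having checked the sed output. Having the script print a "skipped" message in that case would make the gap visible in build logs. Separately, `indent` is added to `.PHONY` in the last line of this hunk without being mentioned in the commit message.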
diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh
index d6c8c71713ad..adbb632c2f04 100755
--- a/libselinux/src/exception.sh
+++ b/libselinux/src/exception.sh
@@ -1,11 +1,12 @@
+#!/bin/bash -e
 function except() {
-case $1 in
+case "$1" in
     selinux_file_context_cmp) # ignore
     ;;
     *)
 echo "
 %exception $1 {
-  \$action 
+  \$action
   if (result < 0) {
      PyErr_SetFromErrno(PyExc_OSError);
      SWIG_fail;
@@ -15,10 +16,35 @@ echo "
 ;;
 esac
 }
-if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
+
+if [ $# -eq 1 ] && [ "$1" = "test" ]
 then
-    # clang does not support -aux-info so fall back to gcc
-    gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
+    # Ensure that "gcc -aux-info" produces the same list of functions as the sed command.
+    # The main difference between these way of producing the list of exported
+    # functions is that "gcc -aux-info" automatically inserts "extern" to all
+    # declarations and writes each one on a single line.
+    # clang does not support -aux-info, so skip the test if generating the aux file failed.
+    if ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
+    then
+        FCT_FROM_AUX="$(awk '/<stdin>.*extern int/ { print $6 }' temp.aux | sort -u)"
+        FCT_FROM_SED="$(sed -n 's/^extern \+int \+\([0-9A-Za-z_]\+\) *(.*$/\1/p' < ../include/selinux/selinux.h | sort -u)"
+        if [ "$FCT_FROM_AUX" != "$FCT_FROM_SED" ]
+        then
+            echo >&2 'Error ensuring that all exported functions that return an int are handled by exception.sh.'
+            echo >&2 'Here are functions that were not found in "gcc -aux-info" but that were collected by "sed":'
+            comm -13 <(echo "$FCT_FROM_AUX") <(echo "$FCT_FROM_SED")
+            echo >&2 'Here are functions in "gcc -aux-info" that may be missing "extern" in header file:'
+            comm -23 <(echo "$FCT_FROM_AUX") <(echo "$FCT_FROM_SED")
+            exit 1
+        fi
+    fi
+    rm -f -- temp.aux -.o
+    exit
 fi
-for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done 
+
+# shellcheck disable=SC2013
+for i in $(sed -n 's/^extern \+int \+\([0-9A-Za-z_]\+\) *(.*$/\1/p' < ../include/selinux/selinux.h)
+do
+    except "$i"
+done
 rm -f -- temp.aux -.o
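Review bot: in the `test` branch, `exit 1` on a mismatch runs before `rm -f -- temp.aux -.o`, so a failing test leaves `temp.aux` and `-.o` in the source directory, which is exactly the leftover file that patch 1/3 has to work around. Do the cleanup before reporting, or install `trap 'rm -f -- temp.aux -.o' EXIT` at the start of the branch. Two smaller points: the function names printed by `comm` go to stdout while their headings go to stderr, so redirecting one stream separates them; and `\+` in the sed expression is a GNU extension to basic regular expressions, so the generation loop now depends on GNU sed where it previously depended on gcc.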
-- 
2.23.0



* [PATCH 3/3] libsemanage: generate Python glue code using "sed"
  2019-11-01  9:27 [PATCH 1/3] Makefile: fix cleaning files that starts with "-" Nicolas Iooss
  2019-11-01  9:27 ` [PATCH 2/3] libselinux: generate Python glue code using "sed" Nicolas Iooss
@ 2019-11-01  9:27 ` Nicolas Iooss
  2019-11-04 15:16 ` [PATCH 1/3] Makefile: fix cleaning files that starts with "-" Stephen Smalley
  2 siblings, 0 replies; 6+ messages in thread
From: Nicolas Iooss @ 2019-11-01  9:27 UTC (permalink / raw)
  To: selinux; +Cc: Michael Shigorin

libsemanage currently uses "gcc -aux-info" in order to generate glue
code for its Python bindings that throws an exception when a function
returns a negative integer value. This causes issues when a compiler
other than gcc is used (such as clang or icc), as option -aux-info is
specific to gcc.

Replace "gcc -aux-info" with a command that parses the content of header
files using "sed". As this is more fragile (because the declaration of
functions is not normalized), add a new target to the Makefile in order
to test that the new method does not produce different results with
"make CC=gcc test".

When reverting commit b915c7a9d330 ("libsemanage: mark all exported
function "extern""), "make test" now fails as expected:

    bash -e exception.sh test
    Error ensuring that all exported functions that return an int are handled by exception.sh.
    Here are functions that were not found in "gcc -aux-info" but that were collected by "sed":
    Here are functions in "gcc -aux-info" that may be missing "extern" in header file:
    semanage_access_check
    semanage_begin_transaction
    semanage_commit
    semanage_connect
    semanage_disconnect
    semanage_get_disable_dontaudit
    semanage_get_hll_compiler_path
    ...
    make: *** [Makefile:202: test] Error 1

Original thread: https://lore.kernel.org/selinux/20191012172357.GB19655@imap.altlinux.org/T/#ma78bd7fe71fb5784387a8c0cebd867d6c02ee6e4

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: Michael Shigorin <mike@altlinux.org>
---
 libsemanage/Makefile         |  1 +
 libsemanage/src/Makefile     |  5 ++++-
 libsemanage/src/exception.sh | 34 ++++++++++++++++++++++++++++++----
 3 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/libsemanage/Makefile b/libsemanage/Makefile
index 390176fee7fb..e24b9ae55adc 100644
--- a/libsemanage/Makefile
+++ b/libsemanage/Makefile
@@ -34,4 +34,5 @@ indent:
 	$(MAKE) -C include $@
 
 test: all
+	$(MAKE) -C src test
 	$(MAKE) -C tests test
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index 7dcf4715878e..b21ff219aef3 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -160,7 +160,10 @@ clean:
 distclean: clean
 	rm -f $(GENERATED) $(SWIGFILES)
 
+test:
+	bash -e exception.sh test
+
 indent:
 	../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
 
-.PHONY: all clean pywrap rubywrap swigify install install-pywrap install-rubywrap distclean
+.PHONY: all clean pywrap rubywrap swigify install install-pywrap install-rubywrap distclean test indent
diff --git a/libsemanage/src/exception.sh b/libsemanage/src/exception.sh
index 97bc2ae879f2..f1e8aa2f7033 100644
--- a/libsemanage/src/exception.sh
+++ b/libsemanage/src/exception.sh
@@ -1,3 +1,4 @@
+#!/bin/bash -e
 function except() {
 echo "
 %exception $1 {
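Review bot: the `#!/bin/bash -e` line is added at the top, but the index line for this file keeps mode 100644, whereas libselinux/src/exception.sh in 2/3 is 100755. The shebang is not used for execution while the Makefile runs the script as `bash -e exception.sh`; either set the executable bit or drop the shebang so the two copies of the script agree.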
@@ -9,10 +10,35 @@ echo "
 }
 "
 }
-if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h
+
+if [ $# -eq 1 ] && [ "$1" = "test" ]
 then
-    # clang does not support -aux-info so fall back to gcc
-    gcc -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h
+    # Ensure that "gcc -aux-info" produces the same list of functions as the sed command.
+    # The main difference between these way of producing the list of exported
+    # functions is that "gcc -aux-info" automatically inserts "extern" to all
+    # declarations and writes each one on a single line.
+    # clang does not support -aux-info, so skip the test if generating the aux file failed.
+    if ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/semanage/semanage.h
+    then
+        FCT_FROM_AUX="$(awk '/include\/semanage\/.*extern int/ { print $6 }' temp.aux | sort -u)"
+        FCT_FROM_SED="$(cat ../include/semanage/*.h | sed -n 's/^extern \+int \+\([0-9A-Za-z_]\+\) *(.*$/\1/p' | sort -u)"
+        if [ "$FCT_FROM_AUX" != "$FCT_FROM_SED" ]
+        then
+            echo >&2 'Error ensuring that all exported functions that return an int are handled by exception.sh.'
+            echo >&2 'Here are functions that were not found in "gcc -aux-info" but that were collected by "sed":'
+            comm -13 <(echo "$FCT_FROM_AUX") <(echo "$FCT_FROM_SED")
+            echo >&2 'Here are functions in "gcc -aux-info" that may be missing "extern" in header file:'
+            comm -23 <(echo "$FCT_FROM_AUX") <(echo "$FCT_FROM_SED")
+            exit 1
+        fi
+    fi
+    rm -f -- temp.aux -.o
+    exit
 fi
-for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done
+
+# shellcheck disable=SC2013
+for i in $(cat ../include/semanage/*.h | sed -n 's/^extern \+int \+\([0-9A-Za-z_]\+\) *(.*$/\1/p')
+do
+    except "$i"
+done
 rm -f -- temp.aux -.o
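Review bot: the sed side reads every file matching `../include/semanage/*.h`, while the gcc side in the `test` branch only sees headers reachable from semanage.h, so a header in that directory that semanage.h does not include gets `%exception` wrappers generated and the difference is reported only when the test is run with a compiler that supports `-aux-info`. If that is intended, say so in the comment block; otherwise restrict the sed input to the same header set. The `cat ../include/semanage/*.h | sed -n ...` pipelines can pass the files to sed directly. As in the libselinux script, `exit 1` is reached before `rm -f -- temp.aux -.o`, leaving `-.o` behind when the test fails.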
-- 
2.23.0



* Re: [PATCH 1/3] Makefile: fix cleaning files that starts with "-"
  2019-11-01  9:27 [PATCH 1/3] Makefile: fix cleaning files that starts with "-" Nicolas Iooss
  2019-11-01  9:27 ` [PATCH 2/3] libselinux: generate Python glue code using "sed" Nicolas Iooss
  2019-11-01  9:27 ` [PATCH 3/3] libsemanage: " Nicolas Iooss
@ 2019-11-04 15:16 ` Stephen Smalley
  2019-11-11  9:50   ` Nicolas Iooss
  2 siblings, 1 reply; 6+ messages in thread
From: Stephen Smalley @ 2019-11-04 15:16 UTC (permalink / raw)
  To: Nicolas Iooss, selinux; +Cc: Michael Shigorin

On 11/1/19 5:27 AM, Nicolas Iooss wrote:
> libselinux/src/exception.sh creates a file named "-.o". This file is
> usually removed at the end of this script, but some failures in it could
> leave it on the filesystem. "make clean" is then supposed to remove this
> file, but fails instead with:
> 
>      rm: invalid option -- '.'
>      Try 'rm ./-.o' to remove the file '-.o'.
>      Try 'rm --help' for more information.
> 
> This is due to "rm -f *.o" being expanded to "rm -f -.o". Prevent this
> buggy expansion by using "./*.o" in the command line. While at it, do so
> for other patterns like "*~".

Does any other software package use this idiom for clean?  I haven't 
seen it.  I'm wondering if we aren't better off doing any/all of the 
following:

1) Fix exception.sh to not create files starting in "-",
2) Fix our clean targets to only delete explicitly generated object file 
lists; some of them at least already have $(OBJS) $(LOBJS) so why do we 
need the extra wildcard?
3) Maybe use $(wildcard ...)?

> 
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
>   checkpolicy/test/Makefile                | 2 +-
>   libselinux/src/Makefile                  | 4 ++--
>   libselinux/utils/Makefile                | 2 +-
>   libsemanage/src/Makefile                 | 2 +-
>   libsepol/utils/Makefile                  | 2 +-
>   mcstrans/Makefile                        | 2 +-
>   mcstrans/man/Makefile                    | 2 +-
>   mcstrans/src/Makefile                    | 2 +-
>   mcstrans/utils/Makefile                  | 2 +-
>   policycoreutils/load_policy/Makefile     | 2 +-
>   policycoreutils/newrole/Makefile         | 2 +-
>   policycoreutils/po/Makefile              | 2 +-
>   policycoreutils/run_init/Makefile        | 2 +-
>   policycoreutils/secon/Makefile           | 2 +-
>   policycoreutils/semodule/Makefile        | 2 +-
>   policycoreutils/sestatus/Makefile        | 2 +-
>   policycoreutils/setfiles/Makefile        | 2 +-
>   policycoreutils/setsebool/Makefile       | 2 +-
>   python/audit2allow/Makefile              | 2 +-
>   python/sepolgen/Makefile                 | 2 +-
>   python/sepolgen/src/Makefile             | 2 +-
>   python/sepolgen/src/sepolgen/Makefile    | 2 +-
>   python/sepolgen/src/share/Makefile       | 2 +-
>   python/sepolgen/tests/Makefile           | 2 +-
>   python/sepolicy/Makefile                 | 2 +-
>   restorecond/Makefile                     | 2 +-
>   sandbox/Makefile                         | 2 +-
>   semodule-utils/semodule_expand/Makefile  | 2 +-
>   semodule-utils/semodule_link/Makefile    | 2 +-
>   semodule-utils/semodule_package/Makefile | 2 +-
>   30 files changed, 31 insertions(+), 31 deletions(-)
> 
> diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
> index 89e7557c7aa6..ec8cc7299e4b 100644
> --- a/checkpolicy/test/Makefile
> +++ b/checkpolicy/test/Makefile
> @@ -19,4 +19,4 @@ dismod: dismod.o $(LIBSEPOLA)
>   	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
>   
>   clean:
> -	-rm -f dispol dismod *.o
> +	-rm -f dispol dismod ./*.o
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index 2b1696a0c17b..63d6b0eda270 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -187,13 +187,13 @@ relabel:
>   clean-pywrap:
>   	-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
>   	$(PYTHON) setup.py clean
> -	-rm -rf build *~ \#* *pyc .#*
> +	-rm -rf build ./*~ \#* ./*pyc .#*
>   
>   clean-rubywrap:
>   	-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
>   
>   clean: clean-pywrap clean-rubywrap
> -	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) *.o *.lo *~
> +	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(TARGET) ./*.o ./*.lo ./*~
>   
>   distclean: clean
>   	rm -f $(GENERATED) $(SWIGFILES)
> diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
> index 361506384d08..1ac6f7dfd9f7 100644
> --- a/libselinux/utils/Makefile
> +++ b/libselinux/utils/Makefile
> @@ -65,7 +65,7 @@ install: all
>   	install -m 755 $(TARGETS) $(DESTDIR)$(SBINDIR)
>   
>   clean:
> -	rm -f $(TARGETS) *.o *~
> +	rm -f $(TARGETS) ./*.o ./*~
>   
>   distclean: clean
>   
> diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
> index e029f0988dd8..7dcf4715878e 100644
> --- a/libsemanage/src/Makefile
> +++ b/libsemanage/src/Makefile
> @@ -155,7 +155,7 @@ relabel:
>   	/sbin/restorecon $(DESTDIR)$(LIBDIR)/$(LIBSO)
>   
>   clean:
> -	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(SWIGRUBYSO) $(TARGET) conf-parse.c conf-parse.h conf-scan.c *.o *.lo *~
> +	-rm -f $(LIBPC) $(OBJS) $(LOBJS) $(LIBA) $(LIBSO) $(SWIGLOBJ) $(SWIGSO) $(SWIGRUBYSO) $(TARGET) conf-parse.c conf-parse.h conf-scan.c ./*.o ./*.lo ./*~
>   
>   distclean: clean
>   	rm -f $(GENERATED) $(SWIGFILES)
> diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile
> index 31932c111026..26f7a02476a6 100644
> --- a/libsepol/utils/Makefile
> +++ b/libsepol/utils/Makefile
> @@ -16,7 +16,7 @@ install: all
>   	install -m 755 $(TARGETS) $(DESTDIR)$(BINDIR)
>   
>   clean:
> -	-rm -f $(TARGETS) *.o
> +	-rm -f $(TARGETS) ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/mcstrans/Makefile b/mcstrans/Makefile
> index c993a9f52713..c3e4a148c66d 100644
> --- a/mcstrans/Makefile
> +++ b/mcstrans/Makefile
> @@ -8,7 +8,7 @@ install:
>   	$(MAKE) -C man install
>   
>   clean:
> -	rm -f *~ \#*
> +	rm -f ./*~ ./\#*
>   	$(MAKE) -C src clean
>   	$(MAKE) -C utils clean
>   	$(MAKE) -C man clean
> diff --git a/mcstrans/man/Makefile b/mcstrans/man/Makefile
> index 71713818c621..696430155c9f 100644
> --- a/mcstrans/man/Makefile
> +++ b/mcstrans/man/Makefile
> @@ -26,6 +26,6 @@ install: all
>   	done
>   
>   clean:
> -	-rm -f *~ \#*
> +	-rm -f ./*~ \#*
>   	-rm -f man5/*~ man5/\#*
>   	-rm -f man8/*~ man8/\#*
> diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
> index 76ef055714e9..b7f14654889f 100644
> --- a/mcstrans/src/Makefile
> +++ b/mcstrans/src/Makefile
> @@ -34,5 +34,5 @@ install: all
>   	install -m 644 mcstrans.service $(DESTDIR)$(SYSTEMDDIR)/system/
>   
>   clean:
> -	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
> +	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) ./*~ \#*
>   
> diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
> index 9dfe772332b4..90ae75c29317 100644
> --- a/mcstrans/utils/Makefile
> +++ b/mcstrans/utils/Makefile
> @@ -30,7 +30,7 @@ test:
>   	./mlstrans-test-runner.py ../test/*.test
>   
>   clean:
> -	rm -f $(TARGETS) *.o *~ \#*
> +	rm -f $(TARGETS) ./*.o ./*~ \#*
>   
>   relabel:
>   
> diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
> index c1ba805b6a9a..9581eefc27f5 100644
> --- a/policycoreutils/load_policy/Makefile
> +++ b/policycoreutils/load_policy/Makefile
> @@ -26,7 +26,7 @@ install: all
>   	done
>   
>   clean:
> -	-rm -f $(TARGETS) *.o
> +	-rm -f $(TARGETS) ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
> index 73ebd413da85..11b2a40b3d72 100644
> --- a/policycoreutils/newrole/Makefile
> +++ b/policycoreutils/newrole/Makefile
> @@ -83,7 +83,7 @@ endif
>   endif
>   
>   clean:
> -	rm -f newrole *.o
> +	rm -f newrole ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
> index 575e143122e6..b201b90b2392 100644
> --- a/policycoreutils/po/Makefile
> +++ b/policycoreutils/po/Makefile
> @@ -123,7 +123,7 @@ refresh-po: Makefile
>   	done
>   
>   clean:
> -	@rm -fv *mo *~ .depend
> +	@rm -fv ./*mo ./*~ .depend
>   	@rm -rf tmp
>   
>   install: $(MOFILES)
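
Review bot: The glob `./*mo` in this `clean` recipe still has no dot before `mo`, so it matches every name ending in "mo" rather than only `.mo` catalogs. Since the line is being edited anyway, consider `./*.mo`, or delete `$(MOFILES)` explicitly, which the `install` rule in the context below already names. That would also avoid the wildcard that caused the problem in the first place.
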
> diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
> index e86364a496e6..b19540662eba 100644
> --- a/policycoreutils/run_init/Makefile
> +++ b/policycoreutils/run_init/Makefile
> @@ -50,7 +50,7 @@ ifeq ($(PAMH), y)
>   endif
>   
>   clean:
> -	-rm -f $(TARGETS) *.o
> +	-rm -f $(TARGETS) ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
> index 576a6203dfa3..b17997914d69 100644
> --- a/policycoreutils/secon/Makefile
> +++ b/policycoreutils/secon/Makefile
> @@ -32,7 +32,7 @@ relabel:
>   	/sbin/restorecon $(DESTDIR)$(BINDIR)/secon
>   
>   clean:
> -	rm -f *.o core* secon *~ *.bak
> +	rm -f ./*.o core* secon ./*~ ./*.bak
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
> index 73801e487a76..e6520e877252 100644
> --- a/policycoreutils/semodule/Makefile
> +++ b/policycoreutils/semodule/Makefile
> @@ -32,7 +32,7 @@ install: all
>   relabel:
>   
>   clean:
> -	-rm -f semodule *.o genhomedircon
> +	-rm -f semodule ./*.o genhomedircon
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
> index 8c4f45f804f2..4849405ec3cb 100644
> --- a/policycoreutils/sestatus/Makefile
> +++ b/policycoreutils/sestatus/Makefile
> @@ -32,7 +32,7 @@ install: all
>   	install -m 644 sestatus.conf $(DESTDIR)$(ETCDIR)
>   
>   clean:
> -	rm -f sestatus *.o
> +	rm -f sestatus ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
> index bc5a8db789a5..456f288d649b 100644
> --- a/policycoreutils/setfiles/Makefile
> +++ b/policycoreutils/setfiles/Makefile
> @@ -45,7 +45,7 @@ install: all
>   	done
>   
>   clean:
> -	rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man
> +	rm -f setfiles restorecon restorecon_xattr ./*.o setfiles.8.man
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
> index 4b55046cecc4..217cf844aaba 100644
> --- a/policycoreutils/setsebool/Makefile
> +++ b/policycoreutils/setsebool/Makefile
> @@ -32,7 +32,7 @@ install: all
>   relabel:
>   
>   clean:
> -	-rm -f setsebool *.o
> +	-rm -f setsebool ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
> index 15db549081dd..0a8008f63dee 100644
> --- a/python/audit2allow/Makefile
> +++ b/python/audit2allow/Makefile
> @@ -47,7 +47,7 @@ install: all
>   	done
>   
>   clean:
> -	rm -f *~ *.o sepolgen-ifgen-attr-helper test_dummy_policy
> +	rm -f ./*~ ./*.o sepolgen-ifgen-attr-helper test_dummy_policy
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/python/sepolgen/Makefile b/python/sepolgen/Makefile
> index 3aed330499a4..01d7b46c6918 100644
> --- a/python/sepolgen/Makefile
> +++ b/python/sepolgen/Makefile
> @@ -8,7 +8,7 @@ relabel: ;
>   clean:
>   	$(MAKE) -C src $@
>   	$(MAKE) -C tests $@
> -	rm -f *~ *.pyc
> +	rm -f ./*~ ./*.pyc
>   	rm -f parser.out parsetab.py
>   
>   indent: ;
> diff --git a/python/sepolgen/src/Makefile b/python/sepolgen/src/Makefile
> index 2815a13d3499..3e55309f8dcf 100644
> --- a/python/sepolgen/src/Makefile
> +++ b/python/sepolgen/src/Makefile
> @@ -9,7 +9,7 @@ relabel: ;
>   clean:
>   	$(MAKE) -C sepolgen $@
>   	$(MAKE) -C share $@
> -	rm -f *~ *.pyc
> +	rm -f ./*~ ./*.pyc
>   	rm -f parser.out parsetab.py
>   
>   indent: ;
> diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile
> index cac8def7204e..83b17bb80227 100644
> --- a/python/sepolgen/src/sepolgen/Makefile
> +++ b/python/sepolgen/src/sepolgen/Makefile
> @@ -11,5 +11,5 @@ install: all
>   
>   clean:
>   	rm -f parser.out parsetab.py
> -	rm -f *~ *.pyc
> +	rm -f ./*~ ./*.pyc
>   	rm -rf __pycache__
> diff --git a/python/sepolgen/src/share/Makefile b/python/sepolgen/src/share/Makefile
> index 1a7133cbf5cb..4045be56597b 100644
> --- a/python/sepolgen/src/share/Makefile
> +++ b/python/sepolgen/src/share/Makefile
> @@ -7,4 +7,4 @@ install: all
>   	install -m 644 perm_map $(DESTDIR)$(SHAREDIR)
>   
>   clean:
> -	rm -f *~
> +	rm -f ./*~
> diff --git a/python/sepolgen/tests/Makefile b/python/sepolgen/tests/Makefile
> index 83d072f4e6aa..a5c23899e8fd 100644
> --- a/python/sepolgen/tests/Makefile
> +++ b/python/sepolgen/tests/Makefile
> @@ -1,7 +1,7 @@
>   PYTHON ?= python3
>   
>   clean:
> -	rm -f *~ *.pyc
> +	rm -f ./*~ ./*.pyc
>   	rm -f parser.out parsetab.py
>   	rm -f out.txt
>   	rm -f module_compile_test.fc
> diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
> index 69f29fa962f9..0f55c5f30804 100644
> --- a/python/sepolicy/Makefile
> +++ b/python/sepolicy/Makefile
> @@ -18,7 +18,7 @@ python-build:
>   
>   clean:
>   	$(PYTHON) setup.py clean
> -	-rm -rf build *~ \#* *pyc .#*
> +	-rm -rf build ./*~ \#* ./*pyc .#*
>   
>   sepolgen:
>   	ln -sf sepolicy sepolgen
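
Review bot: `./*pyc` in this `clean` recipe has no dot before `pyc`, while the sepolgen Makefiles in the same patch use `./*.pyc`. Because this recipe runs `rm -rf`, the broader pattern would also remove a directory whose name merely ends in "pyc". Using `./*.pyc` here would match the other hunks and narrow what gets deleted.
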
> diff --git a/restorecond/Makefile b/restorecond/Makefile
> index 12452cd2f8e1..f200d70e6a8e 100644
> --- a/restorecond/Makefile
> +++ b/restorecond/Makefile
> @@ -54,7 +54,7 @@ relabel: install
>   	/sbin/restorecon $(DESTDIR)$(SBINDIR)/restorecond
>   
>   clean:
> -	-rm -f restorecond *.o *~
> +	-rm -f restorecond ./*.o ./*~
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/sandbox/Makefile b/sandbox/Makefile
> index 9da5e58db9e6..e0e2be5574ce 100644
> --- a/sandbox/Makefile
> +++ b/sandbox/Makefile
> @@ -44,7 +44,7 @@ test:
>   	@$(PYTHON) test_sandbox.py -v
>   
>   clean:
> -	-rm -f seunshare *.o *~
> +	-rm -f seunshare ./*.o ./*~
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/semodule-utils/semodule_expand/Makefile b/semodule-utils/semodule_expand/Makefile
> index e63dcff246d9..e5022fb598e7 100644
> --- a/semodule-utils/semodule_expand/Makefile
> +++ b/semodule-utils/semodule_expand/Makefile
> @@ -26,7 +26,7 @@ install: all
>   relabel:
>   
>   clean:
> -	-rm -f semodule_expand *.o
> +	-rm -f semodule_expand ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/semodule-utils/semodule_link/Makefile b/semodule-utils/semodule_link/Makefile
> index c5cf69cd9ca3..ba5d97d115ad 100644
> --- a/semodule-utils/semodule_link/Makefile
> +++ b/semodule-utils/semodule_link/Makefile
> @@ -26,7 +26,7 @@ install: all
>   relabel:
>   
>   clean:
> -	-rm -f semodule_link *.o
> +	-rm -f semodule_link ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> diff --git a/semodule-utils/semodule_package/Makefile b/semodule-utils/semodule_package/Makefile
> index 680ab836cfe6..c53628ae1365 100644
> --- a/semodule-utils/semodule_package/Makefile
> +++ b/semodule-utils/semodule_package/Makefile
> @@ -28,7 +28,7 @@ install: all
>   relabel:
>   
>   clean:
> -	-rm -f semodule_package semodule_unpackage *.o
> +	-rm -f semodule_package semodule_unpackage ./*.o
>   
>   indent:
>   	../../scripts/Lindent $(wildcard *.[ch])
> 



* Re: [PATCH 2/3] libselinux: generate Python glue code using "sed"
  2019-11-01  9:27 ` [PATCH 2/3] libselinux: generate Python glue code using "sed" Nicolas Iooss
@ 2019-11-04 15:18   ` Stephen Smalley
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Smalley @ 2019-11-04 15:18 UTC (permalink / raw)
  To: Nicolas Iooss, selinux; +Cc: Michael Shigorin

On 11/1/19 5:27 AM, Nicolas Iooss wrote:
> libselinux currently uses "gcc -aux-info" in order to generate glue code
> for its Python bindings that throws an exception when a function returns
> a negative integer value. This causes issues when another compiler than
> gcc is used (such as clang or icc), as option -aux-info is specific to
> gcc.
> 
> Replace "gcc -aux-info" with a command that parses the content of header
> files using "sed". As this is more fragile (because the declaration of
> functions is not normalized), add a new target to the Makefile in order
> to test that the new method does not produce different results with
> "make CC=gcc test".
> 
> When reverting commit cfe487409307 ("libselinux: mark all exported
> function "extern""), "make test" now fails as expected:
> 
>      bash -e exception.sh test
>      Error ensuring that all exported functions that return an int are handled by exception.sh.
>      Here are functions that were not found in "gcc -aux-info" but that were collected by "sed":
>      Here are functions in "gcc -aux-info" that may be missing "extern" in header file:
>      selinuxfs_exists
>      make: *** [Makefile:202: test] Error 1
> 
> Original thread: https://lore.kernel.org/selinux/20191012172357.GB19655@imap.altlinux.org/T/#ma78bd7fe71fb5784387a8c0cebd867d6c02ee6e4

I'm not excited about moving to a more fragile method of generating this 
glue code. Would it perhaps suffice for us to pre-generate the files and 
keep them in-tree (or package them as part of the tar file 
distributions) so that downstream users without gcc can just use the 
generated files?

> 
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> Cc: Michael Shigorin <mike@altlinux.org>
> ---
>   libselinux/Makefile         |  1 +
>   libselinux/src/Makefile     |  5 ++++-
>   libselinux/src/exception.sh | 38 +++++++++++++++++++++++++++++++------
>   3 files changed, 37 insertions(+), 7 deletions(-)
> 
> diff --git a/libselinux/Makefile b/libselinux/Makefile
> index 16531fe95bf5..c0ae884f8ede 100644
> --- a/libselinux/Makefile
> +++ b/libselinux/Makefile
> @@ -67,3 +67,4 @@ clean-rubywrap:
>   	$(MAKE) -C src clean-rubywrap $@
>   
>   test:
> +	$(MAKE) -C src test
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index 63d6b0eda270..c12230a17b1d 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -198,7 +198,10 @@ clean: clean-pywrap clean-rubywrap
>   distclean: clean
>   	rm -f $(GENERATED) $(SWIGFILES)
>   
> +test:
> +	bash -e exception.sh test
> +
>   indent:
>   	../../scripts/Lindent $(filter-out $(GENERATED),$(wildcard *.[ch]))
>   
> -.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install install-pywrap install-rubywrap distclean
> +.PHONY: all clean clean-pywrap clean-rubywrap pywrap rubywrap swigify install install-pywrap install-rubywrap distclean test indent
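
Review bot: The `.PHONY` line gains `indent` as well as the new `test` target, and the commit message does not mention it; note it there or split it into its own patch. In the `test` recipe, `bash -e exception.sh test` already passes `-e` on the command line, so the `-e` added to the script's first line in the same patch is redundant for this caller. Pick one place to set it.
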
> diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh
> index d6c8c71713ad..adbb632c2f04 100755
> --- a/libselinux/src/exception.sh
> +++ b/libselinux/src/exception.sh
> @@ -1,11 +1,12 @@
> +#!/bin/bash -e
>   function except() {
> -case $1 in
> +case "$1" in
>       selinux_file_context_cmp) # ignore
>       ;;
>       *)
>   echo "
>   %exception $1 {
> -  \$action
> +  \$action
>     if (result < 0) {
>        PyErr_SetFromErrno(PyExc_OSError);
>        SWIG_fail;
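
Review bot: The `-e` in the new `#!/bin/bash -e` first line only takes effect when the script is executed directly. A caller that runs `bash exception.sh` gets no errexit, so `set -e` in the script body would be more robust. The `\$action` line is removed and re-added with no visible difference, which looks like a whitespace-only change that should be dropped or mentioned in the commit message.
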
> @@ -15,10 +16,35 @@ echo "
>   ;;
>   esac
>   }
> -if ! ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
> +
> +if [ $# -eq 1 ] && [ "$1" = "test" ]
>   then
> -    # clang does not support -aux-info so fall back to gcc
> -    gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
> +    # Ensure that "gcc -aux-info" produces the same list of functions as the sed command.
> +    # The main difference between these way of producing the list of exported
> +    # functions is that "gcc -aux-info" automatically inserts "extern" to all
> +    # declarations and writes each one on a single line.
> +    # clang does not support -aux-info, so skip the test if generating the aux file failed.
> +    if ${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
> +    then
> +        FCT_FROM_AUX="$(awk '/<stdin>.*extern int/ { print $6 }' temp.aux | sort -u)"
> +        FCT_FROM_SED="$(sed -n 's/^extern \+int \+\([0-9A-Za-z_]\+\) *(.*$/\1/p' < ../include/selinux/selinux.h | sort -u)"
> +        if [ "$FCT_FROM_AUX" != "$FCT_FROM_SED" ]
> +        then
> +            echo >&2 'Error ensuring that all exported functions that return an int are handled by exception.sh.'
> +            echo >&2 'Here are functions that were not found in "gcc -aux-info" but that were collected by "sed":'
> +            comm -13 <(echo "$FCT_FROM_AUX") <(echo "$FCT_FROM_SED")
> +            echo >&2 'Here are functions in "gcc -aux-info" that may be missing "extern" in header file:'
> +            comm -23 <(echo "$FCT_FROM_AUX") <(echo "$FCT_FROM_SED")
> +            exit 1
> +        fi
> +    fi
> +    rm -f -- temp.aux -.o
> +    exit
>   fi
> -for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
> +
> +# shellcheck disable=SC2013
> +for i in $(sed -n 's/^extern \+int \+\([0-9A-Za-z_]\+\) *(.*$/\1/p' < ../include/selinux/selinux.h)
> +do
> +    except "$i"
> +done
>   rm -f -- temp.aux -.o
> 
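
Review bot: In the `test` branch, a failing `${CC:-gcc} ... -aux-info temp.aux` falls through to `rm -f -- temp.aux -.o` and a bare `exit`, so with clang, or with a header that fails to compile for any other reason, `make test` succeeds without comparing anything. Print a "test skipped" message to stderr in that case so the result is not mistaken for a pass. The two `comm` calls write the function names to stdout while the surrounding messages use `echo >&2`, so the report is split across streams. The sed expression relies on `\+`, which is a GNU extension in basic regular expressions; that is worth a comment or a portable spelling such as `\{1,\}` in a change aimed at non-gcc build environments.
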



* Re: [PATCH 1/3] Makefile: fix cleaning files that starts with "-"
  2019-11-04 15:16 ` [PATCH 1/3] Makefile: fix cleaning files that starts with "-" Stephen Smalley
@ 2019-11-11  9:50   ` Nicolas Iooss
  0 siblings, 0 replies; 6+ messages in thread
From: Nicolas Iooss @ 2019-11-11  9:50 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list, Michael Shigorin

On Mon, Nov 4, 2019 at 4:16 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On 11/1/19 5:27 AM, Nicolas Iooss wrote:
> > libselinux/src/exception.sh creates a file named "-.o". This file is
> > > usually removed at the end of this script, but some failures in it could
> > > leave it on the filesystem. "make clean" is then supposed to remove this
> > file, but fails instead with:
> >
> >      rm: invalid option -- '.'
> >      Try 'rm ./-.o' to remove the file '-.o'.
> >      Try 'rm --help' for more information.
> >
> > This is due to "rm -f *.o" being expanded to "rm -f -.o". Prevent this
> > buggy expansion by using "./*.o" in the command line. While at it, do so
> > for other patterns like "*~".
>
> Does any other software package use this idiom for clean?  I haven't
> seen it.  I'm wondering if we aren't better off doing any/all of the
> following:
>
> 1) Fix exception.sh to not create files starting in "-",
> 2) Fix our clean targets to only delete explicitly generated object file
> lists; some of them at least already have $(OBJS) $(LOBJS) so why do we
> need the extra wildcard?
> 3) Maybe use $(wildcard ...)?

The only other software that use "./*..." or "rm -- *..." are those
which handle directories with "untrusted content", i.e. with files
whose names may be created by an attacker. Such a threat model is not
applicable on a build management system, which is why only a few
projects use ./* or "rm --" in "make clean".

Therefore I agree with considering that creating a file starting with
"-" is a bug. I will send a patch to fix exception.sh (by adding "-o
temp.o" to some commands). Thanks for your feedback.
Nicolas
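
The glob expansion problem from this thread, and the two idioms named in the message above, reproduced in a scratch directory. This is an added example, not part of the original message or of the SELinux tree; the function name `try_clean` and the files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a leftover file named "-.o" next to an ordinary "a.o".

# Run one cleanup style in a fresh scratch directory.
# Prints "<rm exit status> <number of .o files left>".
try_clean() {
    style=$1
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > ./-.o          # the file exception.sh can leave behind
        : > ./a.o          # a normal object file
        status=0
        case $style in
            # The shell expands *.o to "-.o a.o"; rm parses "-.o" as options.
            bare)    rm -f *.o    2>/dev/null || status=$? ;;
            # Every expanded word starts with "./", so none looks like an option.
            dotpath) rm -f ./*.o  2>/dev/null || status=$? ;;
            # "--" ends option parsing; later words are always operands.
            ddash)   rm -f -- *.o 2>/dev/null || status=$? ;;
        esac
        left=$(find . -name '*.o' | wc -l | tr -d ' ')
        echo "$status $left"
    )
    rm -rf -- "$dir"
}

for style in bare dotpath ddash; do
    echo "$style: $(try_clean "$style")"
done
```

With the bare glob, `rm` rejects the whole command line, so even `a.o` survives despite `-f`.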


