selinux.vger.kernel.org archive mirror
* [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings
@ 2020-04-12  8:09 Nicolas Iooss
  2020-04-12  8:10 ` [PATCH 2/3] libselinux: copy the reason why selinux_status_open() returns 1 Nicolas Iooss
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Nicolas Iooss @ 2020-04-12  8:09 UTC (permalink / raw)
  To: selinux

The Python bindings for libselinux expose functions such as
avc_has_perm(), get_ordered_context_list(), etc. When these functions
encounter an error, they set errno accordingly and return a negative
value. In order to get the value of errno from Python code, it needs to
be "forwarded" in a way. This is achieved by glue code in
selinuxswig_python_exception.i, which implements raising an OSError
exception from the value of errno.

selinuxswig_python_exception.i was only generating glue code from
functions declared in selinux.h and not in other headers. Add other
headers.

selinuxswig_python_exception.i is generated by "bash exception.sh". Mark
the fact that exception.sh is a Bash script by adding a shebang. This
makes "shellcheck" not warn about the Bash array which is used to list
header files.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libselinux/src/exception.sh                   |  18 +-
 libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++
 2 files changed, 412 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh
index 33ceef804af5..644c7a05ec54 100755
--- a/libselinux/src/exception.sh
+++ b/libselinux/src/exception.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 function except() {
 case $1 in
     selinux_file_context_cmp) # ignore
@@ -15,10 +17,22 @@ echo "
 ;;
 esac
 }
-if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
+
+# Make sure that selinux.h is included first in order not to depend on the order
+# in which "#include <selinux/selinux.h>" appears in other files.
+FILE_LIST=(
+    ../include/selinux/selinux.h
+    ../include/selinux/avc.h
+    ../include/selinux/context.h
+    ../include/selinux/get_context_list.h
+    ../include/selinux/get_default_type.h
+    ../include/selinux/label.h
+    ../include/selinux/restorecon.h
+)
+if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux
 then
     # clang does not support -aux-info so fall back to gcc
-    gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
+    cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux
 fi
 for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done 
 rm -f -- temp.aux temp.o
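Review bot: In the new `if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} ...` line the exit status being tested is only the compiler's, so a header that is missing or misspelled in FILE_LIST makes cat fail while the pipeline still succeeds on the remaining input, and the functions declared in that header silently get no %exception block. Consider `set -o pipefail` near the top (the script is now explicitly Bash) or a readability check on each FILE_LIST entry before the pipeline; the same applies to the gcc fallback line. A short comment that the awk filter matches `<stdin>`, and therefore depends on the headers being fed through stdin rather than passed as file arguments, would also help the next person who edits this.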
diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
index cf6582595ee7..9f1f86a5564d 100644
--- a/libselinux/src/selinuxswig_python_exception.i
+++ b/libselinux/src/selinuxswig_python_exception.i
@@ -952,3 +952,399 @@
   }
 }
 
+
+%exception avc_sid_to_context {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_sid_to_context_raw {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_context_to_sid {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_context_to_sid_raw {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception sidget {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception sidput {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_get_initial_sid {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_init {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_open {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_reset {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_has_perm_noaudit {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_has_perm {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_compute_create {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_compute_member {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_add_callback {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_netlink_open {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_netlink_acquire_fd {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception avc_netlink_check_nb {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_status_open {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_status_updated {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_status_getenforce {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_status_policyload {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_status_deny_unknown {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception context_type_set {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception context_range_set {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception context_role_set {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception context_user_set {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception get_ordered_context_list {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception get_ordered_context_list_with_level {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception get_default_context {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception get_default_context_with_level {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception get_default_context_with_role {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception get_default_context_with_rolelevel {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception query_user_context {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception manual_user_enter_context {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception get_default_type {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selabel_lookup {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selabel_lookup_raw {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selabel_lookup_best_match {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selabel_lookup_best_match_raw {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selabel_digest {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_restorecon {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_restorecon_set_alt_rootpath {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
+
+%exception selinux_restorecon_xattr {
+  $action
+  if (result < 0) {
+     PyErr_SetFromErrno(PyExc_OSError);
+     SWIG_fail;
+  }
+}
+
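Review bot: The blocks added for context_type_set, context_range_set, context_role_set and context_user_set test `result < 0`, but patch 3/3 of this series says these functions return 1 on error until it is applied, so at this commit those four wrappers can never raise. Either move the return-value change ahead of this patch or state the dependency in the commit message, so that a bisect landing here is not misleading. For selinux_status_open the `< 0` test is the right one, since patch 2/3 documents 1 as a non-error return.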
-- 
2.26.0



* [PATCH 2/3] libselinux: copy the reason why selinux_status_open() returns 1
  2020-04-12  8:09 [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings Nicolas Iooss
@ 2020-04-12  8:10 ` Nicolas Iooss
  2020-04-12  8:10 ` [PATCH 3/3] libselinux: make context_*_set() return -1 when an error occurs Nicolas Iooss
  2020-04-13 14:18 ` [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings William Roberts
  2 siblings, 0 replies; 7+ messages in thread
From: Nicolas Iooss @ 2020-04-12  8:10 UTC (permalink / raw)
  To: selinux

The function comment of selinux_status_open() states:

    It returns 0 on success, or -1 on error.

However the implementation of this function can also return 1. This is
documented in its manpage (libselinux/man/man3/selinux_status_open.3) as
intended. Copy the reason near the function definition in order to make
the code more auditable.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libselinux/src/sestatus.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
index ede5a28980bf..86267ff89646 100644
--- a/libselinux/src/sestatus.c
+++ b/libselinux/src/sestatus.c
@@ -250,7 +250,9 @@ static int fallback_cb_policyload(int policyload)
  * Since Linux 2.6.37 or later supports this feature, we may run
  * fallback routine using a netlink socket on older kernels, if
  * the supplied `fallback' is not zero.
- * It returns 0 on success, or -1 on error.
+ * It returns 0 on success, -1 on error or 1 when we are ready to
+ * use these interfaces, but netlink socket was opened as fallback
+ * instead of the kernel status page.
  */
 int selinux_status_open(int fallback)
 {
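Review bot: The new comment packs three return values into one sentence and does not say what a caller should test, so a caller that treats any non-zero value as failure will reject the netlink fallback case. Consider one line per value (0, 1, -1) plus a statement that only a negative value is an error, which also matches the `result < 0` check used by the Python glue in patch 1/3. Minor wording: "but the netlink socket was opened".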
-- 
2.26.0



* [PATCH 3/3] libselinux: make context_*_set() return -1 when an error occurs
  2020-04-12  8:09 [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings Nicolas Iooss
  2020-04-12  8:10 ` [PATCH 2/3] libselinux: copy the reason why selinux_status_open() returns 1 Nicolas Iooss
@ 2020-04-12  8:10 ` Nicolas Iooss
  2020-04-13 14:18 ` [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings William Roberts
  2 siblings, 0 replies; 7+ messages in thread
From: Nicolas Iooss @ 2020-04-12  8:10 UTC (permalink / raw)
  To: selinux

In libselinux, most functions set errno and return -1 when an error
occurs. But some functions return 1 instead, such as context_type_set(),
context_role_set(), etc. This increases the difficulty of writing Python
bindings of these functions without much benefit.

Return -1 instead (errno was already set).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libselinux/src/context.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libselinux/src/context.c b/libselinux/src/context.c
index 090264a49eb1..ce4258806c53 100644
--- a/libselinux/src/context.c
+++ b/libselinux/src/context.c
@@ -151,14 +151,14 @@ static int set_comp(context_private_t * n, int idx, const char *str)
 	if (str) {
 		t = (char *)malloc(strlen(str) + 1);
 		if (!t) {
-			return 1;
+			return -1;
 		}
 		for (p = str; *p; p++) {
 			if (*p == '\t' || *p == '\n' || *p == '\r' ||
 			    ((*p == ':' || *p == ' ') && idx != COMP_RANGE)) {
 				free(t);
 				errno = EINVAL;
-				return 1;
+				return -1;
 			}
 		}
 		strcpy(t, str);
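Review bot: On the `if (!t)` path the hunk now returns -1 without setting errno in the visible code, so the "errno was already set" statement in the commit message rests on malloc() having set ENOMEM, whereas the EINVAL path sets it explicitly. An explicit `errno = ENOMEM;` before that return would make both paths self-evident. Separately, this changes the return value seen by callers of the context_*_set() functions while the diffstat touches only context.c: any caller that compares the result with 1, and any header comment or man page that documents 1, needs a look in the same series.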
-- 
2.26.0
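
The errno forwarding discussed in patches 1/3 and 3/3 above, as an added example that is not part of the original thread or of libselinux. It applies the same "negative result becomes OSError" rule to a real libc call through ctypes, then to a Python model of the set_comp() validation, to show why a function that returns 1 on error slips past the check. The names check_result, model_set_comp and wrapped_set are hypothetical, and the COMP_RANGE value is an assumption used only by the model.

```python
import ctypes
import errno
import os

COMP_RANGE = 3  # assumed index value; only meaningful inside this model


def check_result(result):
    """Same rule as the generated %exception blocks: result < 0 -> OSError."""
    if result < 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))
    return result


def errcheck(result, func, args):
    """ctypes hook that runs after every call to a wrapped C function."""
    return check_result(result)


# Constructed stand-in for a C library that reports errors through errno.
# use_errno=True makes ctypes keep a private copy of errno for each call.
libc = ctypes.CDLL(None, use_errno=True)
libc.chdir.argtypes = [ctypes.c_char_p]
libc.chdir.restype = ctypes.c_int
libc.chdir.errcheck = errcheck


def model_set_comp(value, idx, error_return):
    """Python model of the character validation shown in the set_comp() hunk.

    error_return is 1 for the behaviour before patch 3/3 and -1 after it.
    """
    for ch in value:
        if ch in "\t\n\r" or (ch in ": " and idx != COMP_RANGE):
            ctypes.set_errno(errno.EINVAL)
            return error_return
    return 0


def wrapped_set(value, idx, error_return):
    """Model of a context_*_set() binding guarded by the result < 0 check."""
    return check_result(model_set_comp(value, idx, error_return))


if __name__ == "__main__":
    # Real C call: chdir() returns -1 and sets errno, which becomes OSError.
    try:
        libc.chdir(b"/constructed/path/that/does/not/exist")
    except OSError as exc:
        print("chdir:", errno.errorcode[exc.errno])

    # Before patch 3/3: the error value 1 passes the check unnoticed.
    print("old convention returned:", wrapped_set("bad:type", 2, 1))

    # After patch 3/3: the same invalid input raises with errno EINVAL.
    try:
        wrapped_set("bad:type", 2, -1)
    except OSError as exc:
        print("new convention raised:", errno.errorcode[exc.errno])

    # A colon is accepted in the range component in both conventions.
    print("range ok:", wrapped_set("s0:c0.c1023", COMP_RANGE, -1))
```
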



* Re: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings
  2020-04-12  8:09 [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings Nicolas Iooss
  2020-04-12  8:10 ` [PATCH 2/3] libselinux: copy the reason why selinux_status_open() returns 1 Nicolas Iooss
  2020-04-12  8:10 ` [PATCH 3/3] libselinux: make context_*_set() return -1 when an error occurs Nicolas Iooss
@ 2020-04-13 14:18 ` William Roberts
  2020-04-13 16:14   ` Nicolas Iooss
  2 siblings, 1 reply; 7+ messages in thread
From: William Roberts @ 2020-04-13 14:18 UTC (permalink / raw)
  To: Nicolas Iooss; +Cc: SElinux list

On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> The Python bindings for libselinux expose functions such as
> avc_has_perm(), get_ordered_context_list(), etc. When these functions
> encounter an error, they set errno accordingly and return a negative
> value. In order to get the value of errno from Python code, it needs to
> be "forwarded" in a way. This is achieved by glue code in
> selinuxswig_python_exception.i, which implement raising an OSError
> exception from the value of errno.
>
> selinuxswig_python_exception.i was only generating glue code from
> functions declared in selinux.h and not in other headers. Add other
> headers.
>
> selinuxswig_python_exception.i is generated by "bash exception.sh". Mark
> the fact that exception.sh is a Bash script by adding a shebang. This
> makes "shellcheck" not warn about the Bash array which is used to list
> header files.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
>  libselinux/src/exception.sh                   |  18 +-
>  libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++
>  2 files changed, 412 insertions(+), 2 deletions(-)
>
> diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh
> index 33ceef804af5..644c7a05ec54 100755
> --- a/libselinux/src/exception.sh
> +++ b/libselinux/src/exception.sh
> @@ -1,3 +1,5 @@
> +#!/bin/bash
> +
>  function except() {
>  case $1 in
>      selinux_file_context_cmp) # ignore
> @@ -15,10 +17,22 @@ echo "
>  ;;
>  esac
>  }
> -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
> +
> +# Make sure that selinux.h is included first in order not to depend on the order
> +# in which "#include <selinux/selinux.h>" appears in other files.
> +FILE_LIST=(
> +    ../include/selinux/selinux.h
> +    ../include/selinux/avc.h
> +    ../include/selinux/context.h
> +    ../include/selinux/get_context_list.h
> +    ../include/selinux/get_default_type.h
> +    ../include/selinux/label.h
> +    ../include/selinux/restorecon.h
> +)
> +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux
>  then
>      # clang does not support -aux-info so fall back to gcc
> -    gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
> +    cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux
>  fi
>  for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
>  rm -f -- temp.aux temp.o
> diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
> index cf6582595ee7..9f1f86a5564d 100644
> --- a/libselinux/src/selinuxswig_python_exception.i
> +++ b/libselinux/src/selinuxswig_python_exception.i
> @@ -952,3 +952,399 @@
>    }
>  }
>
> +
> +%exception avc_sid_to_context {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_sid_to_context_raw {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_context_to_sid {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_context_to_sid_raw {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception sidget {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception sidput {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_get_initial_sid {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_init {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_open {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_reset {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_has_perm_noaudit {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_has_perm {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_compute_create {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_compute_member {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_add_callback {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_netlink_open {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_netlink_acquire_fd {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception avc_netlink_check_nb {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_status_open {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_status_updated {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_status_getenforce {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_status_policyload {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_status_deny_unknown {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception context_type_set {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception context_range_set {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception context_role_set {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception context_user_set {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception get_ordered_context_list {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception get_ordered_context_list_with_level {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception get_default_context {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception get_default_context_with_level {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception get_default_context_with_role {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception get_default_context_with_rolelevel {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception query_user_context {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception manual_user_enter_context {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception get_default_type {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selabel_lookup {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selabel_lookup_raw {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selabel_lookup_best_match {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selabel_lookup_best_match_raw {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selabel_digest {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_restorecon {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_restorecon_set_alt_rootpath {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> +
> +%exception selinux_restorecon_xattr {
> +  $action
> +  if (result < 0) {
> +     PyErr_SetFromErrno(PyExc_OSError);
> +     SWIG_fail;
> +  }
> +}
> +
> --
> 2.26.0
>

A few comments:
- overall looks fine, builds and works as expected.
- Why the double newline space on the exception swig file? The other
.i files seem to do a single newline?
  Is there something I am missing with syntax?
- I have the following whitespace warning:
Applying: libselinux: add missing glue code to grab errno in Python bindings
.git/rebase-apply/patch:444: new blank line at EOF.
+
warning: 1 line adds whitespace errors.


* Re: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings
  2020-04-13 14:18 ` [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings William Roberts
@ 2020-04-13 16:14   ` Nicolas Iooss
  2020-04-13 17:49     ` Roberts, William C
  0 siblings, 1 reply; 7+ messages in thread
From: Nicolas Iooss @ 2020-04-13 16:14 UTC (permalink / raw)
  To: William Roberts; +Cc: SElinux list

On Mon, Apr 13, 2020 at 4:18 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> >
> > The Python bindings for libselinux expose functions such as
> > avc_has_perm(), get_ordered_context_list(), etc. When these functions
> > encounter an error, they set errno accordingly and return a negative
> > value. In order to get the value of errno from Python code, it needs to
> > be "forwarded" in a way. This is achieved by glue code in
> > selinuxswig_python_exception.i, which implement raising an OSError
> > exception from the value of errno.
> >
> > selinuxswig_python_exception.i was only generating glue code from
> > functions declared in selinux.h and not in other headers. Add other
> > headers.
> >
> > selinuxswig_python_exception.i is generated by "bash exception.sh". Mark
> > the fact that exception.sh is a Bash script by adding a shebang. This
> > makes "shellcheck" not warn about the Bash array which is used to list
> > header files.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> > ---
> >  libselinux/src/exception.sh                   |  18 +-
> >  libselinux/src/selinuxswig_python_exception.i | 396 ++++++++++++++++++
> >  2 files changed, 412 insertions(+), 2 deletions(-)
> >
> > diff --git a/libselinux/src/exception.sh b/libselinux/src/exception.sh
> > index 33ceef804af5..644c7a05ec54 100755
> > --- a/libselinux/src/exception.sh
> > +++ b/libselinux/src/exception.sh
> > @@ -1,3 +1,5 @@
> > +#!/bin/bash
> > +
> >  function except() {
> >  case $1 in
> >      selinux_file_context_cmp) # ignore
> > @@ -15,10 +17,22 @@ echo "
> >  ;;
> >  esac
> >  }
> > -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
> > +
> > +# Make sure that selinux.h is included first in order not to depend on the order
> > +# in which "#include <selinux/selinux.h>" appears in other files.
> > +FILE_LIST=(
> > +    ../include/selinux/selinux.h
> > +    ../include/selinux/avc.h
> > +    ../include/selinux/context.h
> > +    ../include/selinux/get_context_list.h
> > +    ../include/selinux/get_default_type.h
> > +    ../include/selinux/label.h
> > +    ../include/selinux/restorecon.h
> > +)
> > +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux
> >  then
> >      # clang does not support -aux-info so fall back to gcc
> > -    gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
> > +    cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux
> >  fi
> >  for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done
> >  rm -f -- temp.aux temp.o
> > diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
> > index cf6582595ee7..9f1f86a5564d 100644
> > --- a/libselinux/src/selinuxswig_python_exception.i
> > +++ b/libselinux/src/selinuxswig_python_exception.i
> > @@ -952,3 +952,399 @@
> >    }
> >  }
> >
> > +
> > +%exception avc_sid_to_context {
> > +  $action
> > +  if (result < 0) {
> > +     PyErr_SetFromErrno(PyExc_OSError);
> > +     SWIG_fail;
> > +  }
> > +}
> > +
> > +
> > +%exception avc_sid_to_context_raw {
> > +  $action
> > +  if (result < 0) {
> > +     PyErr_SetFromErrno(PyExc_OSError);
> > +     SWIG_fail;
> > +  }
> > +}
[...]
>
> A few comments:
> - overall looks fine, builds and works as expected.
> - Why the double newline space on the exception swig file? The other
> .i files seem to do a single newline?
>   is their something I am missing with syntax?
> - I have the following whitespace warning:
> Applying: libselinux: add missing glue code to grab errno in Python bindings
> .git/rebase-apply/patch:444: new blank line at EOF.
> +
> warning: 1 line adds whitespace errors.

The last two points are due to the way the file is generated, by exception.sh:

echo "
%exception $1 {
  \$action
  if (result < 0) {
     PyErr_SetFromErrno(PyExc_OSError);
     SWIG_fail;
  }
}
"
... this introduces blank lines both before and after each exception
block. We could remove the one after the block by using }" in the
shell script. I will submit a patch that does this once this patch is
merged, as this makes the file cleaner.

Thanks,
Nicolas



* RE: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings
  2020-04-13 16:14   ` Nicolas Iooss
@ 2020-04-13 17:49     ` Roberts, William C
  2020-04-17 20:49       ` William Roberts
  0 siblings, 1 reply; 7+ messages in thread
From: Roberts, William C @ 2020-04-13 17:49 UTC (permalink / raw)
  To: Nicolas Iooss, William Roberts; +Cc: SElinux list

> -----Original Message-----
> From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org]
> On Behalf Of Nicolas Iooss
> Sent: Monday, April 13, 2020 11:15 AM
> To: William Roberts <bill.c.roberts@gmail.com>
> Cc: SElinux list <selinux@vger.kernel.org>
> Subject: Re: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python
> bindings
> 
> On Mon, Apr 13, 2020 at 4:18 PM William Roberts <bill.c.roberts@gmail.com>
> wrote:
> >
> > On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> > >
> > > The Python bindings for libselinux expose functions such as
> > > avc_has_perm(), get_ordered_context_list(), etc. When these
> > > functions encounter an error, they set errno accordingly and return
> > > a negative value. In order to get the value of errno from Python
> > > code, it needs to be "forwarded" in a way. This is achieved by glue
> > > code in selinuxswig_python_exception.i, which implement raising an
> > > OSError exception from the value of errno.
> > >
> > > selinuxswig_python_exception.i was only generating glue code from
> > > functions declared in selinux.h and not in other headers. Add other
> > > headers.
> > >
> > > selinuxswig_python_exception.i is generated by "bash exception.sh".
> > > Mark the fact that exception.sh is a Bash script by adding a
> > > shebang. This makes "shellcheck" not warn about the Bash array which
> > > is used to list header files.
> > >
> > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> > > ---
> > >  libselinux/src/exception.sh                   |  18 +-
> > >  libselinux/src/selinuxswig_python_exception.i | 396
> > > ++++++++++++++++++
> > >  2 files changed, 412 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/libselinux/src/exception.sh
> > > b/libselinux/src/exception.sh index 33ceef804af5..644c7a05ec54
> > > 100755
> > > --- a/libselinux/src/exception.sh
> > > +++ b/libselinux/src/exception.sh
> > > @@ -1,3 +1,5 @@
> > > +#!/bin/bash
> > > +
> > >  function except() {
> > >  case $1 in
> > >      selinux_file_context_cmp) # ignore @@ -15,10 +17,22 @@ echo "
> > >  ;;
> > >  esac
> > >  }
> > > -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux
> > > < ../include/selinux/selinux.h
> > > +
> > > +# Make sure that selinux.h is included first in order not to depend
> > > +on the order # in which "#include <selinux/selinux.h>" appears in other files.
> > > +FILE_LIST=(
> > > +    ../include/selinux/selinux.h
> > > +    ../include/selinux/avc.h
> > > +    ../include/selinux/context.h
> > > +    ../include/selinux/get_context_list.h
> > > +    ../include/selinux/get_default_type.h
> > > +    ../include/selinux/label.h
> > > +    ../include/selinux/restorecon.h
> > > +)
> > > +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o
> > > +temp.o - -aux-info temp.aux
> > >  then
> > >      # clang does not support -aux-info so fall back to gcc
> > > -    gcc -x c -c -I../include -o temp.o - -aux-info temp.aux <
> ../include/selinux/selinux.h
> > > +    cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o -
> > > + -aux-info temp.aux
> > >  fi
> > >  for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do
> > > except $i ; done  rm -f -- temp.aux temp.o diff --git
> > > a/libselinux/src/selinuxswig_python_exception.i
> > > b/libselinux/src/selinuxswig_python_exception.i
> > > index cf6582595ee7..9f1f86a5564d 100644
> > > --- a/libselinux/src/selinuxswig_python_exception.i
> > > +++ b/libselinux/src/selinuxswig_python_exception.i
> > > @@ -952,3 +952,399 @@
> > >    }
> > >  }
> > >
> > > +
> > > +%exception avc_sid_to_context {
> > > +  $action
> > > +  if (result < 0) {
> > > +     PyErr_SetFromErrno(PyExc_OSError);
> > > +     SWIG_fail;
> > > +  }
> > > +}
> > > +
> > > +
> > > +%exception avc_sid_to_context_raw {
> > > +  $action
> > > +  if (result < 0) {
> > > +     PyErr_SetFromErrno(PyExc_OSError);
> > > +     SWIG_fail;
> > > +  }
> > > +}
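
Review bot: Each added `%exception` block tests only `result < 0` and then calls `PyErr_SetFromErrno(PyExc_OSError)`, and nothing clears errno before `$action`. A wrapped function that returns a negative value without setting errno would therefore raise OSError carrying whatever errno an earlier call left behind. Since this patch extends the glue to functions from the additional headers, it is worth confirming that each of them sets errno on every negative return, or setting `errno = 0` ahead of `$action` in the exception.sh template so that the unset case is distinguishable.
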
> [...]
> >
> > A few comments:
> > - overall looks fine, builds and works as expected.
> > - Why the double newline space on the exception swig file? The other
> > .i files seem to do a single newline?
> >   is there something I am missing with syntax?
> > - I have the following whitespace warning:
> > Applying: libselinux: add missing glue code to grab errno in Python
> > bindings
> > .git/rebase-apply/patch:444: new blank line at EOF.
> > +
> > warning: 1 line adds whitespace errors.
> 
> The last two points are due to the way the file is generated, by exception.sh:
> 
> echo "
> %exception $1 {
>   \$action
>   if (result < 0) {
>      PyErr_SetFromErrno(PyExc_OSError);
>      SWIG_fail;
>   }
> }
> "
> ... this introduces blank lines both before and after each exception block. We
> could remove the one after the block by using }" in the shell script. I will submit a
> patch that does this once this patch is merged, as this makes the file cleaner.

WFM. Thanks for fixing this, I used the python bindings eons ago and remember
being frustrated I didn't get really good errors.

Acked-by: William Roberts <william.c.roberts@intel.com>


* Re: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python bindings
  2020-04-13 17:49     ` Roberts, William C
@ 2020-04-17 20:49       ` William Roberts
  0 siblings, 0 replies; 7+ messages in thread
From: William Roberts @ 2020-04-17 20:49 UTC (permalink / raw)
  To: Roberts, William C; +Cc: Nicolas Iooss, SElinux list

>
> > -----Original Message-----
> > From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org]
> > On Behalf Of Nicolas Iooss
> > Sent: Monday, April 13, 2020 11:15 AM
> > To: William Roberts <bill.c.roberts@gmail.com>
> > Cc: SElinux list <selinux@vger.kernel.org>
> > Subject: Re: [PATCH 1/3] libselinux: add missing glue code to grab errno in Python
> > bindings
> >
> > On Mon, Apr 13, 2020 at 4:18 PM William Roberts <bill.c.roberts@gmail.com>
> > wrote:
> > >
> > > On Sun, Apr 12, 2020 at 3:12 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> > > >
> > > > The Python bindings for libselinux expose functions such as
> > > > avc_has_perm(), get_ordered_context_list(), etc. When these
> > > > functions encounter an error, they set errno accordingly and return
> > > > a negative value. In order to get the value of errno from Python
> > > > code, it needs to be "forwarded" in a way. This is achieved by glue
> > > > code in selinuxswig_python_exception.i, which implements raising an
> > > > OSError exception from the value of errno.
> > > >
> > > > selinuxswig_python_exception.i was only generating glue code from
> > > > functions declared in selinux.h and not in other headers. Add other
> > > > headers.
> > > >
> > > > selinuxswig_python_exception.i is generated by "bash exception.sh".
> > > > Mark the fact that exception.sh is a Bash script by adding a
> > > > shebang. This makes "shellcheck" not warn about the Bash array which
> > > > is used to list header files.
> > > >
> > > > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> > > > ---
> > > >  libselinux/src/exception.sh                   |  18 +-
> > > >  libselinux/src/selinuxswig_python_exception.i | 396
> > > > ++++++++++++++++++
> > > >  2 files changed, 412 insertions(+), 2 deletions(-)
> > > >
> > > > diff --git a/libselinux/src/exception.sh
> > > > b/libselinux/src/exception.sh index 33ceef804af5..644c7a05ec54
> > > > 100755
> > > > --- a/libselinux/src/exception.sh
> > > > +++ b/libselinux/src/exception.sh
> > > > @@ -1,3 +1,5 @@
> > > > +#!/bin/bash
> > > > +
> > > >  function except() {
> > > >  case $1 in
> > > >      selinux_file_context_cmp) # ignore @@ -15,10 +17,22 @@ echo "
> > > >  ;;
> > > >  esac
> > > >  }
> > > > -if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux
> > > > < ../include/selinux/selinux.h
> > > > +
> > > > +# Make sure that selinux.h is included first in order not to depend
> > > > +on the order # in which "#include <selinux/selinux.h>" appears in other files.
> > > > +FILE_LIST=(
> > > > +    ../include/selinux/selinux.h
> > > > +    ../include/selinux/avc.h
> > > > +    ../include/selinux/context.h
> > > > +    ../include/selinux/get_context_list.h
> > > > +    ../include/selinux/get_default_type.h
> > > > +    ../include/selinux/label.h
> > > > +    ../include/selinux/restorecon.h
> > > > +)
> > > > +if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o
> > > > +temp.o - -aux-info temp.aux
> > > >  then
> > > >      # clang does not support -aux-info so fall back to gcc
> > > > -    gcc -x c -c -I../include -o temp.o - -aux-info temp.aux <
> > ../include/selinux/selinux.h
> > > > +    cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o -
> > > > + -aux-info temp.aux
> > > >  fi
> > > >  for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do
> > > > except $i ; done  rm -f -- temp.aux temp.o diff --git
> > > > a/libselinux/src/selinuxswig_python_exception.i
> > > > b/libselinux/src/selinuxswig_python_exception.i
> > > > index cf6582595ee7..9f1f86a5564d 100644
> > > > --- a/libselinux/src/selinuxswig_python_exception.i
> > > > +++ b/libselinux/src/selinuxswig_python_exception.i
> > > > @@ -952,3 +952,399 @@
> > > >    }
> > > >  }
> > > >
> > > > +
> > > > +%exception avc_sid_to_context {
> > > > +  $action
> > > > +  if (result < 0) {
> > > > +     PyErr_SetFromErrno(PyExc_OSError);
> > > > +     SWIG_fail;
> > > > +  }
> > > > +}
> > > > +
> > > > +
> > > > +%exception avc_sid_to_context_raw {
> > > > +  $action
> > > > +  if (result < 0) {
> > > > +     PyErr_SetFromErrno(PyExc_OSError);
> > > > +     SWIG_fail;
> > > > +  }
> > > > +}
> > [...]
> > >
> > > A few comments:
> > > - overall looks fine, builds and works as expected.
> > > - Why the double newline space on the exception swig file? The other
> > > .i files seem to do a single newline?
> > >   is there something I am missing with syntax?
> > > - I have the following whitespace warning:
> > > Applying: libselinux: add missing glue code to grab errno in Python
> > > bindings
> > > .git/rebase-apply/patch:444: new blank line at EOF.
> > > +
> > > warning: 1 line adds whitespace errors.
> >
> > The last two points are due to the way the file is generated, by exception.sh:
> >
> > echo "
> > %exception $1 {
> >   \$action
> >   if (result < 0) {
> >      PyErr_SetFromErrno(PyExc_OSError);
> >      SWIG_fail;
> >   }
> > }
> > "
> > ... this introduces blank lines both before and after each exception block. We
> > could remove the one after the block by using }" in the shell script. I will submit a
> > patch that does this once this patch is merged, as this makes the file cleaner.
>
> WFM. Thanks for fixing this, I used the python bindings eons ago and remember
> being frustrated I didn't get really good errors.
>
> Acked-by: William Roberts <william.c.roberts@intel.com>

Merged:
https://github.com/SELinuxProject/selinux/pull/221
