SELinuxTypeEnforcement: new parser

Signed-off-by: Masatake YAMATO <[email protected]>

Tmain/list-map-extensions.d/stdout-expected.txt

@@ -1,9 +1,9 @@
 ## all|grep LdScript
-#LANGUAGE           EXTENSION
-LdScript            lds
-LdScript            scr
-LdScript            ld
-LdScript            ldi
+#LANGUAGE               EXTENSION
+LdScript                lds
+LdScript                scr
+LdScript                ld
+LdScript                ldi
 ## LdScript
 #EXTENSION
 lds

Units/parser-selinux-type-enforcement.r/modules.d/args.ctags

@@ -0,0 +1 @@
+--sort=no

Units/parser-selinux-type-enforcement.r/modules.d/expected.tags

@@ -0,0 +1,2 @@
+bind	input.te	/^module bind 1.0.0;$/;"	m
+bootloader	input-0.te	/^policy_module(bootloader, 1.14.0)$/;"	m

Units/parser-selinux-type-enforcement.r/modules.d/input-0.te

@@ -0,0 +1,2 @@
+# selinux-policy-0113b35519369e628e7fcd87af000cfcd4b1fa6c/policy/modules/admin/bootloader.te
+policy_module(bootloader, 1.14.0)

Units/parser-selinux-type-enforcement.r/modules.d/input.te

@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux-notebook/blob/main/src/modular_policy_statements.md#modular-policy-support-statements
+module bind 1.0.0;

Units/parser-selinux-type-enforcement.r/simple.d/args.ctags

@@ -0,0 +1 @@
+--sort=no

Units/parser-selinux-type-enforcement.r/simple.d/expected.tags

@@ -0,0 +1,26 @@
+dbus	input.te	/^policy_module(dbus, 1.19.0)$/;"	m
+dbusd_unconfined	input.te	/^attribute dbusd_unconfined;$/;"	T
+system_bus_type	input.te	/^attribute system_bus_type;$/;"	T
+dbusd_etc_t	input.te	/^type dbusd_etc_t;$/;"	t
+dbusd_exec_t	input.te	/^type dbusd_exec_t;$/;"	t
+system_dbusd_exec_t	input.te	/^typealias dbusd_exec_t alias system_dbusd_exec_t;$/;"	a
+session_dbusd_tmp_t	input.te	/^type session_dbusd_tmp_t;$/;"	t
+user_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
+staff_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
+sysadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };$/;"	a
+auditadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a
+secadm_dbusd_tmp_t	input.te	/^typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };$/;"	a
+system_r	input.te	/^role system_r types system_bus_type;$/;"	r
+git_sys_content_t	input.te	/^type git_sys_content_t alias git_system_content_t;$/;"	t
+git_system_content_t	input.te	/^type git_sys_content_t alias git_system_content_t;$/;"	a
+kmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	t
+update_modules_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
+depmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
+insmod_t	input.te	/^type kmod_t alias { update_modules_t depmod_t insmod_t };$/;"	a
+system_r	input.te	/^role system_r types anaconda_t;$/;"	r
+install_roles	input.te	/^attribute_role install_roles;$/;"	R
+antivirus_can_scan_system	input.te	/^gen_tunable(antivirus_can_scan_system, false)$/;"	b
+secure_mode_insmod	input.te	/^gen_bool(secure_mode_insmod, false)$/;"	b
+allow_daemons_use_tty	input.te	/^bool allow_daemons_use_tty true;$/;"	b
+xguest_u	input.te	/^gen_user(xguest_u, user, xguest_r, s0, s0)$/;"	u
+sysadm_u	input.te	/^user sysadm_u roles { sysadm_r } level s0 range s0-s15:c0.c255;$/;"	u

Units/parser-selinux-type-enforcement.r/simple.d/input.te

@@ -0,0 +1,58 @@
+#
+# Derrived from policy/modules/contrib/dbus.te
+#
+policy_module(dbus, 1.19.0)
+
+gen_require(`
+	class dbus all_dbus_perms;
+')
+
+##############################
+#
+# Delcarations
+#
+
+attribute dbusd_unconfined;
+attribute system_bus_type;
+
+type dbusd_etc_t;
+files_config_file(dbusd_etc_t)
+
+type dbusd_exec_t;
+corecmd_executable_file(dbusd_exec_t)
+typealias dbusd_exec_t alias system_dbusd_exec_t;
+
+type session_dbusd_tmp_t;
+typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
+typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
+userdom_user_tmp_file(session_dbusd_tmp_t)
+
+# ...
+
+########################################
+#
+# system_bus_type rules
+#
+role system_r types system_bus_type;
+dontaudit system_bus_type self:capability net_admin;
+
+# The next one should not be tagged.
+gen_require(`
+    type ssh_keygen_t;
+')
+
+
+type git_sys_content_t alias git_system_content_t;
+type kmod_t alias { update_modules_t depmod_t insmod_t };
+
+role system_r types anaconda_t;
+attribute_role install_roles;
+roleattribute system_r install_roles;
+
+gen_tunable(antivirus_can_scan_system, false)
+gen_bool(secure_mode_insmod, false)
+
+bool allow_daemons_use_tty true;
+
+gen_user(xguest_u, user, xguest_r, s0, s0)
+user sysadm_u roles { sysadm_r } level s0 range s0-s15:c0.c255;

docs/news/HEAD.rst

@@ -34,6 +34,7 @@ New parsers
 * TOML *peg/packcc*
 * Cargo *TOML based subparser*
 * SELinuxIntefae *M4 based subparser*
+* SELinuxTypeEnforcement *optlib*
 
 Changes about parser specific kinds, roles, fields, and extras
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

main/parsers_p.h

@@ -171,6 +171,7 @@
 	SchemeParser, \
 	SCSSParser, \
 	SELinuxInterfaceParser, \
+	SELinuxTypeEnforcementParser, \
 	ShParser, \
 	SlangParser, \
 	SmlParser, \

optlib/selinux-type-enforcement.c

@@ -0,0 +1,177 @@
+/*
+ * Generated by ./misc/optlib2c from optlib/selinux-type-enforcement.ctags, Don't edit this manually.
+ */
+#include "general.h"
+#include "parse.h"
+#include "routines.h"
+#include "field.h"
+#include "xtag.h"
+
+
+static void initializeSELinuxTypeEnforcementParser (const langType language)
+{
+
+	addLanguageRegexTable (language, "main");
+	addLanguageRegexTable (language, "typedef");
+	addLanguageRegexTable (language, "alias");
+	addLanguageRegexTable (language, "compoundalias");
+	addLanguageRegexTable (language, "lit");
+
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^#[^\n]*",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^[[:space:]]+",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^`",
+	                               "", "", "{tenter=lit}", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^[^pmtarbgu[:space:]][a-zA-Z0-9_]*",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^policy_module\\([[:blank:]]*([^,[:space:]\\)]+)[^\\)]*\\)",
+	                               "\\1", "m", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^module[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;",
+	                               "\\1", "m", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^type[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*",
+	                               "\\1", "t", "{tenter=typedef}", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^typealias[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*",
+	                               "", "", "{tenter=typedef}", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^attribute[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;",
+	                               "\\1", "T", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^role[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;",
+	                               "\\1", "r", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^attribute_role[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;",
+	                               "\\1", "R", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^bool[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;",
+	                               "\\1", "b", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^gen_(tunable|bool)\\([[:blank:]]*([^,[:space:]\\)]+)[^\\)]*\\)",
+	                               "\\2", "b", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^user[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;",
+	                               "\\1", "u", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^gen_user\\([[:blank:]]*([^,[:space:]\\)]+)[^\\)]*\\)",
+	                               "\\1", "u", "", NULL);
+	addLanguageTagMultiTableRegex (language, "main",
+	                               "^.",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "typedef",
+	                               "^[[:space:]]+",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "typedef",
+	                               "^alias[[:space:]]+",
+	                               "", "", "{tenter=alias}", NULL);
+	addLanguageTagMultiTableRegex (language, "typedef",
+	                               "^;",
+	                               "", "", "{tleave}", NULL);
+	addLanguageTagMultiTableRegex (language, "typedef",
+	                               "^.",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "alias",
+	                               "^[[:space:]]+",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "alias",
+	                               "^([a-zA-Z0-9_]+)[[:space:]]*",
+	                               "\\1", "a", "{tleave}", NULL);
+	addLanguageTagMultiTableRegex (language, "alias",
+	                               "^\\{[[:space:]]*",
+	                               "", "", "{tenter=compoundalias}", NULL);
+	addLanguageTagMultiTableRegex (language, "alias",
+	                               "^\\}[[:space:]]*",
+	                               "", "", "{tleave}", NULL);
+	addLanguageTagMultiTableRegex (language, "alias",
+	                               "^.",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "compoundalias",
+	                               "^[[:space:]]+",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "compoundalias",
+	                               "^([a-zA-Z0-9_]+)[[:space:]]*",
+	                               "\\1", "a", "", NULL);
+	addLanguageTagMultiTableRegex (language, "compoundalias",
+	                               "^\\}[[:space:]]*",
+	                               "", "", "{tleave}{_advanceTo=0start}", NULL);
+	addLanguageTagMultiTableRegex (language, "compoundalias",
+	                               "^.",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "lit",
+	                               "^[^'`]+",
+	                               "", "", "", NULL);
+	addLanguageTagMultiTableRegex (language, "lit",
+	                               "^'",
+	                               "", "", "{tleave}", NULL);
+	addLanguageTagMultiTableRegex (language, "lit",
+	                               "^`",
+	                               "", "", "{tenter=lit}", NULL);
+	addLanguageTagMultiTableRegex (language, "lit",
+	                               "^.",
+	                               "", "", "", NULL);
+}
+
+extern parserDefinition* SELinuxTypeEnforcementParser (void)
+{
+	static const char *const extensions [] = {
+		"te",
+		NULL
+	};
+
+	static const char *const aliases [] = {
+		NULL
+	};
+
+	static const char *const patterns [] = {
+		NULL
+	};
+
+	static kindDefinition SELinuxTypeEnforcementKindTable [] = {
+		{
+		  true, 'm', "module", "policy modules",
+		},
+		{
+		  true, 't', "type", "types",
+		},
+		{
+		  true, 'a', "alias", "type aliases",
+		},
+		{
+		  true, 'T', "attr", "type attributes",
+		},
+		{
+		  true, 'r', "role", "roles",
+		},
+		{
+		  true, 'R', "rattr", "role attributes",
+		},
+		{
+		  true, 'b', "tunable", "tunables",
+		},
+		{
+		  true, 'u', "user", "users",
+		},
+	};
+
+	parserDefinition* const def = parserNew ("SELinuxTypeEnforcement");
+
+	def->versionCurrent= 0;
+	def->versionAge    = 0;
+	def->enabled       = true;
+	def->extensions    = extensions;
+	def->patterns      = patterns;
+	def->aliases       = aliases;
+	def->method        = METHOD_NOT_CRAFTED|METHOD_REGEX;
+	def->kindTable     = SELinuxTypeEnforcementKindTable;
+	def->kindCount     = ARRAY_SIZE(SELinuxTypeEnforcementKindTable);
+	def->initialize    = initializeSELinuxTypeEnforcementParser;
+
+	return def;
+}

optlib/selinux-type-enforcement.ctags

@@ -0,0 +1,88 @@
+#
+#  Copyright (c) 2025 Red Hat, Inc.
+#  Copyright (c) 2025 Masatake YAMATO
+#
+#  This source code is released for free distribution under the terms of the
+#  GNU General Public License version 2 or (at your opinion) any later version.
+#
+#  This module contains functions for generating tags for *.te files in SELinux policy definitions:
+#
+#  https://github.com/SELinuxProject/selinux-notebook/blob/main/src/kernel_policy_language.md#kernel-policy-language
+#
+--langdef=SELinuxTypeEnforcement
+--map-SELinuxTypeEnforcement=+.te
+
+--kinddef-SELinuxTypeEnforcement=m,module,policy modules
+--kinddef-SELinuxTypeEnforcement=t,type,types
+--kinddef-SELinuxTypeEnforcement=a,alias,type aliases
+--kinddef-SELinuxTypeEnforcement=T,attr,type attributes
+--kinddef-SELinuxTypeEnforcement=r,role,roles
+--kinddef-SELinuxTypeEnforcement=R,rattr,role attributes
+--kinddef-SELinuxTypeEnforcement=b,tunable,tunables
+--kinddef-SELinuxTypeEnforcement=u,user,users
+# TODO: sensitivity, category, sid, class
+
+--_tabledef-SELinuxTypeEnforcement=main
+--_tabledef-SELinuxTypeEnforcement=typedef
+--_tabledef-SELinuxTypeEnforcement=alias
+--_tabledef-SELinuxTypeEnforcement=compoundalias
+--_tabledef-SELinuxTypeEnforcement=lit
+
+#
+# main
+#
+--_mtable-regex-SELinuxTypeEnforcement=main/#[^\n]*//
+--_mtable-regex-SELinuxTypeEnforcement=main/[[:space:]]+//
+--_mtable-regex-SELinuxTypeEnforcement=main/`//{tenter=lit}
+--_mtable-regex-SELinuxTypeEnforcement=main/[^pmtarbgu[:space:]][a-zA-Z0-9_]*//
+
+--_mtable-regex-SELinuxTypeEnforcement=main/policy_module\([[:blank:]]*([^,[:space:]\)]+)[^\)]*\)/\1/m/
+--_mtable-regex-SELinuxTypeEnforcement=main/module[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/m/
+
+ --_mtable-regex-SELinuxTypeEnforcement=main/type[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*/\1/t/{tenter=typedef}
+--_mtable-regex-SELinuxTypeEnforcement=main/typealias[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*//{tenter=typedef}
+--_mtable-regex-SELinuxTypeEnforcement=main/attribute[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/T/
+
+--_mtable-regex-SELinuxTypeEnforcement=main/role[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/r/
+--_mtable-regex-SELinuxTypeEnforcement=main/attribute_role[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/R/
+
+--_mtable-regex-SELinuxTypeEnforcement=main/bool[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/b/
+--_mtable-regex-SELinuxTypeEnforcement=main/gen_(tunable|bool)\([[:blank:]]*([^,[:space:]\)]+)[^\)]*\)/\2/b/
+
+--_mtable-regex-SELinuxTypeEnforcement=main/user[[:blank:]]+([a-zA-Z0-9_]+)[[:blank:]]*[^;]*;/\1/u/
+--_mtable-regex-SELinuxTypeEnforcement=main/gen_user\([[:blank:]]*([^,[:space:]\)]+)[^\)]*\)/\1/u/
+
+--_mtable-regex-SELinuxTypeEnforcement=main/.//
+
+#
+# typedef
+#
+--_mtable-regex-SELinuxTypeEnforcement=typedef/[[:space:]]+//
+--_mtable-regex-SELinuxTypeEnforcement=typedef/alias[[:space:]]+//{tenter=alias}
+--_mtable-regex-SELinuxTypeEnforcement=typedef/;//{tleave}
+--_mtable-regex-SELinuxTypeEnforcement=typedef/.//
+
+#
+# alias
+#
+--_mtable-regex-SELinuxTypeEnforcement=alias/[[:space:]]+//
+--_mtable-regex-SELinuxTypeEnforcement=alias/([a-zA-Z0-9_]+)[[:space:]]*/\1/a/{tleave}
+--_mtable-regex-SELinuxTypeEnforcement=alias/\{[[:space:]]*//{tenter=compoundalias}
+--_mtable-regex-SELinuxTypeEnforcement=alias/\}[[:space:]]*//{tleave}
+--_mtable-regex-SELinuxTypeEnforcement=alias/.//
+
+#
+# compoundalias
+#
+--_mtable-regex-SELinuxTypeEnforcement=compoundalias/[[:space:]]+//
+--_mtable-regex-SELinuxTypeEnforcement=compoundalias/([a-zA-Z0-9_]+)[[:space:]]*/\1/a/
+--_mtable-regex-SELinuxTypeEnforcement=compoundalias/\}[[:space:]]*//{tleave}{_advanceTo=0start}
+--_mtable-regex-SELinuxTypeEnforcement=compoundalias/.//
+
+#
+# lit
+#
+--_mtable-regex-SELinuxTypeEnforcement=lit/[^'`]+//
+--_mtable-regex-SELinuxTypeEnforcement=lit/'//{tleave}
+--_mtable-regex-SELinuxTypeEnforcement=lit/`//{tenter=lit}
+--_mtable-regex-SELinuxTypeEnforcement=lit/.//