checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors.

When the lexer encounters an unexpected character in a policy source file, it prints a warning, discards the character and moves on. In some build environments, these characters could be a symptom of an earlier problem, such as unintended results of expansion of preprocessor macros, and the ability to have the compiler halt on such issues would be helpful for diagnosis. Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-03-05 13:40:34 -05:00 · 2020-03-05 13:40:34 -05:00 · 62a91d7d71
commit 62a91d7d71
parent 692716fc5f
5 changed files with 25 additions and 4 deletions
--- a/checkpolicy/checkmodule.8
+++ b/checkpolicy/checkmodule.8
@ -28,6 +28,9 @@ module file.  This option is a development/debugging aid.
 .B \-C,\-\-cil
 Write CIL policy file rather than binary policy file.
 .TP
+.B \-E,\-\-werror
+Treat warnings as errors
+.TP
 .B \-h,\-\-help
 Print usage.
 .TP
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@ -41,6 +41,7 @@ extern int optind;
 static sidtab_t sidtab;

 extern int mlspol;
+extern int werror;

 static int handle_unknown = SEPOL_DENY_UNKNOWN;
 static const char *txtfile = "policy.conf";
@ -126,7 +127,7 @@ static int write_binary_policy(policydb_t * p, FILE *outfp)

 static __attribute__((__noreturn__)) void usage(const char *progname)
 {
-	printf("usage:  %s [-h] [-V] [-b] [-C] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+	printf("usage:  %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
 	printf("Build base and policy modules.\n");
 	printf("Options:\n");
 	printf("  INPUT      build module from INPUT (else read from \"%s\")\n",
@ -134,6 +135,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 	printf("  -V         show policy versions created by this program\n");
 	printf("  -b         treat input as a binary policy file\n");
 	printf("  -C         output CIL policy instead of binary policy\n");
+	printf("  -E         treat warnings as errors\n");
 	printf("  -h         print usage\n");
 	printf("  -U OPTION  How to handle unknown classes and permissions\n");
 	printf("               deny: Deny unknown kernel checks\n");
@ -162,10 +164,11 @@ int main(int argc, char **argv)
 		{"handle-unknown", required_argument, NULL, 'U'},
 		{"mls", no_argument, NULL, 'M'},
 		{"cil", no_argument, NULL, 'C'},
+		{"werror", no_argument, NULL, 'E'},
 		{NULL, 0, NULL, 0}
 	};

-	while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) {
+	while ((ch = getopt_long(argc, argv, "ho:bVEU:mMCc:", long_options, NULL)) != -1) {
 		switch (ch) {
 		case 'h':
 			usage(argv[0]);
@ -180,6 +183,9 @@ int main(int argc, char **argv)
 		case 'V':
 			show_version = 1;
 			break;
+		case 'E':
+			werror = 1;
+			break;
 		case 'U':
 			if (!strcasecmp(optarg, "deny")) {
 				handle_unknown = DENY_UNKNOWN;
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@ -53,6 +53,9 @@ Specify the target platform (selinux or xen).
 .B \-O,\-\-optimize
 Optimize the final kernel policy (remove redundant rules).
 .TP
+.B \-E,\-\-werror
+Treat warnings as errors
+.TP
 .B \-V,\-\-version
 Show version information.
 .TP
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@ -101,6 +101,7 @@ static sidtab_t sidtab;

 extern policydb_t *policydbp;
 extern int mlspol;
+extern int werror;

 static int handle_unknown = SEPOL_DENY_UNKNOWN;
 static const char *txtfile = "policy.conf";
@ -113,7 +114,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 	printf
 	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
 	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
-	     "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
+	     "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
 }
@ -421,11 +422,12 @@ int main(int argc, char **argv)
 		{"conf",no_argument, NULL, 'F'},
 		{"sort", no_argument, NULL, 'S'},
 		{"optimize", no_argument, NULL, 'O'},
+		{"werror", no_argument, NULL, 'E'},
 		{"help", no_argument, NULL, 'h'},
 		{NULL, 0, NULL, 0}
 	};

-	while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:Oh", long_options, NULL)) != -1) {
+	while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:OEh", long_options, NULL)) != -1) {
 		switch (ch) {
 		case 'o':
 			outfile = optarg;
@ -504,6 +506,9 @@ int main(int argc, char **argv)
 					policyvers = n;
 				break;
 			}
+		case 'E':
+			 werror = 1;
+			 break;
 		case 'h':
 		default:
 			usage(argv[0]);
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@ -36,6 +36,7 @@ typedef int (* require_func_t)(void);

 static char linebuf[2][255];
 static unsigned int lno = 0;
+int werror = 0;
 int yywarn(const char *msg);

 void set_source_file(const char *name);
@ -310,6 +311,9 @@ int yyerror(const char *msg)

 int yywarn(const char *msg)
 {
+	if (werror)
+		return yyerror(msg);
+
 	if (source_file[0])
 		fprintf(stderr, "%s:%ld:",
 			source_file, source_lineno);