* [PATCH] cil_reference_guide: update specification for valid symbols
@ 2026-04-13 17:40 Rahul Sandhu
  2026-05-13 15:03 ` James Carter
  0 siblings, 1 reply; 3+ messages in thread
From: Rahul Sandhu @ 2026-04-13 17:40 UTC
  To: selinux; +Cc: Rahul Sandhu

Currently, the specification has a very limited character set of valid
symbols. This does not reflect what libsepol (and by extension secilc as
well) accepts, as can be seen both in spec_char's definition[1], which
symbol is comprised of along with digit and alpha, and with some basic
demonstration (note cil-policy.cil refers to the example CIL minimum
viable policy provided by the SELinux notebook[2] such that the example
is not polluted with SID declarations, policy caps, and other fluff):

  carbon ~ # cat <<'EOF' >mytest.cil
  (filecon /[].@=/*-_$%+-!|&^:~`#{}'<>?, any ())
  EOF
  carbon ~ # secilc mytest.cil cil-policy.cil
  carbon ~ # echo $?
  0

As can be seen above, secilc is perfectly happy to accept a variety of
characters which are not valid in the specification. Whilst the above
example does NOT use valid filecon regex, which libsemanage will later
complain about, that does not matter for the purpose of demonstration:
a symbol pertains ONLY to what is valid in the language grammar as an
unquoted string, not what is valid for the filecon statement.

It should be noted as well that this patch drops the backslash symbol,
'\'. The libsepol definition of spec_char omits it and this can also be
seen in practice:

  carbon ~ # cat <<'EOF' >mytest.cil
  (filecon /\. any ())
  EOF
  carbon ~ # secilc mytest.cil cil-policy.cil
  Invalid token '\' at line 1 of mytest.cil
  Failure adding mytest.cil

As such, no consumers should be impacted by its removal from the spec.
It also does not seem like a grave omission, so it's probably best to
just drop it from the spec.

[1] https://github.com/SELinuxProject/selinux/blob/6be1ec3792c11040fd7a3ecb1135e54418eb0d57/libsepol/cil/src/cil_lexer.l#L48
[2] https://github.com/SELinuxProject/selinux-notebook/blob/9888b84b8e76c18c6141812d7ffd9b3e2fad6f9e/src/notebook-examples/cil-policy/cil-policy.cil

Signed-off-by: Rahul Sandhu <nvraxn@posteo.uk>
---
 secilc/docs/cil_reference_guide.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
index bcd34b68..af883232 100644
--- a/secilc/docs/cil_reference_guide.md
+++ b/secilc/docs/cil_reference_guide.md
@@ -93,7 +93,7 @@ Definitions may be repeated many times throughout the policy. Duplicates will re
 Symbol Character Set
 --------------------
 
-Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `\.=/-_$%@+!|&^:`
+Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `` [].@=/*-_$%+-!|&^:~`#{}'<>?, ``
 
 However symbols are checked for any specific character set limitations, for example:
 
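Review bot: The special-character list on the added line contains `-` twice (once in `/*-_` and again in `+-!`); drop the duplicate so the list reads as a set of distinct characters. Because the list now opens with `[]` and contains `*`, `?` and `{}`, a reader can mistake it for a regex character class, so consider stating that every character is a literal, or separating the characters with spaces. The trailing `,` followed by a space before the closing backticks also leaves it unclear whether the comma is part of the set; a short sentence naming the less obvious members (comma, backtick, single quote) would settle that. The removal of `\` is consistent with the secilc "Invalid token" output quoted in the commit message.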
-- 
2.53.0


Thread overview: 3+ messages
2026-04-13 17:40 [PATCH] cil_reference_guide: update specification for valid symbols Rahul Sandhu
2026-05-13 15:03 ` James Carter
2026-05-15 14:04   ` Petr Lautrbach
