diff mbox series

[v2,3/3] libsepol: Improve writing CIL category rules

Message ID 20200522145513.194440-3-jwcart2@gmail.com (mailing list archive)
State Accepted
Headers show
Series [v2,1/3] libsepol: Write CIL default MLS rules on separate lines | expand

Commit Message

James Carter May 22, 2020, 2:55 p.m. UTC 
Improves writing of CIL category rules when converting MLS kernel
policy to CIL. No changes to functionality, but eliminate useless
checks for category aliases when using the p_cat_val_to_name array,
find the actual number of aliases before allocating memory, and
skip the category alias rules if there are no aliases.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
v2: Add "__attribute__((unused))" to unused parameters as suggested by
    Nicolas Iooss

 libsepol/src/kernel_to_cil.c | 59 ++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 30 deletions(-)

Comments

Stephen Smalley May 27, 2020, 4:44 p.m. UTC | #1 
On Fri, May 22, 2020 at 10:58 AM James Carter <jwcart2@gmail.com> wrote:
>
> Improves writing of CIL category rules when converting MLS kernel
> policy to CIL. No changes to functionality, but eliminate useless
> checks for category aliases when using the p_cat_val_to_name array,
> find the actual number of aliases before allocating memory, and
> skip the category alias rules if there are no aliases.
>
> Signed-off-by: James Carter <jwcart2@gmail.com>

This series looks fine to me but do you have a test case that exercises it?
James Carter May 27, 2020, 5:20 p.m. UTC | #2 
On Wed, May 27, 2020 at 12:44 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, May 22, 2020 at 10:58 AM James Carter <jwcart2@gmail.com> wrote:
> >
> > Improves writing of CIL category rules when converting MLS kernel
> > policy to CIL. No changes to functionality, but eliminate useless
> > checks for category aliases when using the p_cat_val_to_name array,
> > find the actual number of aliases before allocating memory, and
> > skip the category alias rules if there are no aliases.
> >
> > Signed-off-by: James Carter <jwcart2@gmail.com>
>
> This series looks fine to me but do you have a test case that exercises it?

See attached.
Stephen Smalley May 27, 2020, 7:23 p.m. UTC | #3 
On Wed, May 27, 2020 at 1:20 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, May 27, 2020 at 12:44 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Fri, May 22, 2020 at 10:58 AM James Carter <jwcart2@gmail.com> wrote:
> > >
> > > Improves writing of CIL category rules when converting MLS kernel
> > > policy to CIL. No changes to functionality, but eliminate useless
> > > checks for category aliases when using the p_cat_val_to_name array,
> > > find the actual number of aliases before allocating memory, and
> > > skip the category alias rules if there are no aliases.
> > >
> > > Signed-off-by: James Carter <jwcart2@gmail.com>
> >
> > This series looks fine to me but do you have a test case that exercises it?
>
> See attached.

Ok we should likely try to move some of these out of tree tests into
the set of tests exercised by
make test in libsepol or checkpolicy or secilc and thereby get them
regression tested by travis-ci.

Regardless, for this series,
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Stephen Smalley May 29, 2020, 12:58 p.m. UTC | #4 
On Wed, May 27, 2020 at 3:23 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, May 27, 2020 at 1:20 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > On Wed, May 27, 2020 at 12:44 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Fri, May 22, 2020 at 10:58 AM James Carter <jwcart2@gmail.com> wrote:
> > > >
> > > > Improves writing of CIL category rules when converting MLS kernel
> > > > policy to CIL. No changes to functionality, but eliminate useless
> > > > checks for category aliases when using the p_cat_val_to_name array,
> > > > find the actual number of aliases before allocating memory, and
> > > > skip the category alias rules if there are no aliases.
> > > >
> > > > Signed-off-by: James Carter <jwcart2@gmail.com>
> > >
> > > This series looks fine to me but do you have a test case that exercises it?
> >
> > See attached.
>
> Ok we should likely try to move some of these out of tree tests into
> the set of tests exercised by
> make test in libsepol or checkpolicy or secilc and thereby get them
> regression tested by travis-ci.
>
> Regardless, for this series,
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Applied.
diff mbox series

Patch

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index b84da3e5..36c6c682 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -886,6 +886,17 @@  exit:
 	return rc;
 }
 
+static int map_count_category_aliases(__attribute__((unused)) char *key, void *data, void *args)
+{
+	cat_datum_t *cat = data;
+	unsigned *count = args;
+
+	if (cat->isalias)
+		(*count)++;
+
+	return SEPOL_OK;
+}
+
 static int map_category_aliases_to_strs(char *key, void *data, void *args)
 {
 	cat_datum_t *cat = data;
@@ -903,26 +914,13 @@  static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 {
 	cat_datum_t *cat;
 	char *prev, *name, *actual;
-	struct strs *strs;
-	unsigned i, num;
+	struct strs *strs = NULL;
+	unsigned i, num = 0;
 	int rc = 0;
 
-	rc = strs_init(&strs, pdb->p_levels.nprim);
-	if (rc != 0) {
-		goto exit;
-	}
-
 	/* categories */
 	for (i=0; i < pdb->p_cats.nprim; i++) {
 		name = pdb->p_cat_val_to_name[i];
-		if (!name) continue;
-		cat = hashtab_search(pdb->p_cats.table, name);
-		if (!cat) {
-			rc = -1;
-			goto exit;
-		}
-		if (cat->isalias) continue;
-
 		sepol_printf(out, "(category %s)\n", name);
 	}
 
@@ -931,14 +929,6 @@  static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 	prev = NULL;
 	for (i=0; i < pdb->p_cats.nprim; i++) {
 		name = pdb->p_cat_val_to_name[i];
-		if (!name) continue;
-		cat = hashtab_search(pdb->p_cats.table, name);
-		if (!cat) {
-			rc = -1;
-			goto exit;
-		}
-		if (cat->isalias) continue;
-
 		if (prev) {
 			sepol_printf(out, "%s ", prev);
 		}
@@ -949,6 +939,22 @@  static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 	}
 	sepol_printf(out, "))\n");
 
+	rc = hashtab_map(pdb->p_cats.table, map_count_category_aliases, &num);
+	if (rc != 0) {
+		goto exit;
+	}
+
+	if (num == 0) {
+		/* No aliases, so skip category alias rules */
+		rc = 0;
+		goto exit;
+	}
+
+	rc = strs_init(&strs, num);
+	if (rc != 0) {
+		goto exit;
+	}
+
 	rc = hashtab_map(pdb->p_cats.table, map_category_aliases_to_strs, strs);
 	if (rc != 0) {
 		goto exit;
@@ -956,16 +962,9 @@  static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 
 	strs_sort(strs);
 
-	num = strs_num_items(strs);
-
 	/* category aliases */
 	for (i=0; i < num; i++) {
 		name = strs_read_at_index(strs, i);
-		cat = hashtab_search(pdb->p_cats.table, name);
-		if (!cat) {
-			rc = -1;
-			goto exit;
-		}
 		sepol_printf(out, "(categoryalias %s)\n", name);
 	}