
[1/2] libsepol: do not write empty class definitions

Message ID 20230105171340.18444-1-cgzones@googlemail.com (mailing list archive)
State Accepted, archived

Commit Message

Christian Göttsche Jan. 5, 2023, 5:13 p.m. UTC
Do not write class definitions for classes without any permission and
any inherited common class.  The classes are already declared in
write_class_decl_rules_to_conf().  Skipping those empty definitions,
which are equal to the corresponding class declarations, will make it
possible to parse the generated policy conf file with checkpolicy, as
checkpolicy does not accept class declarations after initial sid declarations.

This will enable simple round-trip tests with checkpolicy.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/src/kernel_to_conf.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

Comments

James Carter Jan. 10, 2023, 3:27 p.m. UTC | #1
On Thu, Jan 5, 2023 at 12:27 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Do not write class definitions for classes without any permission and
> any inherited common class.  The classes are already declared in
> write_class_decl_rules_to_conf().  Skipping those empty definitions,
> which are equal to the corresponding class declarations, will enable to
> parse the generated policy conf file with checkpolicy, as checkpolicy
> does not accept class declarations after initial sid declarations.
>
> This will enable simple round-trip tests with checkpolicy.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsepol/src/kernel_to_conf.c | 21 +++++++++++++--------
>  1 file changed, 13 insertions(+), 8 deletions(-)
>
> diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> index 63dffd9b..73b72b5d 100644
> --- a/libsepol/src/kernel_to_conf.c
> +++ b/libsepol/src/kernel_to_conf.c
> @@ -591,16 +591,21 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb)
>                 class = pdb->class_val_to_struct[i];
>                 if (!class) continue;
>                 name = pdb->p_class_val_to_name[i];
> -               sepol_printf(out, "class %s", name);
> -               if (class->comkey) {
> -                       sepol_printf(out, " inherits %s", class->comkey);
> -               }
>                 perms = class_or_common_perms_to_str(&class->permissions);
> -               if (perms) {
> -                       sepol_printf(out, " { %s }", perms);
> -                       free(perms);
> +               /* Do not write empty classes, their declaration was alreedy
> +                * printed in write_class_decl_rules_to_conf() */
> +               if (perms || class->comkey) {
> +                       sepol_printf(out, "class %s", name);
> +                       if (class->comkey) {
> +                               sepol_printf(out, " inherits %s", class->comkey);
> +                       }
> +
> +                       if (perms) {
> +                               sepol_printf(out, " { %s }", perms);
> +                               free(perms);
> +                       }
> +                       sepol_printf(out, "\n");
>                 }
> -               sepol_printf(out, "\n");
>         }
>
>  exit:
> --
> 2.39.0
>
James Carter Jan. 11, 2023, 3:53 p.m. UTC | #2
On Tue, Jan 10, 2023 at 10:27 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Thu, Jan 5, 2023 at 12:27 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Do not write class definitions for classes without any permission and
> > any inherited common class.  The classes are already declared in
> > write_class_decl_rules_to_conf().  Skipping those empty definitions,
> > which are equal to the corresponding class declarations, will enable to
> > parse the generated policy conf file with checkpolicy, as checkpolicy
> > does not accept class declarations after initial sid declarations.
> >
> > This will enable simple round-trip tests with checkpolicy.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Merged.
Thanks,
Jim

> > ---
> >  libsepol/src/kernel_to_conf.c | 21 +++++++++++++--------
> >  1 file changed, 13 insertions(+), 8 deletions(-)
> >
> > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> > index 63dffd9b..73b72b5d 100644
> > --- a/libsepol/src/kernel_to_conf.c
> > +++ b/libsepol/src/kernel_to_conf.c
> > @@ -591,16 +591,21 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb)
> >                 class = pdb->class_val_to_struct[i];
> >                 if (!class) continue;
> >                 name = pdb->p_class_val_to_name[i];
> > -               sepol_printf(out, "class %s", name);
> > -               if (class->comkey) {
> > -                       sepol_printf(out, " inherits %s", class->comkey);
> > -               }
> >                 perms = class_or_common_perms_to_str(&class->permissions);
> > -               if (perms) {
> > -                       sepol_printf(out, " { %s }", perms);
> > -                       free(perms);
> > +               /* Do not write empty classes, their declaration was alreedy
> > +                * printed in write_class_decl_rules_to_conf() */
> > +               if (perms || class->comkey) {
> > +                       sepol_printf(out, "class %s", name);
> > +                       if (class->comkey) {
> > +                               sepol_printf(out, " inherits %s", class->comkey);
> > +                       }
> > +
> > +                       if (perms) {
> > +                               sepol_printf(out, " { %s }", perms);
> > +                               free(perms);
> > +                       }
> > +                       sepol_printf(out, "\n");
> >                 }
> > -               sepol_printf(out, "\n");
> >         }
> >
> >  exit:
> > --
> > 2.39.0
> >

Patch

diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 63dffd9b..73b72b5d 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -591,16 +591,21 @@  static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb)
 		class = pdb->class_val_to_struct[i];
 		if (!class) continue;
 		name = pdb->p_class_val_to_name[i];
-		sepol_printf(out, "class %s", name);
-		if (class->comkey) {
-			sepol_printf(out, " inherits %s", class->comkey);
-		}
 		perms = class_or_common_perms_to_str(&class->permissions);
-		if (perms) {
-			sepol_printf(out, " { %s }", perms);
-			free(perms);
+		/* Do not write empty classes, their declaration was alreedy
+		 * printed in write_class_decl_rules_to_conf() */
+		if (perms || class->comkey) {
+			sepol_printf(out, "class %s", name);
+			if (class->comkey) {
+				sepol_printf(out, " inherits %s", class->comkey);
+			}
+
+			if (perms) {
+				sepol_printf(out, " { %s }", perms);
+				free(perms);
+			}
+			sepol_printf(out, "\n");
 		}
-		sepol_printf(out, "\n");
 	}
 
 exit:
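Review bot: The comment introduced above the new `if (perms || class->comkey)` condition misspells "already" as "alreedy"; I would write it as `/* Do not write empty classes, their declaration was already printed in write_class_decl_rules_to_conf() */`. Separately, the new condition treats a NULL return from `class_or_common_perms_to_str()` as "no permissions"; if that helper also returns NULL on allocation failure (not visible in this hunk, worth confirming), such a failure would now silently drop the whole class definition from the generated conf, so an error path distinct from the empty-set case would make the conversion fail loudly instead of emitting an incomplete policy. The enclosing loop and write_class_and_common_rules_to_conf() both start before this hunk, and the function continues past the `exit:` label.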