From patchwork Sat Mar 28 12:45:48 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ondrej Mosnacek X-Patchwork-Id: 11463515 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3EBD4161F for ; Sat, 28 Mar 2020 12:46:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 0283F206E6 for ; Sat, 28 Mar 2020 12:46:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="dg+o8EU9" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726353AbgC1MqB (ORCPT ); Sat, 28 Mar 2020 08:46:01 -0400 Received: from us-smtp-delivery-74.mimecast.com ([63.128.21.74]:30372 "EHLO us-smtp-delivery-74.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726290AbgC1MqB (ORCPT ); Sat, 28 Mar 2020 08:46:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1585399560; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=wd8ziv+HGAv/zDdK8rd18zEi8T01NST2lViyTQM5bFQ=; b=dg+o8EU9EV3xQZNe2DMb5fNexxjMkNQu1pTLxv86TITAQl26Bbg9UV6tvIjzonZE4zlig+ 3AuoDkSiCDeOSYynDPx/dsaSlYrBzzt0yrhnRqFBED0eeQEhlKRbKYKeVXqBsmnfnEf46J EM2eKq/KD1eQelHAwWLB4GkVYQBm2NY= Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com [209.85.221.72]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-338-Jjb0H849NHGxRw6f9mJBzQ-1; Sat, 28 Mar 2020 08:45:55 -0400 X-MC-Unique: Jjb0H849NHGxRw6f9mJBzQ-1 Received: by mail-wr1-f72.google.com with SMTP id l17so6200582wro.3 for ; Sat, 28 Mar 2020 05:45:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=wd8ziv+HGAv/zDdK8rd18zEi8T01NST2lViyTQM5bFQ=; b=GEqOBYDwzevKlcL1fB69PH8lzeM8+1nYnJcc62tBIlZGBEU6s6t7Us5aqIG3h8znJ9 /ETKgQtFJFAPw5tehPzs09LnTXLgLHnllZ50eTUt5W5fPmQWSbgqwHmKzpp6DL5UfnW2 VVz2d0mnGS7yLGF2W8Y60PDEGbNOiO6JjRULv5hDGo+B35ecLkgkX8E0xNGqBLC7qT8c ZfrkyF6RRVmZouo7ct/r31VnJ0ZrdnztbYxrJYy2SG/dX2xdW5OWPKxVCWrQWDTk3uBh iV79vanPTnpa9EUiGs17nEYWSZL4mKWSZtHRat5gxhZgqYA4X4gPC9ePxEgXW5sJDq4T mWOA== X-Gm-Message-State: ANhLgQ1QZFlu5u/WMewLlIj+C0uZSJ3kUBfgbmzBm4ZY2osl5mfUxzBF Kwm1I4Tj2D+PQpdqOzHVq8f1CJ/zm6QSOMPl+4jbidZoJSzEUlwNahiohSQT+YUDFUzFZ9XqAtY JzIkZI0Tz0/gjQMLiBw== X-Received: by 2002:adf:f1c4:: with SMTP id z4mr5098586wro.342.1585399554307; Sat, 28 Mar 2020 05:45:54 -0700 (PDT) X-Google-Smtp-Source: ADFU+vt1eEihAId6GvFvjPwIfJ8nMQR2DY7MZhAkmXuneyyJ55YRBUX1KGnDuKXdbuEM69O/3UAL8g== X-Received: by 2002:adf:f1c4:: with SMTP id z4mr5098563wro.342.1585399554066; Sat, 28 Mar 2020 05:45:54 -0700 (PDT) Received: from omos.redhat.com ([2a02:8308:b13f:2100:f695:3ae5:c8bf:2f57]) by smtp.gmail.com with ESMTPSA id y200sm12349156wmc.20.2020.03.28.05.45.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 28 Mar 2020 05:45:53 -0700 (PDT) From: Ondrej Mosnacek To: selinux@vger.kernel.org Cc: Stephen Smalley , Chris PeBenito Subject: [PATCH v2 0/2] userspace: Implement new format of filename trans rules Date: Sat, 28 Mar 2020 13:45:48 +0100 Message-Id: <20200328124550.199568-1-omosnace@redhat.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org These patches are the userspace side of the kernel change posted at [1]. The first patch changes libsepol's internal representation of filename transition rules in a way similar to kernel commit c3a276111ea2 ("selinux: optimize storage of filename transitions") [2]. The second patch then builds upon that and implements reading and writing of a new binary policy format that uses this representation also in the data layout. See individual patches for more details. NOTE: This series unfortunately breaks the build of setools. Moreover, when an existing build of setools dynamically links against the new libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of handling this, since setools relies on non-public libsepol policydb API/ABI. Changes in v2: - fixed counting rules when reading the new policy format [1] https://lore.kernel.org/selinux/20200327151941.95619-1-omosnace@redhat.com/T/ [2] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b Ondrej Mosnacek (2): libsepol,checkpolicy: optimize storage of filename transitions libsepol: implement POLICYDB_VERSION_COMP_FTRANS checkpolicy/policy_define.c | 52 ++-- checkpolicy/test/dispol.c | 27 +- libsepol/cil/src/cil_binary.c | 29 +- libsepol/include/sepol/policydb/policydb.h | 18 +- libsepol/src/expand.c | 60 +--- libsepol/src/kernel_to_cil.c | 24 +- libsepol/src/kernel_to_conf.c | 24 +- libsepol/src/policydb.c | 314 ++++++++++++++++----- libsepol/src/write.c | 100 +++++-- 9 files changed, 441 insertions(+), 207 deletions(-)