[v5,0/2] userspace: Implement new format of filename trans rules

Message ID 20200719103506.865962-1-omosnace@redhat.com (mailing list archive)

Message

Ondrej Mosnacek July 19, 2020, 10:35 a.m. UTC
These patches are the userspace side of the following kernel commits:
c3a276111ea2 ("selinux: optimize storage of filename transitions") [1]
430059024389 ("selinux: implement new format of filename transitions") [2].

The first patch changes libsepol's internal representation of filename
transition rules in a way similar to the kernel commit.

The second patch then builds upon that and implements reading and
writing of the new binary policy format that uses this representation
also in the data layout.

See individual patches for more details.

NOTE: This series unfortunately breaks the build of setools. Moreover,
when an existing build of setools dynamically links against the new
libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of
handling this, since setools relies on non-public libsepol policydb
API/ABI. I have prepared a preliminary patch to adapt setools to these
changes - I'll open a WIP pull request for it soon...

See also this discussion about the setools impact:
https://lore.kernel.org/selinux/daeae1d9-de29-aae0-6bde-3ad3427a5d42@tycho.nsa.gov/

Changes in v5:
 - fix comment in filename_trans_read() to not change when being moved
 - fix filename_trans_check_datum()
   - destroy temporary ebitmaps at return
   - actually iterate through datums

Changes in v4:
 - rebased on top of latest master branch

Changes in v3:
 - fixed the change in dispol.c to match the rest of the code
 - renamed the helper functions to use the "_compat" suffix rather than
   "_old" and "_new"

Changes in v2:
 - fixed counting rules when reading the new policy format

[1] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4300590243895ac39e8c97a2f5acd004dad8a42f

Ondrej Mosnacek (2):
  libsepol,checkpolicy: optimize storage of filename transitions
  libsepol: implement POLICYDB_VERSION_COMP_FTRANS

 checkpolicy/policy_define.c                |  52 ++--
 checkpolicy/test/dispol.c                  |  20 +-
 libsepol/cil/src/cil_binary.c              |  29 +-
 libsepol/include/sepol/policydb/policydb.h |  18 +-
 libsepol/src/expand.c                      |  60 +---
 libsepol/src/kernel_to_cil.c               |  24 +-
 libsepol/src/kernel_to_conf.c              |  24 +-
 libsepol/src/policydb.c                    | 306 +++++++++++++++++----
 libsepol/src/write.c                       | 101 +++++--
 9 files changed, 435 insertions(+), 199 deletions(-)
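The grouping the cover letter refers to, shown as an added stand-alone illustration (not code from this series or from libsepol): rules are keyed by (ttype, tclass, name), as in the kernel commit, and each key holds one datum per otype carrying the set of source types, so many `stype ttype:tclass name -> otype` rules collapse into one bitmap. Assumptions: a flat list stands in for the policydb hash table, a `uint64_t` stands in for an ebitmap, and `name` pointers are borrowed rather than copied.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Key shared by all rules that differ only in source type: (ttype, tclass, name). */
struct ftrans_key { uint32_t ttype; uint16_t tclass; const char *name; };
/* One datum per distinct otype under a key; stypes is the set of source types
 * (a uint64_t stands in for libsepol's ebitmap, so type ids are limited to 0..63). */
struct ftrans_datum { uint64_t stypes; uint32_t otype; struct ftrans_datum *next; };
struct ftrans_entry { struct ftrans_key key; struct ftrans_datum *datums; struct ftrans_entry *next; };
static struct ftrans_entry *table; /* flat list here; the real policydb uses a hashtab */

static struct ftrans_entry *find_entry(uint32_t ttype, uint16_t tclass, const char *name)
{
	struct ftrans_entry *e = table;
	while (e && !(e->key.ttype == ttype && e->key.tclass == tclass && !strcmp(e->key.name, name)))
		e = e->next;
	return e;
}
/* Add "stype ttype:tclass name -> otype", merging into the key's existing datum for
 * otype when there is one. Returns -1 if (stype, key) already maps to another otype. */
int ftrans_add(uint32_t stype, uint32_t ttype, uint16_t tclass, const char *name, uint32_t otype)
{
	struct ftrans_entry *e = find_entry(ttype, tclass, name);
	struct ftrans_datum *d, *match = NULL;
	if (!e) {
		e = calloc(1, sizeof(*e));
		e->key = (struct ftrans_key){ ttype, tclass, name }; /* name is borrowed, not copied */
		e->next = table; table = e;
	}
	for (d = e->datums; d; d = d->next) {
		if (d->otype == otype)
			match = d;
		else if (d->stypes & (1ULL << stype))
			return -1; /* one (stype, ttype, tclass, name) cannot yield two otypes */
	}
	if (!match) {
		match = calloc(1, sizeof(*match));
		match->otype = otype;
		match->next = e->datums; e->datums = match;
	}
	match->stypes |= 1ULL << stype; /* a duplicate rule just sets the same bit again */
	return 0;
}
/* Lookup at transition time: find the key once, then scan its short datum list.
 * Returns the otype, or -1 when no rule matches. */
int64_t ftrans_lookup(uint32_t stype, uint32_t ttype, uint16_t tclass, const char *name)
{
	struct ftrans_entry *e = find_entry(ttype, tclass, name);
	for (struct ftrans_datum *d = e ? e->datums : NULL; d; d = d->next)
		if (d->stypes & (1ULL << stype))
			return d->otype;
	return -1;
}
```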

Comments

Ondrej Mosnacek July 19, 2020, 11:31 a.m. UTC | #1
On Sun, Jul 19, 2020 at 12:35 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> These patches are the userspace side of the following kernel commits:
> c3a276111ea2 ("selinux: optimize storage of filename transitions") [1]
> 430059024389 ("selinux: implement new format of filename transitions") [2].
>
> The first patch changes libsepol's internal representation of filename
> transition rules in a way similar to the kernel commit.
>
> The second patch then builds upon that and implements reading and
> writing of the new binary policy format that uses this representation
> also in the data layout.
>
> See individual patches for more details.
>
> NOTE: This series unfortunately breaks the build of setools. Moreover,
> when an existing build of setools dynamically links against the new
> libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of
> handling this, since setools relies on non-public libsepol policydb
> API/ABI. I have prepared a preliminary patch to adapt setools to these
> changes - I'll open a WIP pull request for it soon...

And the setools PR is here:
https://github.com/SELinuxProject/setools/pull/50

>
> See also this discussion about the setools impact:
> https://lore.kernel.org/selinux/daeae1d9-de29-aae0-6bde-3ad3427a5d42@tycho.nsa.gov/