Message ID | 1481112959-26208-2-git-send-email-gary.tierney@gmx.com (mailing list archive) |
---|---|
On Wed, Dec 07, 2016 at 08:27:05AM -0500, Stephen Smalley wrote: > On 12/07/2016 07:15 AM, Gary Tierney wrote: > > Adds a check for avrules with type attributes that have a bitmap cardinality > > of 0 (i.e., no types in their set) before adding them to the libsepol policy in > > __cil_avrule_to_avtab(). Also adds an exception for neverallow rules to > > prevent breaking anything from AOSP mentioned in > > f9927d9370f90bd9d975ff933fe107ec4f93a9ac. > > James Carter is away for a few days, so this might be delayed in review. > No problem. I'll try and get the second part of this (removing typeattributes which are only used in these dud avrules) to the list in time for reviewing this. > > > > Signed-off-by: Gary Tierney <gary.tierney@gmx.com> > > --- > > libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 47 insertions(+) > > > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > > index d33981b..3aa350a 100644 > > --- a/libsepol/cil/src/cil_binary.c > > +++ b/libsepol/cil/src/cil_binary.c 
> > @@ -1411,6 +1411,48 @@ exit: > > return rc; > > } > > > > +static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src) > > +{ > > + struct cil_tree_node *node = NULL; > > + struct cil_typeattribute *attrib = NULL; > > + > > + if (src->fqn == CIL_KEY_SELF) { > > + return CIL_FALSE; > > + } > > + > > + node = src->nodes->head->data; > > + > > + if (node->flavor != CIL_TYPEATTRIBUTE) { > > + return CIL_FALSE; > > + } > > + > > + attrib = (struct cil_typeattribute *) src; > > + return ebitmap_cardinality(attrib->types) == 0; > > +} > > + > > +static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule) > > +{ > > + struct cil_symtab_datum *src = cil_avrule->src; > > + struct cil_symtab_datum *tgt = cil_avrule->tgt; > > + > > + // Don't remove neverallow rules so they are written to > > + // the resulting policy and can be checked by tools in > > + // AOSP. > > + if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) { > > + return CIL_FALSE; > > + } > > + > > + if (__cil_type_datum_is_unused_attrib(src)) { > > + return CIL_TRUE; > > + } > > + > > + if (__cil_type_datum_is_unused_attrib(tgt)) { > > + return CIL_TRUE; > > + } > > + > > + return CIL_FALSE; > > +} > > + > > int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor) > > { > > int rc = SEPOL_ERR; > > @@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a > > goto exit; > > } > > > > + if (__cil_avrule_can_remove(cil_avrule)) { > > + rc = SEPOL_OK; > > + goto exit; > > + } > > + > > src = cil_avrule->src; > > tgt = cil_avrule->tgt; > > > > >
On 12/07/2016 07:15 AM, Gary Tierney wrote: > Adds a check for avrules with type attributes that have a bitmap cardinality > of 0 (i.e., no types in their set) before adding them to the libsepol policy in > __cil_avrule_to_avtab(). Also adds an exception for neverallow rules to > prevent breaking anything from AOSP mentioned in > f9927d9370f90bd9d975ff933fe107ec4f93a9ac. > > Signed-off-by: Gary Tierney <gary.tierney@gmx.com> > --- > libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 47 insertions(+) > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > index d33981b..3aa350a 100644 > --- a/libsepol/cil/src/cil_binary.c > +++ b/libsepol/cil/src/cil_binary.c 
> @@ -1411,6 +1411,48 @@ exit: > return rc; > } > > +static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src) > +{ > + struct cil_tree_node *node = NULL; > + struct cil_typeattribute *attrib = NULL; > + > + if (src->fqn == CIL_KEY_SELF) { > + return CIL_FALSE; > + } > + > + node = src->nodes->head->data; There is a macro for this, so I changed this line to node = NODE(src); Everything else looked good, so I made the small change above and applied. Thanks, Jim > + > + if (node->flavor != CIL_TYPEATTRIBUTE) { > + return CIL_FALSE; > + } > + > + attrib = (struct cil_typeattribute *) src; > + return ebitmap_cardinality(attrib->types) == 0; > +} > + > +static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule) > +{ > + struct cil_symtab_datum *src = cil_avrule->src; > + struct cil_symtab_datum *tgt = cil_avrule->tgt; > + > + // Don't remove neverallow rules so they are written to > + // the resulting policy and can be checked by tools in > + // AOSP. > + if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) { > + return CIL_FALSE; > + } > + > + if (__cil_type_datum_is_unused_attrib(src)) { > + return CIL_TRUE; > + } > + > + if (__cil_type_datum_is_unused_attrib(tgt)) { > + return CIL_TRUE; > + } > + > + return CIL_FALSE; > +} > + > int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor) > { > int rc = SEPOL_ERR; > @@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a > goto exit; > } > > + if (__cil_avrule_can_remove(cil_avrule)) { > + rc = SEPOL_OK; > + goto exit; > + } > + > src = cil_avrule->src; > tgt = cil_avrule->tgt; > >
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index d33981b..3aa350a 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1411,6 +1411,48 @@ exit:
 return rc;
 }
 
+static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
+{
+ struct cil_tree_node *node = NULL;
+ struct cil_typeattribute *attrib = NULL;
+
+ if (src->fqn == CIL_KEY_SELF) {
+ return CIL_FALSE;
+ }
+
+ node = src->nodes->head->data;
+
+ if (node->flavor != CIL_TYPEATTRIBUTE) {
+ return CIL_FALSE;
+ }
+
+ attrib = (struct cil_typeattribute *) src;
+ return ebitmap_cardinality(attrib->types) == 0;
+}
+
+static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
+{
+ struct cil_symtab_datum *src = cil_avrule->src;
+ struct cil_symtab_datum *tgt = cil_avrule->tgt;
+
+ // Don't remove neverallow rules so they are written to
+ // the resulting policy and can be checked by tools in
+ // AOSP.
+ if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
+ return CIL_FALSE;
+ }
+
+ if (__cil_type_datum_is_unused_attrib(src)) {
+ return CIL_TRUE;
+ }
+
+ if (__cil_type_datum_is_unused_attrib(tgt)) {
+ return CIL_TRUE;
+ }
+
+ return CIL_FALSE;
+}
+
 int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
 {
 int rc = SEPOL_ERR;
@@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
 goto exit;
 }
 
+ if (__cil_avrule_can_remove(cil_avrule)) {
+ rc = SEPOL_OK;
+ goto exit;
+ }
+
 src = cil_avrule->src;
 tgt = cil_avrule->tgt;
 
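Review bot: `__cil_type_datum_is_unused_attrib` returns CIL_FALSE on its early exits but a bare comparison result on its last line, `return ebitmap_cardinality(attrib->types) == 0;`; since both callers test it as a CIL_TRUE/CIL_FALSE value, `return ebitmap_cardinality(attrib->types) == 0 ? CIL_TRUE : CIL_FALSE;` keeps the convention explicit. ebitmap_cardinality walks the whole bitmap and is now invoked for the src and for the tgt of every non-neverallow avrule, while only emptiness is needed; if libsepol's ebitmap still keeps its highbit field, a constant-time emptiness test on it would avoid the per-rule walk, though I have not measured whether the cost is noticeable. Neither helper records why dropping these rules is safe; a header comment on `__cil_avrule_can_remove` such as `/* An attribute with no types matches nothing, so an allow/auditallow/dontaudit rule naming it yields no avtab entries; skipping it cannot change the compiled policy. neverallow rules are kept so they remain visible to tools that check the binary policy. */` would state the invariant that the planned typeattribute-removal follow-up depends on.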
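Review bot: The new early exit in `__cil_avrule_to_avtab` reports SEPOL_OK for a rule that was never added to the avtab, and nothing at the call site says this is intentional; a one-line comment above the check, `/* Attribute with no types: the rule can match nothing, so emit nothing. */`, would stop a later reader from treating the skip as a lost rule. Because the skip precedes the src/tgt lookups, whatever validation the remainder of the function performs is also bypassed for these rules; that appears intended, but the commit description could say so. The body of `__cil_avrule_to_avtab` starts and ends outside the hunk.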
Adds a check for avrules whose type attributes have a bitmap cardinality of 0 (i.e., no types in their set) before adding them to the libsepol policy in __cil_avrule_to_avtab(). Also adds an exception for neverallow rules so as not to break the AOSP use case mentioned in f9927d9370f90bd9d975ff933fe107ec4f93a9ac. Signed-off-by: Gary Tierney <gary.tierney@gmx.com> --- libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+)