
[2/2] libsepol/cil: Limit the amount of reporting for context rule conflicts

Message ID 20220114192002.730773-2-jwcart2@gmail.com (mailing list archive)

Commit Message

James Carter Jan. 14, 2022, 7:20 p.m. UTC
When there are conflicting context rules, the locations of the
conflicting rules are written out. If there are many duplicates of
the same context rule, there will be many pairs of conflicts written
out. This hides the fact that all of the rules are the same and can
make it hard to see the different conflicts.

Report all the duplicate conflicting rules together and only report
the first 10 conflicts of the same rule.

Fixes problem found by oss-fuzz (#39735)

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/cil/src/cil_post.c | 46 +++++++++++++++++++++----------------
 1 file changed, 26 insertions(+), 20 deletions(-)

Patch

diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
index 7e2c2b9a..f0520abe 100644
--- a/libsepol/cil/src/cil_post.c
+++ b/libsepol/cil/src/cil_post.c
@@ -2280,7 +2280,8 @@  static int __cil_post_report_conflict(struct cil_tree_node *node, uint32_t *fini
 static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)(const void *, const void *), int (*concompar)(const void *, const void *), struct cil_db *db, enum cil_flavor flavor, const char *flavor_str)
 {
 	uint32_t count = sort->count;
-	uint32_t i, j = 0, removed = 0;
+	uint32_t i = 0, j, removed = 0;
+	int conflicting = 0;
 	int rc = SEPOL_OK;
 
 	if (count < 2) {
@@ -2289,36 +2290,41 @@  static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
 
 	qsort(sort->array, sort->count, sizeof(sort->array), compar);
 
-	for (i=1; i<count; i++) {
+	for (j=1; j<count; j++) {
 		if (compar(&sort->array[i], &sort->array[j]) != 0) {
-			j++;
+			i++;
+			if (conflicting >= 10) {
+				cil_log(CIL_WARN, "  Only first 10 of %d conflicting rules shown\n", conflicting);
+			}
+			conflicting = 0;
 		} else {
 			removed++;
 			if (!db->multiple_decls ||
 			   concompar(&sort->array[i], &sort->array[j]) != 0) {
 				struct cil_list_item li;
 				int rc2;
-				cil_log(CIL_WARN, "Found conflicting %s rules\n",
-					flavor_str);
-				rc = SEPOL_ERR;
-				li.flavor = flavor;
-				li.data = sort->array[i];
-				rc2 = cil_tree_walk(db->ast->root,
-						    __cil_post_report_conflict,
-						    NULL, NULL, &li);
-				if (rc2 != SEPOL_OK) goto exit;
-				li.data = sort->array[j];
-				rc2 = cil_tree_walk(db->ast->root,
-						    __cil_post_report_conflict,
-						    NULL, NULL, &li);
-				if (rc2 != SEPOL_OK) goto exit;
+				conflicting++;
+				if (conflicting == 1) {
+					cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
+					rc = SEPOL_ERR;
+					li.flavor = flavor;
+					li.data = sort->array[i];
+					rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
+										NULL, NULL, &li);
+					if (rc2 != SEPOL_OK) goto exit;
+				}
+				if (conflicting < 10) {
+					li.data = sort->array[j];
+					rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
+										NULL, NULL, &li);
+					if (rc2 != SEPOL_OK) goto exit;
+				}
 			}
 		}
-		if (i != j) {
-			sort->array[j] = sort->array[i];
+		if (i != j && !conflicting) {
+			sort->array[i] = sort->array[j];
 		}
 	}
-
 	sort->count = count - removed;
 
 exit:
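Review bot: The `  Only first 10 of %d conflicting rules shown` summary is never printed for the last run of equal rules in the array, because it is emitted only in the `compar(...) != 0` branch when the next distinct rule is reached; if the final group has ten or more conflicts the loop simply ends with `conflicting >= 10` and the truncation goes unreported. Repeating the check after the loop, before `sort->count = count - removed;`, closes the gap: `if (conflicting >= 10) { cil_log(CIL_WARN, "  Only first 10 of %d conflicting rules shown\n", conflicting); }`. Note also that `conflicting` counts only the rules that conflict with `sort->array[i]`, so at `conflicting == 10` the message appears to read "first 10 of 10" while eleven rules are involved and ten were reported; stating the count as `conflicting + 1`, or naming the limit once instead of repeating the literal `10` in `>= 10`, `< 10` and the format string, would keep the message and the thresholds in step. The `exit:` label and the function's return lie past the end of the hunk.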