From patchwork Wed Jan 19 16:35:15 2022 X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12717665
b=gEjV1KnO7w2EcRB1euNbUIVTFKFYUNtFCB6/mBF/G+a0haQFAu04UGiBAFk28Afo6n DXqew/A73OKPviJ2F8j33CSIfQfAwOoxXQWW+BISG00X2nPUy9Q9C4ENCpcTSEpGMI01 MeINgJmxWKWlhizXXTqwlZuLtiq1AsJWLrcCSHbDf6JSWhSqIL2U7mHOgwnKci78YoPB PNxCIs3ko6gObFWEg7QYLqLqQciWjr3ToLYK/B9cu3lKrY+hdbSnm0S6/iIvqUrLPM+8 0YynY2ZLrIpPkIPzYA+MTeVYGzS39Cmn/P4rB1cA4HwK/Gu8oNUt52gmngzE/R1IDwqa YX3A== X-Gm-Message-State: AOAM533uR/YzpWCLc4meK3E4xG3bHGrYi+UTJBx10M+DYpx8As3tXjrI T3KtPsY2GrLVeNGwWvi3aSq3QWrp1Js= X-Google-Smtp-Source: ABdhPJyZvDrFP8rUazB3JwLACyb0kUF2SXoBD/UyK2x8z4+OxpbnK0UrqP+IJUVoyEDybDQ/QSh3Vg== X-Received: by 2002:a05:6214:5001:: with SMTP id jo1mr27749773qvb.21.1642610130251; Wed, 19 Jan 2022 08:35:30 -0800 (PST) Received: from localhost.localdomain (c-69-250-217-147.hsd1.md.comcast.net. [69.250.217.147]) by smtp.gmail.com with ESMTPSA id b200sm127231qkc.50.2022.01.19.08.35.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 19 Jan 2022 08:35:29 -0800 (PST) From: James Carter To: selinux@vger.kernel.org Cc: j2468h@googlemail.com, James Carter Subject: [PATCH 1/4 v2] libsepol/cil: Add cil_get_log_level() function Date: Wed, 19 Jan 2022 11:35:15 -0500 Message-Id: <20220119163518.93780-2-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20220119163518.93780-1-jwcart2@gmail.com> References: <20220119163518.93780-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Add the function cil_get_log_level() that returns the current log level for CIL. Signed-off-by: James Carter --- libsepol/cil/src/cil_log.c | 5 +++++ libsepol/cil/src/cil_log.h | 2 ++ 2 files changed, 7 insertions(+) diff --git a/libsepol/cil/src/cil_log.c b/libsepol/cil/src/cil_log.c index a8e4d2e9..a296929b 100644 --- a/libsepol/cil/src/cil_log.c +++ b/libsepol/cil/src/cil_log.c @@ -70,3 +70,8 @@ void cil_set_log_level(enum cil_log_level lvl) { cil_log_level = lvl; } + +enum cil_log_level cil_get_log_level(void) +{ + return cil_log_level; +} 
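Review bot: no functional concern with the getter; it returns the same file-scope cil_log_level that cil_set_log_level() writes in the context line just above, so the two cannot drift apart. One documentation point for the matching header hunk: a one-line comment above the new prototype in cil_log.h saying that it reports the level last passed to cil_set_log_level() would tell readers why the accessor exists, since its only consumers are the bounds, neverallow and context-rule checks later in this series.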
diff --git a/libsepol/cil/src/cil_log.h b/libsepol/cil/src/cil_log.h index 541569be..442781fb 100644 --- a/libsepol/cil/src/cil_log.h +++ b/libsepol/cil/src/cil_log.h 
@@ -38,4 +38,6 @@ __attribute__ ((format(printf, 2, 0))) void cil_vlog(enum cil_log_level lvl, const char *msg, va_list args); __attribute__ ((format(printf, 2, 3))) void cil_log(enum cil_log_level lvl, const char *msg, ...); +enum cil_log_level cil_get_log_level(void); + #endif // CIL_LOG_H_ From patchwork Wed Jan 19 16:35:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12717667 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C785C433F5 for ; Wed, 19 Jan 2022 16:35:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356158AbiASQfd (ORCPT ); Wed, 19 Jan 2022 11:35:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46112 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356159AbiASQfc (ORCPT ); Wed, 19 Jan 2022 11:35:32 -0500 Received: from mail-qv1-xf34.google.com (mail-qv1-xf34.google.com [IPv6:2607:f8b0:4864:20::f34]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B5AE2C06173E for ; Wed, 19 Jan 2022 08:35:31 -0800 (PST) Received: by mail-qv1-xf34.google.com with SMTP id bc19so2940766qvb.11 for ; Wed, 19 Jan 2022 08:35:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=qkDDpecYRmfpJOGlple4ThaWQ34EwKZUH50HlmE2SkY=; b=YTAbxQK0SGJIrDmIsTSrVodlKjQ+gXWllXIrQGmbPlaRBbLxbGA4B3YOz7IgA63OgO ABAnLn1ffI4DbSk6n1oxmboy/aW/UEFZ4asK8VHJrLJkehvWNv8SnTftcWI9/pipoVbG gfvA651mPQlXlgfpUwQyjeBKf3h641pw2jJ5FMycQyLOwBLhBPAA1154EQ7xMRSBONDA WGyYGh5GH2/iTohYCF3lxZQnGerOhvZljjSFGGSsreI736c4IzBGVgCvDNf/I8ZB7t9e 
From: James Carter To: selinux@vger.kernel.org Cc: j2468h@googlemail.com, James Carter Subject: [PATCH 2/4 v2] libsepol/cil: Provide more control over reporting bounds failures Date: Wed, 19 Jan 2022 11:35:16 -0500 Message-Id: <20220119163518.93780-3-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20220119163518.93780-1-jwcart2@gmail.com> References: <20220119163518.93780-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org Commit 4b2e2a248e48b2902ab1ef3cab86322a3c6ef055 (libsepol/cil: Limit the amount of reporting for bounds failures) limited the number of bounds failures that were reported to the first two matching rules for the first two bad rules. Instead, report the first two matching rules for the first four bad rules at the default log level and report all matching rules for all bad rules for higher verbosity levels. Signed-off-by: James Carter --- libsepol/cil/src/cil_binary.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 4ac8ce8d..b7da8241 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -4863,6 +4863,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void struct cil_avrule target; struct cil_tree_node *n1 = NULL; int count_bad = 0; + enum cil_log_level log_level = cil_get_log_level(); *violation = CIL_TRUE; 
@@ -4909,16 +4910,16 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void __cil_print_rule(" ", "allow", r2); } count_matching++; - if (count_matching >= 2) { - cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching); + if (count_matching >= 2 && num_matching > 2 && log_level == CIL_ERR) { + cil_log(CIL_ERR, " Only first 2 of %d matching rules shown (use \"-v\" to show all)\n", num_matching); break; } } cil_list_destroy(&matching, CIL_FALSE); cil_list_destroy(&target.perms.classperms, CIL_TRUE); count_bad++; - if (count_bad >= 2) { - cil_log(CIL_ERR, " Only first 2 of %d bad rules shown\n", numbad); + if (count_bad >= 4 && numbad > 4 && log_level == CIL_ERR) { + cil_log(CIL_ERR, " Only first 4 of %d bad rules shown (use \"-v\" to show all)\n", numbad); break; } } From patchwork Wed Jan 19 16:35:17 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12717666 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AAF53C4332F for ; Wed, 19 Jan 2022 16:35:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356162AbiASQfd (ORCPT ); Wed, 19 Jan 2022 11:35:33 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46116 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356161AbiASQfc (ORCPT ); Wed, 19 Jan 2022 11:35:32 -0500 Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7871CC061574 for ; Wed, 19 Jan 2022 08:35:32 -0800 (PST) Received: by mail-qv1-xf36.google.com with SMTP id bc19so2940840qvb.11 for ; Wed, 19 Jan 2022 08:35:32 -0800 (PST) DKIM-Signature: v=1; 
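Review bot: both new guards in this hunk test `log_level == CIL_ERR`, so any level other than CIL_ERR disables the truncation; `log_level <= CIL_ERR` would say "default verbosity or quieter" directly and would match the `>=` / `>` comparisons the cil_post.c hunk in patch 4/4 of this series uses, so the four call sites read the same way. The added `num_matching > 2` and `numbad > 4` conditions are a real improvement: without them "Only first 2 of 2 matching rules shown" would be printed when nothing was hidden. The `break` still leaves the `cil_list_destroy` calls after the loop to run, so the early exit does not leak the matching list.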
From: James Carter To: selinux@vger.kernel.org Cc: j2468h@googlemail.com, James Carter Subject: [PATCH 3/4 v2] libsepol/cil: Limit the neverallow violations reported Date: Wed, 19 Jan 2022 11:35:17 -0500 Message-Id: <20220119163518.93780-4-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20220119163518.93780-1-jwcart2@gmail.com> References: <20220119163518.93780-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org When there is a neverallow violation, a search is made for all of the rules that violate the neverallow. The violating rules as well as their parents are written out to make it easier to find these rules. If there is a lot of rules that violate a neverallow, then this amount of reporting is too much. Instead, only print out the first four rules (with their parents) that match the violated neverallow rule along with the total number of rules that violate the neverallow at the default log level. Report all the violations when at a higher verbosity level. Signed-off-by: James Carter --- libsepol/cil/src/cil_binary.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index b7da8241..8b64b37a 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -4640,6 +4640,9 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr char *neverallow_str; char *allow_str; enum cil_flavor avrule_flavor; + int num_matching = 0; + int count_matching = 0; + enum cil_log_level log_level = cil_get_log_level(); target.rule_kind = CIL_AVRULE_ALLOWED; target.is_extended = cil_rule->is_extended; 
@@ -4666,11 +4669,19 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr goto exit; } + cil_list_for_each(i2, matching) { + num_matching++; + } cil_list_for_each(i2, matching) { n2 = i2->data; r2 = n2->data; __cil_print_parents(" ", n2); __cil_print_rule(" ", allow_str, r2); + count_matching++; + if (count_matching >= 4 && num_matching > 4 && log_level == CIL_ERR) { + cil_log(CIL_ERR, " Only first 4 of %d matching rules shown (use \"-v\" to show all)\n", num_matching); + break; + } } cil_log(CIL_ERR,"\n"); cil_list_destroy(&matching, CIL_FALSE); From patchwork Wed Jan 19 16:35:18 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Carter X-Patchwork-Id: 12717668 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03126C43219 for ; Wed, 19 Jan 2022 16:35:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1356161AbiASQfe (ORCPT ); Wed, 19 Jan 2022 11:35:34 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46124 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356159AbiASQfd (ORCPT ); Wed, 19 Jan 2022 11:35:33 -0500 Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 42542C06161C for ; Wed, 19 Jan 2022 08:35:33 -0800 (PST) Received: by mail-qk1-x72f.google.com with SMTP id 193so3222580qkh.13 for ; Wed, 19 Jan 2022 08:35:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=iWD1gmrTBS5AqRAp/neCI4yH1ztJZFB/TS2HBhDZnEU=; 
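Review bot: the new counting loop `cil_list_for_each(i2, matching) { num_matching++; }` walks the whole matching list on every neverallow failure, but `num_matching` is only read in the truncation message, which is itself gated on `log_level == CIL_ERR`; wrapping the count in the same `if (log_level == CIL_ERR)` avoids the extra pass at higher verbosity, where every rule is printed anyway. As in patch 2/4, `log_level <= CIL_ERR` would be the safer spelling of "default level or quieter". The `break` after the fourth rule still falls through to the `cil_log(CIL_ERR, "\n")` and `cil_list_destroy(&matching, CIL_FALSE)` context lines, so output stays terminated and the list is freed on both paths.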
From: James Carter To: selinux@vger.kernel.org Cc: j2468h@googlemail.com, James Carter Subject: [PATCH 4/4 v2] libsepol/cil: Limit the amount of reporting for context rule conflicts Date: Wed, 19 Jan 2022 11:35:18 -0500 Message-Id: <20220119163518.93780-5-jwcart2@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20220119163518.93780-1-jwcart2@gmail.com> References: <20220119163518.93780-1-jwcart2@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org When there are conflicting context rules, the locations of the conflicting rules are written out. If there are many duplicates of the same context rule, there will be many pairs of conflicts written out. This hides the fact that all of the rules are the same and can make it hard to see the different conflicts. First, since these are warnings and not reported at the default log verbosity level (which only reports errors), only search for the locations of the conflicting rules when the verbosity level means that the warnings will actually be reported. Second, report all the duplicate conflicting rules together. Third, report the first four conflicts of the same rule when the verbosity level is at CIL_WARN ("-v") and report all of them when the verbosity level is at CIL_INFO or higher ("-v -v"). Fixes problem found by oss-fuzz (#39735) Signed-off-by: James Carter --- libsepol/cil/src/cil_post.c | 57 +++++++++++++++++++++---------------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index 7e2c2b9a..09c02af9 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c 
@@ -2280,8 +2280,10 @@ static int __cil_post_report_conflict(struct cil_tree_node *node, uint32_t *fini static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)(const void *, const void *), int (*concompar)(const void *, const void *), struct cil_db *db, enum cil_flavor flavor, const char *flavor_str) { uint32_t count = sort->count; - uint32_t i, j = 0, removed = 0; + uint32_t i = 0, j, removed = 0; + int conflicting = 0; int rc = SEPOL_OK; + enum cil_log_level log_level = cil_get_log_level(); if (count < 2) { return SEPOL_OK; 
@@ -2289,36 +2291,43 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar) qsort(sort->array, sort->count, sizeof(sort->array), compar); - for (i=1; iarray[i], &sort->array[j]) != 0) { - j++; + i++; + if (conflicting >= 4) { + /* 2 rules were written when conflicting == 1 */ + cil_log(CIL_WARN, " Only first 4 of %d conflicting rules shown\n", conflicting); + } + conflicting = 0; } else { removed++; - if (!db->multiple_decls || - concompar(&sort->array[i], &sort->array[j]) != 0) { - struct cil_list_item li; - int rc2; - cil_log(CIL_WARN, "Found conflicting %s rules\n", - flavor_str); - rc = SEPOL_ERR; - li.flavor = flavor; - li.data = sort->array[i]; - rc2 = cil_tree_walk(db->ast->root, - __cil_post_report_conflict, - NULL, NULL, &li); - if (rc2 != SEPOL_OK) goto exit; - li.data = sort->array[j]; - rc2 = cil_tree_walk(db->ast->root, - __cil_post_report_conflict, - NULL, NULL, &li); - if (rc2 != SEPOL_OK) goto exit; + if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) { + conflicting++; + if (log_level >= CIL_WARN) { + struct cil_list_item li; + int rc2; + li.flavor = flavor; + if (conflicting == 1) { + cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str); + rc = SEPOL_ERR; + li.data = sort->array[i]; + rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict, + NULL, NULL, &li); + if (rc2 != SEPOL_OK) goto exit; + } + if (conflicting < 4 || log_level > CIL_WARN) { + li.data = sort->array[j]; + rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict, + NULL, NULL, &li); + if (rc2 != SEPOL_OK) goto exit; + } + } } } - if (i != j) { - sort->array[j] = sort->array[i]; + if (i != j && !conflicting) { + sort->array[i] = sort->array[j]; } } - sort->count = count - removed; exit:
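Review bot: `rc = SEPOL_ERR;` now sits inside both `if (log_level >= CIL_WARN)` and `if (conflicting == 1)`, so at the default CIL_ERR level this function returns SEPOL_OK even when conflicts were found, whereas the removed lines set rc on every conflict regardless of verbosity; if any caller acts on the return value, move the assignment up next to `conflicting++` so the result does not depend on the log level. Two smaller points on the new truncation message: it prints `conflicting` as the total, but a group with `conflicting` duplicates holds conflicting + 1 rules (the kept rule plus its duplicates, which is why the comment notes that two rules are written at `conflicting == 1`), so five conflicting rules produce "Only first 4 of 4 conflicting rules shown"; and it is emitted whenever `conflicting >= 4` without checking the level, so at CIL_INFO, where the `log_level > CIL_WARN` branch has already printed every rule, it still claims rules were hidden. Guarding it with `log_level == CIL_WARN` and printing `conflicting + 1` addresses both. Finally, the `for` header and the `compar(...)` test are truncated in this rendering (the text between `i=1;` and `array[i]` is missing), so the swapped roles of `i` and `j` in the new `if (i != j && !conflicting) { sort->array[i] = sort->array[j]; }` cannot be checked from the hunk as shown; please confirm in the full patch that `j` is the read cursor and `i` the write cursor after the swap.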