Re: [PATCH] libsepol/cil: remove avrules with no affected types

[Gary Tierney <gary.tierney@gmx.com>]

[-- Attachment #1: Type: text/plain, Size: 3053 bytes --]

On Wed, Dec 07, 2016 at 08:27:05AM -0500, Stephen Smalley wrote:
> On 12/07/2016 07:15 AM, Gary Tierney wrote:
> > Adds a check for avrules with type attributes that have a bitmap cardinality
> > of 0 (i.e., no types in their set) before adding them to the libsepol policy in
> > __cil_avrule_to_avtab().  Also adds an exception for neverallow rules to
> > prevent breaking anything from AOSP mentioned in
> > f9927d9370f90bd9d975ff933fe107ec4f93a9ac.
> 
> James Carter is away for a few days, so this might be delayed in review.
> 

No problem.  I'll try and get the second part of this (removing typeattributes
which are only used in these dud avrules) to the list in time for reviewing
this.

> > 
> > Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> > ---
> >  libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 47 insertions(+)
> > 
> > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > index d33981b..3aa350a 100644
> > --- a/libsepol/cil/src/cil_binary.c
> > +++ b/libsepol/cil/src/cil_binary.c
> > @@ -1411,6 +1411,48 @@ exit:
> >  	return rc;
> >  }
> >  
> > +static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
> > +{
> > +	struct cil_tree_node *node = NULL;
> > +	struct cil_typeattribute *attrib = NULL;
> > +
> > +	if (src->fqn == CIL_KEY_SELF) {
> > +		return CIL_FALSE;
> > +	}
> > +
> > +	node = src->nodes->head->data;
> > +
> > +	if (node->flavor != CIL_TYPEATTRIBUTE) {
> > +		return CIL_FALSE;
> > +	}
> > +
> > +	attrib = (struct cil_typeattribute *) src;
> > +	return ebitmap_cardinality(attrib->types) == 0;
> > +}
> > +
> > +static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
> > +{
> > +	struct cil_symtab_datum *src = cil_avrule->src;
> > +	struct cil_symtab_datum *tgt = cil_avrule->tgt;
> > +
> > +	// Don't remove neverallow rules so they are written to
> > +	// the resulting policy and can be checked by tools in
> > +	// AOSP.
> > +	if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
> > +		return CIL_FALSE;
> > +	}
> > +
> > +	if (__cil_type_datum_is_unused_attrib(src)) {
> > +		return CIL_TRUE;
> > +	}
> > +
> > +	if (__cil_type_datum_is_unused_attrib(tgt)) {
> > +		return CIL_TRUE;
> > +	}
> > +
> > +	return CIL_FALSE;
> > +}
> > +
> >  int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
> >  {
> >  	int rc = SEPOL_ERR;
> > @@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
> >  		goto exit;
> >  	}
> >  
> > +	if (__cil_avrule_can_remove(cil_avrule)) {
> > +		rc = SEPOL_OK;
> > +		goto exit;
> > +	}
> > +
> >  	src = cil_avrule->src;
> >  	tgt = cil_avrule->tgt;
> >  
> > 
> 

-- 
Gary Tierney

GPG fingerprint: 412C 0EF9 C305 68E6 B660  BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 473 bytes --]