* [PATCH] cil: remove avrules that have no associated types
From: Gary Tierney @ 2016-12-07 12:15 UTC
To: selinux
This is a minor improvement to the CIL -> policydb code which will remove
unused AV rules. In the past you could create 2 type attributes like so:
(typeattribute x)
(typeattribute y)
(type z)
(typeattributeset y z)
And an avrule (which would be kept in the resulting policydb):
(allow x y (process (transition)))
Now the avrule would be removed, since the source of the rule has
no associated types. Similarly, the rule would have been removed if the
target had no associated types when the source does. The exception to this
rule is neverallows, since AOSP checks for them in their resulting policy.conf.
There's a small difference in fedora-selinux:
[root@localhost ~]# sesearch -ACS original.30 | head -1
Found 101204 semantic av rules:
[root@localhost ~]# sesearch -ACS modified.30 | head -1
Found 101030 semantic av rules:
And a more noticeable difference with Dominick Grift's dssp1:
[root@localhost ~]# sesearch -ACS dssp_original.30 | head -1
Found 11270 semantic av rules:
[root@localhost ~]# sesearch -ACS dssp_modified.30 | head -1
Found 2574 semantic av rules:
Gary Tierney (1):
libsepol/cil: remove avrules with no affected types
libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
--
2.4.11
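To make the pruning criterion and its safety argument concrete, here is a small Python model of the cover letter's scenario. It is an added example, not libsepol or CIL code: attributes are modelled as sets of type names, avrules as tuples, and `is_unused_attrib`/`can_remove` mirror the two helpers in the patch. `expand` turns allow rules into concrete (source type, target type, class, permissions) tuples so that the rule set before and after pruning can be compared; the extra rules in `example_policy()` (a rule with an empty target, a `self` rule, a neverallow on the empty attribute) are constructed to exercise the exceptions the patch carves out.

```python
"""Toy model of the avrule pruning proposed in the patch above.

Added example, not libsepol code: attributes are Python sets and CIL rules are
tuples, so the pruning rule and the reason it is safe can be run stand-alone.
"""

ALLOW = "allow"
NEVERALLOW = "neverallow"
SELF = "self"


class Policy:
    """A tiny subset of CIL: type, typeattribute, typeattributeset, avrules."""

    def __init__(self):
        self.types = set()
        self.attributes = {}   # attribute name -> set of member type names
        self.avrules = []      # (kind, src, tgt, cls, perms)

    def type(self, name):
        self.types.add(name)

    def typeattribute(self, name):
        self.attributes.setdefault(name, set())   # declared with an empty type set

    def typeattributeset(self, attr, *members):
        # Only plain type names are supported here; real CIL also allows set expressions.
        self.attributes.setdefault(attr, set()).update(members)

    def avrule(self, kind, src, tgt, cls, perms):
        self.avrules.append((kind, src, tgt, cls, frozenset(perms)))

    def members(self, name):
        """Concrete types denoted by a type or attribute name ('self' is handled by the caller)."""
        if name in self.attributes:
            return frozenset(self.attributes[name])
        return frozenset({name})


def is_unused_attrib(policy, name):
    """Counterpart of __cil_type_datum_is_unused_attrib: true only for a
    typeattribute whose type set is empty; 'self' and plain types never qualify."""
    if name == SELF:
        return False
    return name in policy.attributes and not policy.attributes[name]


def can_remove(policy, rule):
    """Counterpart of __cil_avrule_can_remove, including the neverallow exception."""
    kind, src, tgt, _, _ = rule
    if kind == NEVERALLOW:
        return False
    return is_unused_attrib(policy, src) or is_unused_attrib(policy, tgt)


def prune(policy):
    """The rules that would still be written to the policydb."""
    return [r for r in policy.avrules if not can_remove(policy, r)]


def expand(policy, rules):
    """Expand allow rules into concrete (src_type, tgt_type, class, perms) tuples.
    Neverallow rules are compile-time assertions, not granted access, so they are skipped."""
    out = set()
    for kind, src, tgt, cls, perms in rules:
        if kind == NEVERALLOW:
            continue
        for s in policy.members(src):
            targets = {s} if tgt == SELF else policy.members(tgt)
            for t in targets:
                out.add((s, t, cls, perms))
    return out


def example_policy():
    """The cover letter's declarations plus constructed rules that exercise each exception."""
    p = Policy()
    p.typeattribute("x")
    p.typeattribute("y")
    p.type("z")
    p.typeattributeset("y", "z")
    p.avrule(ALLOW, "x", "y", "process", ["transition"])    # empty source: prunable
    p.avrule(ALLOW, "y", "x", "process", ["signal"])        # empty target: prunable
    p.avrule(ALLOW, "z", "y", "file", ["read"])             # both sides populated: kept
    p.avrule(ALLOW, "z", SELF, "process", ["fork"])         # 'self' is never treated as an attribute
    p.avrule(NEVERALLOW, "x", "y", "process", ["ptrace"])   # kept so AOSP tooling can check it
    return p


def demo():
    """Return (rules before, rules after, whether the expanded access set is unchanged)."""
    p = example_policy()
    before, after = p.avrules, prune(p)
    return len(before), len(after), expand(p, before) == expand(p, after)


if __name__ == "__main__":
    print(demo())   # (5, 3, True)
```

The third value of `demo()` is the point of the patch: the two pruned rules expand to no concrete access at all, so the access-vector set is identical before and after, while the number of rules stored in the policydb drops, which is the difference the `sesearch` counts above are showing.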
* [PATCH] libsepol/cil: remove avrules with no affected types
From: Gary Tierney @ 2016-12-07 12:15 UTC
To: selinux
Adds a check for avrules with type attributes that have a bitmap cardinality
of 0 (i.e., no types in their set) before adding them to the libsepol policy in
__cil_avrule_to_avtab(). Also adds an exception for neverallow rules to
prevent breaking anything from AOSP mentioned in
f9927d9370f90bd9d975ff933fe107ec4f93a9ac.
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
---
libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index d33981b..3aa350a 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -1411,6 +1411,48 @@ exit:
return rc;
}
+static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
+{
+ struct cil_tree_node *node = NULL;
+ struct cil_typeattribute *attrib = NULL;
+
+ if (src->fqn == CIL_KEY_SELF) {
+ return CIL_FALSE;
+ }
+
+ node = src->nodes->head->data;
+
+ if (node->flavor != CIL_TYPEATTRIBUTE) {
+ return CIL_FALSE;
+ }
+
+ attrib = (struct cil_typeattribute *) src;
+ return ebitmap_cardinality(attrib->types) == 0;
+}
+
+static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
+{
+ struct cil_symtab_datum *src = cil_avrule->src;
+ struct cil_symtab_datum *tgt = cil_avrule->tgt;
+
+ // Don't remove neverallow rules so they are written to
+ // the resulting policy and can be checked by tools in
+ // AOSP.
+ if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
+ return CIL_FALSE;
+ }
+
+ if (__cil_type_datum_is_unused_attrib(src)) {
+ return CIL_TRUE;
+ }
+
+ if (__cil_type_datum_is_unused_attrib(tgt)) {
+ return CIL_TRUE;
+ }
+
+ return CIL_FALSE;
+}
+
int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
{
int rc = SEPOL_ERR;
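Review bot: `node = src->nodes->head->data;` in `__cil_type_datum_is_unused_attrib()` walks the datum's node list by hand; the CIL tree code already provides a macro for this, so `node = NODE(src);` is clearer and does not depend on how the node list is laid out. Two smaller points in the same hunk: the parameter is named `src`, but `__cil_avrule_can_remove()` passes both `src` and `tgt` through it, so a neutral name such as `datum` would read better; and the early `CIL_KEY_SELF` return deserves a one-line comment (as the neverallow case already has) saying why `self` is excluded before the node is inspected, since a reader of the function alone cannot tell whether that is a correctness requirement or just an optimisation.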
@@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
goto exit;
}
+ if (__cil_avrule_can_remove(cil_avrule)) {
+ rc = SEPOL_OK;
+ goto exit;
+ }
+
src = cil_avrule->src;
tgt = cil_avrule->tgt;
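Review bot: the early exit `rc = SEPOL_OK; goto exit;` drops the rule silently, so a policy author whose attribute ended up empty by accident (a misspelled name in a `typeattributeset`, a module that was never included) gets no hint from the compiler and only finds out when the access is missing at runtime. Consider emitting a verbose-level diagnostic naming the rule's source and target when `__cil_avrule_can_remove()` returns true; that would also let the large drop the cover letter reports for dssp1 be attributed to specific attributes rather than taken on trust. It would help to state in the commit message that rules are pruned this way regardless of whether they are conditional, since the check sits in the shared `__cil_avrule_to_avtab()` path.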
--
2.4.11
* Re: [PATCH] libsepol/cil: remove avrules with no affected types
From: Gary Tierney @ 2016-12-07 13:46 UTC
To: Stephen Smalley; +Cc: selinux
On Wed, Dec 07, 2016 at 08:27:05AM -0500, Stephen Smalley wrote:
> On 12/07/2016 07:15 AM, Gary Tierney wrote:
> > Adds a check for avrules with type attributes that have a bitmap cardinality
> > of 0 (i.e., no types in their set) before adding them to the libsepol policy in
> > __cil_avrule_to_avtab(). Also adds an exception for neverallow rules to
> > prevent breaking anything from AOSP mentioned in
> > f9927d9370f90bd9d975ff933fe107ec4f93a9ac.
>
> James Carter is away for a few days, so this might be delayed in review.
>
No problem. I'll try and get the second part of this (removing typeattributes
which are only used in these dud avrules) to the list in time for reviewing
this.
> >
> > Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> > ---
> > libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 47 insertions(+)
> >
> > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > index d33981b..3aa350a 100644
> > --- a/libsepol/cil/src/cil_binary.c
> > +++ b/libsepol/cil/src/cil_binary.c
> > @@ -1411,6 +1411,48 @@ exit:
> > return rc;
> > }
> >
> > +static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
> > +{
> > + struct cil_tree_node *node = NULL;
> > + struct cil_typeattribute *attrib = NULL;
> > +
> > + if (src->fqn == CIL_KEY_SELF) {
> > + return CIL_FALSE;
> > + }
> > +
> > + node = src->nodes->head->data;
> > +
> > + if (node->flavor != CIL_TYPEATTRIBUTE) {
> > + return CIL_FALSE;
> > + }
> > +
> > + attrib = (struct cil_typeattribute *) src;
> > + return ebitmap_cardinality(attrib->types) == 0;
> > +}
> > +
> > +static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
> > +{
> > + struct cil_symtab_datum *src = cil_avrule->src;
> > + struct cil_symtab_datum *tgt = cil_avrule->tgt;
> > +
> > + // Don't remove neverallow rules so they are written to
> > + // the resulting policy and can be checked by tools in
> > + // AOSP.
> > + if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
> > + return CIL_FALSE;
> > + }
> > +
> > + if (__cil_type_datum_is_unused_attrib(src)) {
> > + return CIL_TRUE;
> > + }
> > +
> > + if (__cil_type_datum_is_unused_attrib(tgt)) {
> > + return CIL_TRUE;
> > + }
> > +
> > + return CIL_FALSE;
> > +}
> > +
> > int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
> > {
> > int rc = SEPOL_ERR;
> > @@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
> > goto exit;
> > }
> >
> > + if (__cil_avrule_can_remove(cil_avrule)) {
> > + rc = SEPOL_OK;
> > + goto exit;
> > + }
> > +
> > src = cil_avrule->src;
> > tgt = cil_avrule->tgt;
> >
> >
>
--
Gary Tierney
GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8
https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
* Re: [PATCH] libsepol/cil: remove avrules with no affected types
From: James Carter @ 2016-12-13 16:03 UTC
To: Gary Tierney, selinux
On 12/07/2016 07:15 AM, Gary Tierney wrote:
> Adds a check for avrules with type attributes that have a bitmap cardinality
> of 0 (i.e., no types in their set) before adding them to the libsepol policy in
> __cil_avrule_to_avtab(). Also adds an exception for neverallow rules to
> prevent breaking anything from AOSP mentioned in
> f9927d9370f90bd9d975ff933fe107ec4f93a9ac.
>
> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> ---
> libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 47 insertions(+)
>
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index d33981b..3aa350a 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -1411,6 +1411,48 @@ exit:
> return rc;
> }
>
> +static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
> +{
> + struct cil_tree_node *node = NULL;
> + struct cil_typeattribute *attrib = NULL;
> +
> + if (src->fqn == CIL_KEY_SELF) {
> + return CIL_FALSE;
> + }
> +
> + node = src->nodes->head->data;
There is a macro for this, so I changed this line to
node = NODE(src);
Everything else looked good, so I made the small change above and applied.
Thanks,
Jim
> +
> + if (node->flavor != CIL_TYPEATTRIBUTE) {
> + return CIL_FALSE;
> + }
> +
> + attrib = (struct cil_typeattribute *) src;
> + return ebitmap_cardinality(attrib->types) == 0;
> +}
> +
> +static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
> +{
> + struct cil_symtab_datum *src = cil_avrule->src;
> + struct cil_symtab_datum *tgt = cil_avrule->tgt;
> +
> + // Don't remove neverallow rules so they are written to
> + // the resulting policy and can be checked by tools in
> + // AOSP.
> + if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
> + return CIL_FALSE;
> + }
> +
> + if (__cil_type_datum_is_unused_attrib(src)) {
> + return CIL_TRUE;
> + }
> +
> + if (__cil_type_datum_is_unused_attrib(tgt)) {
> + return CIL_TRUE;
> + }
> +
> + return CIL_FALSE;
> +}
> +
> int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
> {
> int rc = SEPOL_ERR;
> @@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
> goto exit;
> }
>
> + if (__cil_avrule_can_remove(cil_avrule)) {
> + rc = SEPOL_OK;
> + goto exit;
> + }
> +
> src = cil_avrule->src;
> tgt = cil_avrule->tgt;
>
>
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency