[v1 PATCH 2/7] Separate tunable from boolean during compile.

[v1 PATCH 2/7] Separate tunable from boolean during compile.

[Harry Ciao]

Both boolean and tunable keywords are processed by define_bool_tunable(),
argument 0 and 1 would be passed for boolean and tunable respectively.
For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.

Note, when creating an if-else conditional we can not know if the
tunable identifier is indeed a tunable(for example, a boolean may be
misused in tunable_policy() or vice versa), thus the TUNABLE flag
for cond_node_t would be calculated and used in expansion when all
booleans/tunables copied during link.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 checkpolicy/module_compiler.c |   16 +++++++++++++++-
 checkpolicy/module_compiler.h |    1 +
 checkpolicy/policy_define.c   |    4 +++-
 checkpolicy/policy_define.h   |    2 +-
 checkpolicy/policy_parse.y    |    8 +++++++-
 checkpolicy/policy_scan.l     |    2 ++
 libsepol/src/conditional.c    |    1 +
 7 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
index 1c1d1d5..ffffaf1 100644
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@@ -1045,7 +1045,7 @@ int require_user(int pass)
 	}
 }
 
-int require_bool(int pass)
+static int require_bool_tunable(int pass, int is_tunable)
 {
 	char *id = queue_remove(id_queue);
 	cond_bool_datum_t *booldatum = NULL;
@@ -1063,6 +1063,8 @@ int require_bool(int pass)
 		yyerror("Out of memory!");
 		return -1;
 	}
+	if (is_tunable)
+		booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
 	retval =
 	    require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
 			   &booldatum->s.value, &booldatum->s.value);
@@ -1094,6 +1096,16 @@ int require_bool(int pass)
 	}
 }
 
+int require_bool(int pass)
+{
+	return require_bool_tunable(pass, 0);
+}
+
+int require_tunable(int pass)
+{
+	return require_bool_tunable(pass, 1);
+}
+
 int require_sens(int pass)
 {
 	char *id = queue_remove(id_queue);
@@ -1328,6 +1340,8 @@ void append_cond_list(cond_list_t * cond)
 		     tmp = tmp->next) ;
 		tmp->next = cond->avfalse_list;
 	}
+
+	old_cond->flags |= cond->flags;
 }
 
 void append_avrule(avrule_t * avrule)
diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h
index 45a21cd..72c2d9b 100644
--- a/checkpolicy/module_compiler.h
+++ b/checkpolicy/module_compiler.h
@@ -58,6 +58,7 @@ int require_attribute(int pass);
 int require_attribute_role(int pass);
 int require_user(int pass);
 int require_bool(int pass);
+int require_tunable(int pass);
 int require_sens(int pass);
 int require_cat(int pass);
 
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index ded27f7..1bf669c 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -1494,7 +1494,7 @@ avrule_t *define_cond_compute_type(int which)
 	return avrule;
 }
 
-int define_bool(void)
+int define_bool_tunable(int is_tunable)
 {
 	char *id, *bool_value;
 	cond_bool_datum_t *datum;
@@ -1524,6 +1524,8 @@ int define_bool(void)
 		return -1;
 	}
 	memset(datum, 0, sizeof(cond_bool_datum_t));
+	if (is_tunable)
+		datum->flags |= COND_BOOL_FLAGS_TUNABLE;
 	ret = declare_symbol(SYM_BOOLS, id, datum, &value, &value);
 	switch (ret) {
 	case -3:{
diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
index fc8cd4d..92a9be7 100644
--- a/checkpolicy/policy_define.h
+++ b/checkpolicy/policy_define.h
@@ -21,7 +21,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
 int define_attrib(void);
 int define_attrib_role(void);
 int define_av_perms(int inherits);
-int define_bool(void);
+int define_bool_tunable(int is_tunable);
 int define_category(void);
 int define_class(void);
 int define_common_perms(void);
diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
index 0a17bdc..49ac15f 100644
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@@ -101,6 +101,7 @@ typedef int (* require_func_t)();
 %token ALIAS
 %token ATTRIBUTE
 %token BOOL
+%token TUNABLE
 %token IF
 %token ELSE
 %token TYPE_TRANSITION
@@ -269,6 +270,7 @@ te_decl			: attribute_def
                         | typeattribute_def
                         | typebounds_def
                         | bool_def
+			| tunable_def
                         | transition_def
                         | range_trans_def
                         | te_avtab_def
@@ -295,8 +297,11 @@ opt_attr_list           : ',' id_comma_list
 			| 
 			;
 bool_def                : BOOL identifier bool_val ';'
-                        {if (define_bool()) return -1;}
+                        { if (define_bool_tunable(0)) return -1; }
                         ;
+tunable_def		: TUNABLE identifier bool_val ';'
+			{ if (define_bool_tunable(1)) return -1; }
+			;
 bool_val                : CTRUE
  			{ if (insert_id("T",0)) return -1; }
                         | CFALSE
@@ -820,6 +825,7 @@ require_decl_def        : ROLE        { $$ = require_role; }
                         | ATTRIBUTE_ROLE   { $$ = require_attribute_role; }
                         | USER        { $$ = require_user; }
                         | BOOL        { $$ = require_bool; }
+			| TUNABLE     { $$ = require_tunable; }
                         | SENSITIVITY { $$ = require_sens; }
                         | CATEGORY    { $$ = require_cat; }
                         ;
diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
index ed27bbe..a61e0db 100644
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@@ -92,6 +92,8 @@ TYPE |
 type				{ return(TYPE); }
 BOOL |
 bool                            { return(BOOL); }
+TUNABLE |
+tunable				{ return(TUNABLE); }
 IF |
 if				{ return(IF); }
 ELSE |
diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index 1482387..efdedb0 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -160,6 +160,7 @@ cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
 		for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
 			new_node->bool_ids[i] = node->bool_ids[i];
 		new_node->expr_pre_comp = node->expr_pre_comp;
+		new_node->flags = node->flags;
 	}
 
 	return new_node;
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v1 PATCH 3/7] Write and read TUNABLE flags in related data structures.

[Harry Ciao]

All flags in cond_bool_datum_t and cond_node_t structures are
written/read for policy modules which version is no less than
MOD_POLICYDB_VERSION_TUNABLE_SEP.

Note, for cond_node_t the TUNABLE flag bit would be used only at expand,
however, it won't hurt to read/write this field for modules(potentially
for future usage).

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/conditional.c |   21 +++++++++++++++++++--
 libsepol/src/write.c       |   18 ++++++++++++++++++
 2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index efdedb0..d9d4fee 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -564,8 +564,8 @@ static int bool_isvalid(cond_bool_datum_t * b)
 	return 1;
 }
 
-int cond_read_bool(policydb_t * p
-		   __attribute__ ((unused)), hashtab_t h,
+int cond_read_bool(policydb_t * p,
+		   hashtab_t h,
 		   struct policy_file *fp)
 {
 	char *key = 0;
@@ -597,6 +597,15 @@ int cond_read_bool(policydb_t * p
 	if (rc < 0)
 		goto err;
 	key[len] = 0;
+
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
+		rc = next_entry(buf, fp, sizeof(uint32_t));
+		if (rc < 0)
+			goto err;
+		booldatum->flags = le32_to_cpu(buf[0]);
+	}
+
 	if (hashtab_insert(h, key, booldatum))
 		goto err;
 
@@ -810,6 +819,14 @@ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
 		if (avrule_read_list(p, &node->avfalse_list, fp))
 			goto err;
 	}
+	
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
+		rc = next_entry(buf, fp, sizeof(uint32_t));
+		if (rc < 0)
+			goto err;
+		node->flags = le32_to_cpu(buf[0]);
+	}
 
 	return 0;
       err:
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 290e036..4284c93 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -607,6 +607,7 @@ static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 	unsigned int items, items2;
 	struct policy_data *pd = ptr;
 	struct policy_file *fp = pd->fp;
+	struct policydb *p = pd->p;
 
 	booldatum = (cond_bool_datum_t *) datum;
 
@@ -621,6 +622,15 @@ static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
 	items = put_entry(key, 1, len, fp);
 	if (items != len)
 		return POLICYDB_ERROR;
+
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
+		buf[0] = cpu_to_le32(booldatum->flags);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
+			return POLICYDB_ERROR;
+	}
+
 	return POLICYDB_SUCCESS;
 }
 
@@ -727,6 +737,14 @@ static int cond_write_node(policydb_t * p,
 			return POLICYDB_ERROR;
 	}
 
+	if (p->policy_type != POLICY_KERN &&
+	    p->policyvers >= MOD_POLICYDB_VERSION_TUNABLE_SEP) {	
+		buf[0] = cpu_to_le32(node->flags);
+		items = put_entry(buf, sizeof(uint32_t), 1, fp);
+		if (items != 1)
+			return POLICYDB_ERROR;
+	}
+
 	return POLICYDB_SUCCESS;
 }
 
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v1 PATCH 3/7] Write and read TUNABLE flags in related data structures.

[Harry Ciao]

Please ignore this patch, I would re-send it with 0/7 patch for extra 
comments for the v1 patchset.

Sorry for any inconvenience!

Thanks,
Harry

On 08/29/2011 03:53 PM, Harry Ciao wrote:
> All flags in cond_bool_datum_t and cond_node_t structures are
> written/read for policy modules which version is no less than
> MOD_POLICYDB_VERSION_TUNABLE_SEP.
>
> Note, for cond_node_t the TUNABLE flag bit would be used only at expand,
> however, it won't hurt to read/write this field for modules(potentially
> for future usage).
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   libsepol/src/conditional.c |   21 +++++++++++++++++++--
>   libsepol/src/write.c       |   18 ++++++++++++++++++
>   2 files changed, 37 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
> index efdedb0..d9d4fee 100644
> --- a/libsepol/src/conditional.c
> +++ b/libsepol/src/conditional.c
> @@ -564,8 +564,8 @@ static int bool_isvalid(cond_bool_datum_t * b)
>   	return 1;
>   }
>
> -int cond_read_bool(policydb_t * p
> -		   __attribute__ ((unused)), hashtab_t h,
> +int cond_read_bool(policydb_t * p,
> +		   hashtab_t h,
>   		   struct policy_file *fp)
>   {
>   	char *key = 0;
> @@ -597,6 +597,15 @@ int cond_read_bool(policydb_t * p
>   	if (rc<  0)
>   		goto err;
>   	key[len] = 0;
> +
> +	if (p->policy_type != POLICY_KERN&&
> +	    p->policyvers>= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
> +		rc = next_entry(buf, fp, sizeof(uint32_t));
> +		if (rc<  0)
> +			goto err;
> +		booldatum->flags = le32_to_cpu(buf[0]);
> +	}
> +
>   	if (hashtab_insert(h, key, booldatum))
>   		goto err;
>
> @@ -810,6 +819,14 @@ static int cond_read_node(policydb_t * p, cond_node_t * node, void *fp)
>   		if (avrule_read_list(p,&node->avfalse_list, fp))
>   			goto err;
>   	}
> +	
> +	if (p->policy_type != POLICY_KERN&&
> +	    p->policyvers>= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
> +		rc = next_entry(buf, fp, sizeof(uint32_t));
> +		if (rc<  0)
> +			goto err;
> +		node->flags = le32_to_cpu(buf[0]);
> +	}
>
>   	return 0;
>         err:
> diff --git a/libsepol/src/write.c b/libsepol/src/write.c
> index 290e036..4284c93 100644
> --- a/libsepol/src/write.c
> +++ b/libsepol/src/write.c
> @@ -607,6 +607,7 @@ static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
>   	unsigned int items, items2;
>   	struct policy_data *pd = ptr;
>   	struct policy_file *fp = pd->fp;
> +	struct policydb *p = pd->p;
>
>   	booldatum = (cond_bool_datum_t *) datum;
>
> @@ -621,6 +622,15 @@ static int cond_write_bool(hashtab_key_t key, hashtab_datum_t datum, void *ptr)
>   	items = put_entry(key, 1, len, fp);
>   	if (items != len)
>   		return POLICYDB_ERROR;
> +
> +	if (p->policy_type != POLICY_KERN&&
> +	    p->policyvers>= MOD_POLICYDB_VERSION_TUNABLE_SEP) {
> +		buf[0] = cpu_to_le32(booldatum->flags);
> +		items = put_entry(buf, sizeof(uint32_t), 1, fp);
> +		if (items != 1)
> +			return POLICYDB_ERROR;
> +	}
> +
>   	return POLICYDB_SUCCESS;
>   }
>
> @@ -727,6 +737,14 @@ static int cond_write_node(policydb_t * p,
>   			return POLICYDB_ERROR;
>   	}
>
> +	if (p->policy_type != POLICY_KERN&&
> +	    p->policyvers>= MOD_POLICYDB_VERSION_TUNABLE_SEP) {	
> +		buf[0] = cpu_to_le32(node->flags);
> +		items = put_entry(buf, sizeof(uint32_t), 1, fp);
> +		if (items != 1)
> +			return POLICYDB_ERROR;
> +	}
> +
>   	return POLICYDB_SUCCESS;
>   }
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v1 PATCH 4/7] Copy and check the cond_bool_datum_t.flags during link.

[Harry Ciao]

Copy the TUNABLE flag for cond_bool_datum_t during link, and check
if there is a mismatch between boolean/tunable declaration and
usage among modules. If this is the case, bail out with errors.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/link.c |   20 +++++++++++++++++---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 421c47b..ee9675b 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -587,7 +587,18 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 		}
 		state->base->p_bools.nprim++;
 		base_bool = new_bool;
-
+		base_bool->flags = booldatum->flags;
+	} else if ((booldatum->flags & COND_BOOL_FLAGS_TUNABLE) !=
+		   (base_bool->flags & COND_BOOL_FLAGS_TUNABLE)) {
+			/* A mismatch between boolean/tunable declaration
+			 * and usage(for example a boolean used in the
+			 * tunable_policy() or vice versa).
+			 *
+			 * This is not allowed and bail out with errors */
+			ERR(state->handle,
+			    "%s: Mismatch between boolean/tunable definition "
+			    "and usage for %s", state->cur_mod_name, id);
+			return -1;
 	}
 
 	/* Get the scope info for this boolean to see if this is the declaration, 
@@ -595,9 +606,12 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	scope = hashtab_search(state->cur->policy->p_bools_scope.table, id);
 	if (!scope)
 		return SEPOL_ERR;
-	if (scope->scope == SCOPE_DECL)  
+	if (scope->scope == SCOPE_DECL) {
 		base_bool->state = booldatum->state;
-
+		/* Only the declaration rather than requirement
+		 * decides if it is a boolean or tunable. */
+		base_bool->flags = booldatum->flags;
+	}
 	state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value;
 	return 0;
 
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v1 PATCH 4/7] Copy and check the cond_bool_datum_t.flags during link.

[Harry Ciao]

Please ignore this patch, I would re-send it with 0/7 patch for extra 
comments for the v1 patchset.

Sorry for any inconvenience!

Thanks,
Harry

On 08/29/2011 03:53 PM, Harry Ciao wrote:
> Copy the TUNABLE flag for cond_bool_datum_t during link, and check
> if there is a mismatch between boolean/tunable declaration and
> usage among modules. If this is the case, bail out with errors.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   libsepol/src/link.c |   20 +++++++++++++++++---
>   1 files changed, 17 insertions(+), 3 deletions(-)
>
> diff --git a/libsepol/src/link.c b/libsepol/src/link.c
> index 421c47b..ee9675b 100644
> --- a/libsepol/src/link.c
> +++ b/libsepol/src/link.c
> @@ -587,7 +587,18 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
>   		}
>   		state->base->p_bools.nprim++;
>   		base_bool = new_bool;
> -
> +		base_bool->flags = booldatum->flags;
> +	} else if ((booldatum->flags&  COND_BOOL_FLAGS_TUNABLE) !=
> +		   (base_bool->flags&  COND_BOOL_FLAGS_TUNABLE)) {
> +			/* A mismatch between boolean/tunable declaration
> +			 * and usage(for example a boolean used in the
> +			 * tunable_policy() or vice versa).
> +			 *
> +			 * This is not allowed and bail out with errors */
> +			ERR(state->handle,
> +			    "%s: Mismatch between boolean/tunable definition "
> +			    "and usage for %s", state->cur_mod_name, id);
> +			return -1;
>   	}
>
>   	/* Get the scope info for this boolean to see if this is the declaration,
> @@ -595,9 +606,12 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
>   	scope = hashtab_search(state->cur->policy->p_bools_scope.table, id);
>   	if (!scope)
>   		return SEPOL_ERR;
> -	if (scope->scope == SCOPE_DECL)
> +	if (scope->scope == SCOPE_DECL) {
>   		base_bool->state = booldatum->state;
> -
> +		/* Only the declaration rather than requirement
> +		 * decides if it is a boolean or tunable. */
> +		base_bool->flags = booldatum->flags;
> +	}
>   	state->cur->map[SYM_BOOLS][booldatum->s.value - 1] = base_bool->s.value;
>   	return 0;
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH 5/7] Permanently discard disabled branches of tunables in expansion.

[Harry Ciao]

For a cond_node_t in one decl->cond_list queue, append its
avtrue_list or avfalse_list to the avrules list of its home decl
depending on its state value, so that these effective rules would
be permanently added to te_avtab hashtab.

On the other hand, the rules on the disabled unused list won't be
expanded and written to the raw policy at all.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/expand.c |   98 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 98 insertions(+), 0 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 06f11f4..be41243 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2665,6 +2665,94 @@ int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
 	return copy_and_expand_avrule_block(&state);
 }
 
+static void discard_tunables(policydb_t *pol)
+{
+	avrule_block_t *block;
+	avrule_decl_t *decl;
+	cond_node_t *cur_node;
+	cond_expr_t *cur_expr;
+	int cur_state;
+	avrule_t *tail, *to_be_appended;
+
+	/* Iterate through all cond_node of all enabled decls, if a cond_node
+	 * is about tunable, caculate its state value and concatenate one of
+	 * its avrule list to the current decl->avrules list.
+	 *
+	 * Note, such tunable cond_node would be skipped over in expansion,
+	 * so we won't have to worry about removing it from decl->cond_list
+	 * here :-)
+	 *
+	 * If tunables and booleans co-exist in the expression of a cond_node,
+	 * then tunables would be "transformed" as booleans.
+	 */
+	for (block = pol->global; block != NULL; block = block->next) {
+		decl = block->enabled;
+		if (decl == NULL || decl->enabled == 0)
+			continue;
+
+		tail = decl->avrules;
+		while (tail && tail->next)
+			tail = tail->next;
+
+		for (cur_node = decl->cond_list; cur_node != NULL;
+		     cur_node = cur_node->next) {
+			int booleans, tunables;
+			cond_bool_datum_t *booldatum;
+
+			booleans = tunables = 0;
+
+			for (cur_expr = cur_node->expr; cur_expr != NULL;
+			     cur_expr = cur_expr->next) {
+				if (cur_expr->expr_type != COND_BOOL)
+					continue;
+				booldatum = pol->bool_val_to_struct[cur_expr->bool - 1];
+				if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE)
+					tunables++;
+				else
+					booleans++;
+			}
+
+			/* bool_copy_callback() at link phase has ensured
+			 * that no mixture of tunables and booleans in one
+			 * expression. */
+			assert(!(booleans && tunables));
+
+			if (booleans) {
+				cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
+			} else {
+				cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
+				cur_state = cond_evaluate_expr(pol, cur_node->expr);
+				if (cur_state == -1) {
+					printf("Expression result was "
+					       "undefined, skipping all"
+					       "rules\n");
+					continue;
+				}
+
+				to_be_appended = (cur_state == 1) ?
+					cur_node->avtrue_list : cur_node->avfalse_list;
+
+				if (tail)
+					tail->next = to_be_appended;
+				else
+					tail = decl->avrules = to_be_appended;
+
+				/* Now that the effective branch has been
+				 * appended, neutralize its original pointer */
+				if (cur_state == 1)
+					cur_node->avtrue_list = NULL;
+				else
+					cur_node->avfalse_list = NULL;
+
+				/* Update the tail of decl->avrules for
+				 * further concatenation */
+				while (tail && tail->next)
+					tail = tail->next;
+			}
+		}
+	}
+}
+
 /* Linking should always be done before calling expand, even if
  * there is only a base since all optionals are dealt with at link time
  * the base passed in should be indexed and avrule blocks should be 
@@ -2678,6 +2766,16 @@ int expand_module(sepol_handle_t * handle,
 	expand_state_t state;
 	avrule_block_t *curblock;
 
+	/* Append tunable's avtrue_list or avfalse_list to the avrules list
+	 * of its home decl depending on its state value, so that the effect
+	 * rules of a tunable would be added to te_avtab permanently. Whereas
+	 * the disabled unused branch would be discarded.
+	 *
+	 * Originally this function is called at the very end of link phase,
+	 * however, we need to keep the linked policy intact for analysis
+	 * purpose. */
+	discard_tunables(base);
+
 	expand_state_init(&state);
 
 	state.verbose = verbose;
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH 5/7] Permanently discard disabled branches of tunables in expansion.

[Harry Ciao]

Please ignore this patch, I would re-send it with 0/7 patch for extra 
comments for the v1 patchset.

Sorry for any inconvenience!

Thanks,
Harry

On 08/29/2011 03:53 PM, Harry Ciao wrote:
> For a cond_node_t in one decl->cond_list queue, append its
> avtrue_list or avfalse_list to the avrules list of its home decl
> depending on its state value, so that these effective rules would
> be permanently added to te_avtab hashtab.
>
> On the other hand, the rules on the disabled unused list won't be
> expanded and written to the raw policy at all.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   libsepol/src/expand.c |   98 +++++++++++++++++++++++++++++++++++++++++++++++++
>   1 files changed, 98 insertions(+), 0 deletions(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index 06f11f4..be41243 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2665,6 +2665,94 @@ int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
>   	return copy_and_expand_avrule_block(&state);
>   }
>
> +static void discard_tunables(policydb_t *pol)
> +{
> +	avrule_block_t *block;
> +	avrule_decl_t *decl;
> +	cond_node_t *cur_node;
> +	cond_expr_t *cur_expr;
> +	int cur_state;
> +	avrule_t *tail, *to_be_appended;
> +
> +	/* Iterate through all cond_node of all enabled decls, if a cond_node
> +	 * is about tunable, caculate its state value and concatenate one of
> +	 * its avrule list to the current decl->avrules list.
> +	 *
> +	 * Note, such tunable cond_node would be skipped over in expansion,
> +	 * so we won't have to worry about removing it from decl->cond_list
> +	 * here :-)
> +	 *
> +	 * If tunables and booleans co-exist in the expression of a cond_node,
> +	 * then tunables would be "transformed" as booleans.
> +	 */
> +	for (block = pol->global; block != NULL; block = block->next) {
> +		decl = block->enabled;
> +		if (decl == NULL || decl->enabled == 0)
> +			continue;
> +
> +		tail = decl->avrules;
> +		while (tail&&  tail->next)
> +			tail = tail->next;
> +
> +		for (cur_node = decl->cond_list; cur_node != NULL;
> +		     cur_node = cur_node->next) {
> +			int booleans, tunables;
> +			cond_bool_datum_t *booldatum;
> +
> +			booleans = tunables = 0;
> +
> +			for (cur_expr = cur_node->expr; cur_expr != NULL;
> +			     cur_expr = cur_expr->next) {
> +				if (cur_expr->expr_type != COND_BOOL)
> +					continue;
> +				booldatum = pol->bool_val_to_struct[cur_expr->bool - 1];
> +				if (booldatum->flags&  COND_BOOL_FLAGS_TUNABLE)
> +					tunables++;
> +				else
> +					booleans++;
> +			}
> +
> +			/* bool_copy_callback() at link phase has ensured
> +			 * that no mixture of tunables and booleans in one
> +			 * expression. */
> +			assert(!(booleans&&  tunables));
> +
> +			if (booleans) {
> +				cur_node->flags&= ~COND_NODE_FLAGS_TUNABLE;
> +			} else {
> +				cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
> +				cur_state = cond_evaluate_expr(pol, cur_node->expr);
> +				if (cur_state == -1) {
> +					printf("Expression result was "
> +					       "undefined, skipping all"
> +					       "rules\n");
> +					continue;
> +				}
> +
> +				to_be_appended = (cur_state == 1) ?
> +					cur_node->avtrue_list : cur_node->avfalse_list;
> +
> +				if (tail)
> +					tail->next = to_be_appended;
> +				else
> +					tail = decl->avrules = to_be_appended;
> +
> +				/* Now that the effective branch has been
> +				 * appended, neutralize its original pointer */
> +				if (cur_state == 1)
> +					cur_node->avtrue_list = NULL;
> +				else
> +					cur_node->avfalse_list = NULL;
> +
> +				/* Update the tail of decl->avrules for
> +				 * further concatenation */
> +				while (tail&&  tail->next)
> +					tail = tail->next;
> +			}
> +		}
> +	}
> +}
> +
>   /* Linking should always be done before calling expand, even if
>    * there is only a base since all optionals are dealt with at link time
>    * the base passed in should be indexed and avrule blocks should be
> @@ -2678,6 +2766,16 @@ int expand_module(sepol_handle_t * handle,
>   	expand_state_t state;
>   	avrule_block_t *curblock;
>
> +	/* Append tunable's avtrue_list or avfalse_list to the avrules list
> +	 * of its home decl depending on its state value, so that the effect
> +	 * rules of a tunable would be added to te_avtab permanently. Whereas
> +	 * the disabled unused branch would be discarded.
> +	 *
> +	 * Originally this function is called at the very end of link phase,
> +	 * however, we need to keep the linked policy intact for analysis
> +	 * purpose. */
> +	discard_tunables(base);
> +
>   	expand_state_init(&state);
>
>   	state.verbose = verbose;

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v1 PATCH 6/7] Skip tunable identifier and cond_node_t in expansion.

[Harry Ciao]

The effective branch of a tunable has been appended to its home
decl->avrules list during link, in expansion we should just skip tunables
from expanding their rules into te_cond_avtab hashtab and adding to the
out->cond_list queue.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/expand.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index be41243..d5f10a6 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1014,6 +1014,11 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 		return 0;
 	}
 
+	if (bool->flags & COND_BOOL_FLAGS_TUNABLE) {
+		/* Skip tunables */
+		return 0;
+	}
+
 	if (state->verbose)
 		INFO(state->handle, "copying boolean %s", id);
 
@@ -1046,6 +1051,7 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	state->boolmap[bool->s.value - 1] = new_bool->s.value;
 
 	new_bool->state = bool->state;
+	new_bool->flags = bool->flags;
 
 	return 0;
 }
@@ -1940,6 +1946,13 @@ static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
 	if (cond_node_copy(state, cn->next)) {
 		return -1;
 	}
+	
+	/* If current cond_node_t is of tunable, its effective branch
+	 * has been appended to its home decl->avrules list during link
+	 * and now we should just skip it. */
+	if (cn->flags & COND_NODE_FLAGS_TUNABLE)
+		return 0;
+
 	if (cond_normalize_expr(state->base, cn)) {
 		ERR(state->handle, "Error while normalizing conditional");
 		return -1;
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v1 PATCH 6/7] Skip tunable identifier and cond_node_t in expansion.

[Harry Ciao]

Please ignore this patch, I would re-send it with 0/7 patch for extra 
comments for the v1 patchset.

Sorry for any inconvenience!

Thanks,
Harry

On 08/29/2011 03:53 PM, Harry Ciao wrote:
> The effective branch of a tunable has been appended to its home
> decl->avrules list during link, in expansion we should just skip tunables
> from expanding their rules into te_cond_avtab hashtab and adding to the
> out->cond_list queue.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   libsepol/src/expand.c |   13 +++++++++++++
>   1 files changed, 13 insertions(+), 0 deletions(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index be41243..d5f10a6 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -1014,6 +1014,11 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
>   		return 0;
>   	}
>
> +	if (bool->flags&  COND_BOOL_FLAGS_TUNABLE) {
> +		/* Skip tunables */
> +		return 0;
> +	}
> +
>   	if (state->verbose)
>   		INFO(state->handle, "copying boolean %s", id);
>
> @@ -1046,6 +1051,7 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
>   	state->boolmap[bool->s.value - 1] = new_bool->s.value;
>
>   	new_bool->state = bool->state;
> +	new_bool->flags = bool->flags;
>
>   	return 0;
>   }
> @@ -1940,6 +1946,13 @@ static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
>   	if (cond_node_copy(state, cn->next)) {
>   		return -1;
>   	}
> +	
> +	/* If current cond_node_t is of tunable, its effective branch
> +	 * has been appended to its home decl->avrules list during link
> +	 * and now we should just skip it. */
> +	if (cn->flags&  COND_NODE_FLAGS_TUNABLE)
> +		return 0;
> +
>   	if (cond_normalize_expr(state->base, cn)) {
>   		ERR(state->handle, "Error while normalizing conditional");
>   		return -1;

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v1 PATCH 7/7] Create a new preserve_tunables flag in sepol_handle_t.

[Harry Ciao]

By default only the effective branch of a tunable conditional would be
expanded and written to raw policy, while all needless unused branches
would be discarded.

Add a new option '-P' or "--preserve_tunables" to the semodule program.
By default it is 0, if set to 1 then the above preserve_tunables flag
in the sepol_handle_t would be set to 1 accordingly, then all branches
of any tunable conditionals would be preserved, resulting in tunables
treated exactly like normal booleans. This would be good for debug
purpose.

Note, this option would invalidate the logic to double check if there
is any mixture of tunables and booleans in discard_tunables().

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsemanage/include/semanage/handle.h |    6 +++++
 libsemanage/src/direct_api.c          |   36 ++++++++++++++++++++++++++++++++-
 libsemanage/src/handle.c              |   13 +++++++++++
 libsemanage/src/libsemanage.map       |    1 +
 libsemanage/src/semanage_store.c      |    1 +
 libsemanage/src/semanage_store.h      |    1 +
 libsepol/include/sepol/handle.h       |    7 ++++++
 libsepol/src/expand.c                 |   36 ++++++++++++++++++++++-----------
 libsepol/src/handle.c                 |   15 +++++++++++++
 libsepol/src/handle.h                 |    2 +-
 libsepol/src/libsepol.map             |    1 +
 policycoreutils/semodule/semodule.c   |   10 ++++++++-
 12 files changed, 114 insertions(+), 15 deletions(-)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index e303713..c746930 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -129,6 +129,12 @@ int semanage_mls_enabled(semanage_handle_t *sh);
 /* Change to alternate selinux root path */
 int semanage_set_root(const char *path);
 
+/* Get whether or not needless unused branch of tunables would be preserved */
+int semanage_get_preserve_tunables(semanage_handle_t * handle);
+
+/* Set whether or not to preserve the needless unused branch of tunables */
+void semanage_set_preserve_tunables(semanage_handle_t * handle, int preserve_tunables);
+
 /* META NOTES
  *
  * For all functions a non-negative number indicates success. For some
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index aac1974..481d8e6 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -236,6 +236,13 @@ int semanage_direct_connect(semanage_handle_t * sh)
 	else
 		sepol_set_disable_dontaudit(sh->sepolh, 0);
 
+	/* set the preserve tunables value */
+	path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_PRESERVE_TUNABLES);
+	if (access(path, F_OK) == 0)
+		sepol_set_preserve_tunables(sh->sepolh, 1);
+	else
+		sepol_set_preserve_tunables(sh->sepolh, 0);
+
 	return STATUS_SUCCESS;
 
       err:
@@ -695,7 +702,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 
 	/* Declare some variables */
 	int modified = 0, fcontexts_modified, ports_modified,
-	    seusers_modified, users_extra_modified, dontaudit_modified;
+	    seusers_modified, users_extra_modified, dontaudit_modified,
+	    preserve_tunables_modified;
 	dbase_config_t *users = semanage_user_dbase_local(sh);
 	dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
 	dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
@@ -737,6 +745,31 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 		}
 	}
 
+	/* Create or remove the preserve_tunables flag file. */
+	path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
+	if (access(path, F_OK) == 0)
+		preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1);
+	else
+		preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1);
+	if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
+		FILE *touch;
+		touch = fopen(path, "w");
+		if (touch != NULL) {
+			if (fclose(touch) != 0) {
+				ERR(sh, "Error attempting to create preserve_tunable flag.");
+				goto cleanup;
+			}
+		} else {
+			ERR(sh, "Error attempting to create preserve_tunable flag.");
+			goto cleanup;
+		}
+	} else {
+		if (remove(path) == -1 && errno != ENOENT) {
+			ERR(sh, "Error removing the preserve_tunables flag.");
+			goto cleanup;
+		}
+	}
+
 	/* Before we do anything else, flush the join to its component parts.
 	 * This *does not* flush to disk automatically */
 	if (users->dtable->is_modified(users->dbase)) {
@@ -759,6 +792,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
 	modified |= nodes->dtable->is_modified(nodes->dbase);
 	modified |= dontaudit_modified;
+	modified |= preserve_tunables_modified;
 
 	/* If there were policy changes, or explicitly requested, rebuild the policy */
 	if (sh->do_rebuild || modified) {
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index 647f0ee..7adc1cc 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -261,6 +261,19 @@ void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudi
 	return;
 }
 
+int semanage_get_preserve_tunables(semanage_handle_t * sh)
+{
+	assert(sh != NULL);
+	return sepol_get_preserve_tunables(sh->sepolh);
+}
+
+void semanage_set_preserve_tunables(semanage_handle_t * sh,
+				    int preserve_tunables)
+{
+	assert(sh != NULL);
+	sepol_set_preserve_tunables(sh->sepolh, preserve_tunables);
+}
+
 void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts)
 {
 
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index 3222e3d..2827abe 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -22,5 +22,6 @@ LIBSEMANAGE_1.0 {
 	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
 	  semanage_mls_enabled;
 	  semanage_set_check_contexts;
+	  semanage_get_preserve_tunables; semanage_set_preserve_tunables;
   local: *;
 };
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 8d6ff1c..e5f8234 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -117,6 +117,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
 	"/netfilter_contexts",
 	"/file_contexts.homedirs",
 	"/disable_dontaudit",
+	"/preserve_tunables",
 };
 
 /* A node used in a linked list of file contexts; used for sorting.
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
index a0b2dd8..eaae05e 100644
--- a/libsemanage/src/semanage_store.h
+++ b/libsemanage/src/semanage_store.h
@@ -59,6 +59,7 @@ enum semanage_sandbox_defs {
 	SEMANAGE_NC,
 	SEMANAGE_FC_HOMEDIRS,
 	SEMANAGE_DISABLE_DONTAUDIT,
+	SEMANAGE_PRESERVE_TUNABLES,
 	SEMANAGE_STORE_NUM_PATHS
 };
 
diff --git a/libsepol/include/sepol/handle.h b/libsepol/include/sepol/handle.h
index 19be326..115bda1 100644
--- a/libsepol/include/sepol/handle.h
+++ b/libsepol/include/sepol/handle.h
@@ -24,4 +24,11 @@ void sepol_set_expand_consume_base(sepol_handle_t * sh, int consume_base);
 /* Destroy a sepol handle. */
 void sepol_handle_destroy(sepol_handle_t *);
 
+/* Get whether or not needless unused branch of tunables would be preserved */
+int sepol_get_preserve_tunables(sepol_handle_t * sh);
+
+/* Set whether or not to preserve the needless unused branch of tunables,
+ * 0 is default and discard such branch, 1 preserves them */
+void sepol_set_preserve_tunables(sepol_handle_t * sh, int preserve_tunables);
+
 #endif
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index d5f10a6..d67b84c 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -2678,25 +2678,29 @@ int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
 	return copy_and_expand_avrule_block(&state);
 }
 
-static void discard_tunables(policydb_t *pol)
+static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
 {
 	avrule_block_t *block;
 	avrule_decl_t *decl;
 	cond_node_t *cur_node;
 	cond_expr_t *cur_expr;
-	int cur_state;
+	int cur_state, preserve_tunables = 0;
 	avrule_t *tail, *to_be_appended;
 
+	if (sh && sh->preserve_tunables)
+		preserve_tunables = 1;
+
 	/* Iterate through all cond_node of all enabled decls, if a cond_node
-	 * is about tunable, caculate its state value and concatenate one of
-	 * its avrule list to the current decl->avrules list.
+	 * is about tunable, calculate its state value and concatenate one of
+	 * its avrule list to the current decl->avrules list. On the other
+	 * hand, the disabled unused branch of a tunable would be discarded.
 	 *
 	 * Note, such tunable cond_node would be skipped over in expansion,
 	 * so we won't have to worry about removing it from decl->cond_list
 	 * here :-)
 	 *
-	 * If tunables and booleans co-exist in the expression of a cond_node,
-	 * then tunables would be "transformed" as booleans.
+	 * If tunables are requested to be preserved then they would be
+	 * "transformed" as booleans by having their TUNABLE flag cleared.
 	 */
 	for (block = pol->global; block != NULL; block = block->next) {
 		decl = block->enabled;
@@ -2709,10 +2713,12 @@ static void discard_tunables(policydb_t *pol)
 
 		for (cur_node = decl->cond_list; cur_node != NULL;
 		     cur_node = cur_node->next) {
-			int booleans, tunables;
+			int booleans, tunables, i;
 			cond_bool_datum_t *booldatum;
+			cond_bool_datum_t *tmp[COND_EXPR_MAXDEPTH];
 
 			booleans = tunables = 0;
+			memset(tmp, 0, sizeof(cond_bool_datum_t *) * COND_EXPR_MAXDEPTH);
 
 			for (cur_expr = cur_node->expr; cur_expr != NULL;
 			     cur_expr = cur_expr->next) {
@@ -2720,18 +2726,24 @@ static void discard_tunables(policydb_t *pol)
 					continue;
 				booldatum = pol->bool_val_to_struct[cur_expr->bool - 1];
 				if (booldatum->flags & COND_BOOL_FLAGS_TUNABLE)
-					tunables++;
+					tmp[tunables++] = booldatum;
 				else
 					booleans++;
 			}
 
 			/* bool_copy_callback() at link phase has ensured
 			 * that no mixture of tunables and booleans in one
-			 * expression. */
-			assert(!(booleans && tunables));
+			 * expression. However, this would be broken by the
+			 * request to preserve tunables */
+			if (!preserve_tunables)
+				assert(!(booleans && tunables));
 
-			if (booleans) {
+			if (booleans || preserve_tunables) {
 				cur_node->flags &= ~COND_NODE_FLAGS_TUNABLE;
+				if (tunables) {
+					for (i = 0; i < tunables; i++)
+						tmp[i]->flags &= ~COND_BOOL_FLAGS_TUNABLE;
+				}
 			} else {
 				cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
 				cur_state = cond_evaluate_expr(pol, cur_node->expr);
@@ -2787,7 +2799,7 @@ int expand_module(sepol_handle_t * handle,
 	 * Originally this function is called at the very end of link phase,
 	 * however, we need to keep the linked policy intact for analysis
 	 * purpose. */
-	discard_tunables(base);
+	discard_tunables(handle, base);
 
 	expand_state_init(&state);
 
diff --git a/libsepol/src/handle.c b/libsepol/src/handle.c
index 191ac57..2e9a4ad 100644
--- a/libsepol/src/handle.c
+++ b/libsepol/src/handle.c
@@ -18,9 +18,24 @@ sepol_handle_t *sepol_handle_create(void)
 	sh->disable_dontaudit = 0;
 	sh->expand_consume_base = 0;
 
+	/* by default needless unused branch of tunables would be discarded  */
+	sh->preserve_tunables = 0;
+
 	return sh;
 }
 
+int sepol_get_preserve_tunables(sepol_handle_t *sh)
+{
+	assert(sh != NULL);
+	return sh->preserve_tunables;
+}
+
+void sepol_set_preserve_tunables(sepol_handle_t * sh, int preserve_tunables)
+{
+	assert(sh !=NULL);
+	sh->preserve_tunables = preserve_tunables;
+}
+
 int sepol_get_disable_dontaudit(sepol_handle_t *sh)
 {
 	assert(sh !=NULL);
diff --git a/libsepol/src/handle.h b/libsepol/src/handle.h
index 254fbd8..7728d04 100644
--- a/libsepol/src/handle.h
+++ b/libsepol/src/handle.h
@@ -17,7 +17,7 @@ struct sepol_handle {
 
 	int disable_dontaudit;
 	int expand_consume_base;
-
+	int preserve_tunables;
 };
 
 #endif
diff --git a/libsepol/src/libsepol.map b/libsepol/src/libsepol.map
index 719e5b7..81e0d48 100644
--- a/libsepol/src/libsepol.map
+++ b/libsepol/src/libsepol.map
@@ -15,5 +15,6 @@
 	sepol_get_disable_dontaudit;
 	sepol_set_disable_dontaudit;
 	sepol_set_expand_consume_base;
+	sepol_get_preserve_tunables; sepol_set_preserve_tunables;
   local: *;
 };
diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
index 81d6a3c..5d662e7 100644
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@@ -45,6 +45,7 @@ static int no_reload;
 static int create_store;
 static int build;
 static int disable_dontaudit;
+static int preserve_tunables;
 
 static semanage_handle_t *sh = NULL;
 static char *store;
@@ -117,6 +118,7 @@ static void usage(char *progname)
 	printf("  -h,--help        print this message and quit\n");
 	printf("  -v,--verbose     be verbose\n");
 	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
+	printf("  -P,--preserve_tunables	Preserve tunables in policy\n");
 }
 
 /* Sets the global mode variable to new_mode, but only if no other
@@ -162,6 +164,7 @@ static void parse_command_line(int argc, char **argv)
 		{"noreload", 0, NULL, 'n'},
 		{"build", 0, NULL, 'B'},
 		{"disable_dontaudit", 0, NULL, 'D'},
+		{"preserve_tunables", 0, NULL, 'P'},
 		{"path", required_argument, NULL, 'p'},
 		{NULL, 0, NULL, 0}
 	};
@@ -171,7 +174,7 @@ static void parse_command_line(int argc, char **argv)
 	no_reload = 0;
 	create_store = 0;
 	while ((i =
-		getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBD", opts,
+		getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBDP", opts,
 			    NULL)) != -1) {
 		switch (i) {
 		case 'b':
@@ -220,6 +223,9 @@ static void parse_command_line(int argc, char **argv)
 		case 'D':
 			disable_dontaudit = 1;
 			break;
+		case 'P':
+			preserve_tunables = 1;
+			break;
 		case '?':
 		default:{
 				usage(argv[0]);
@@ -466,6 +472,8 @@ int main(int argc, char *argv[])
 			semanage_set_disable_dontaudit(sh, 1);
 		else if (build)
 			semanage_set_disable_dontaudit(sh, 0);
+		if (preserve_tunables)
+			semanage_set_preserve_tunables(sh, 1);
 
 		result = semanage_commit(sh);
 	}
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v1 PATCH 7/7] Create a new preserve_tunables flag in sepol_handle_t.

[Harry Ciao]

Please ignore this patch, I would re-send it with 0/7 patch for extra 
comments for the v1 patchset.

Sorry for any inconvenience!

Thanks,
Harry

On 08/29/2011 03:53 PM, Harry Ciao wrote:
> By default only the effective branch of a tunable conditional would be
> expanded and written to raw policy, while all needless unused branches
> would be discarded.
>
> Add a new option '-P' or "--preserve_tunables" to the semodule program.
> By default it is 0, if set to 1 then the above preserve_tunables flag
> in the sepol_handle_t would be set to 1 accordingly, then all branches
> of any tunable conditionals would be preserved, resulting in tunables
> treated exactly like normal booleans. This would be good for debug
> purpose.
>
> Note, this option would invalidate the logic to double check if there
> is any mixture of tunables and booleans in discard_tunables().
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   libsemanage/include/semanage/handle.h |    6 +++++
>   libsemanage/src/direct_api.c          |   36 ++++++++++++++++++++++++++++++++-
>   libsemanage/src/handle.c              |   13 +++++++++++
>   libsemanage/src/libsemanage.map       |    1 +
>   libsemanage/src/semanage_store.c      |    1 +
>   libsemanage/src/semanage_store.h      |    1 +
>   libsepol/include/sepol/handle.h       |    7 ++++++
>   libsepol/src/expand.c                 |   36 ++++++++++++++++++++++-----------
>   libsepol/src/handle.c                 |   15 +++++++++++++
>   libsepol/src/handle.h                 |    2 +-
>   libsepol/src/libsepol.map             |    1 +
>   policycoreutils/semodule/semodule.c   |   10 ++++++++-
>   12 files changed, 114 insertions(+), 15 deletions(-)
>
> diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
> index e303713..c746930 100644
> --- a/libsemanage/include/semanage/handle.h
> +++ b/libsemanage/include/semanage/handle.h
> @@ -129,6 +129,12 @@ int semanage_mls_enabled(semanage_handle_t *sh);
>   /* Change to alternate selinux root path */
>   int semanage_set_root(const char *path);
>
> +/* Get whether or not needless unused branch of tunables would be preserved */
> +int semanage_get_preserve_tunables(semanage_handle_t * handle);
> +
> +/* Set whether or not to preserve the needless unused branch of tunables */
> +void semanage_set_preserve_tunables(semanage_handle_t * handle, int preserve_tunables);
> +
>   /* META NOTES
>    *
>    * For all functions a non-negative number indicates success. For some
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index aac1974..481d8e6 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -236,6 +236,13 @@ int semanage_direct_connect(semanage_handle_t * sh)
>   	else
>   		sepol_set_disable_dontaudit(sh->sepolh, 0);
>
> +	/* set the preserve tunables value */
> +	path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_PRESERVE_TUNABLES);
> +	if (access(path, F_OK) == 0)
> +		sepol_set_preserve_tunables(sh->sepolh, 1);
> +	else
> +		sepol_set_preserve_tunables(sh->sepolh, 0);
> +
>   	return STATUS_SUCCESS;
>
>         err:
> @@ -695,7 +702,8 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>
>   	/* Declare some variables */
>   	int modified = 0, fcontexts_modified, ports_modified,
> -	    seusers_modified, users_extra_modified, dontaudit_modified;
> +	    seusers_modified, users_extra_modified, dontaudit_modified,
> +	    preserve_tunables_modified;
>   	dbase_config_t *users = semanage_user_dbase_local(sh);
>   	dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
>   	dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
> @@ -737,6 +745,31 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>   		}
>   	}
>
> +	/* Create or remove the preserve_tunables flag file. */
> +	path = semanage_path(SEMANAGE_TMP, SEMANAGE_PRESERVE_TUNABLES);
> +	if (access(path, F_OK) == 0)
> +		preserve_tunables_modified = !(sepol_get_preserve_tunables(sh->sepolh) == 1);
> +	else
> +		preserve_tunables_modified = (sepol_get_preserve_tunables(sh->sepolh) == 1);
> +	if (sepol_get_preserve_tunables(sh->sepolh) == 1) {
> +		FILE *touch;
> +		touch = fopen(path, "w");
> +		if (touch != NULL) {
> +			if (fclose(touch) != 0) {
> +				ERR(sh, "Error attempting to create preserve_tunable flag.");
> +				goto cleanup;
> +			}
> +		} else {
> +			ERR(sh, "Error attempting to create preserve_tunable flag.");
> +			goto cleanup;
> +		}
> +	} else {
> +		if (remove(path) == -1&&  errno != ENOENT) {
> +			ERR(sh, "Error removing the preserve_tunables flag.");
> +			goto cleanup;
> +		}
> +	}
> +
>   	/* Before we do anything else, flush the join to its component parts.
>   	 * This *does not* flush to disk automatically */
>   	if (users->dtable->is_modified(users->dbase)) {
> @@ -759,6 +792,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
>   	modified |= ifaces->dtable->is_modified(ifaces->dbase);
>   	modified |= nodes->dtable->is_modified(nodes->dbase);
>   	modified |= dontaudit_modified;
> +	modified |= preserve_tunables_modified;
>
>   	/* If there were policy changes, or explicitly requested, rebuild the policy */
>   	if (sh->do_rebuild || modified) {
> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
> index 647f0ee..7adc1cc 100644
> --- a/libsemanage/src/handle.c
> +++ b/libsemanage/src/handle.c
> @@ -261,6 +261,19 @@ void semanage_set_disable_dontaudit(semanage_handle_t * sh, int disable_dontaudi
>   	return;
>   }
>
> +int semanage_get_preserve_tunables(semanage_handle_t * sh)
> +{
> +	assert(sh != NULL);
> +	return sepol_get_preserve_tunables(sh->sepolh);
> +}
> +
> +void semanage_set_preserve_tunables(semanage_handle_t * sh,
> +				    int preserve_tunables)
> +{
> +	assert(sh != NULL);
> +	sepol_set_preserve_tunables(sh->sepolh, preserve_tunables);
> +}
> +
>   void semanage_set_check_contexts(semanage_handle_t * sh, int do_check_contexts)
>   {
>
> diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
> index 3222e3d..2827abe 100644
> --- a/libsemanage/src/libsemanage.map
> +++ b/libsemanage/src/libsemanage.map
> @@ -22,5 +22,6 @@ LIBSEMANAGE_1.0 {
>   	  semanage_is_connected; semanage_get_disable_dontaudit; semanage_set_disable_dontaudit;
>   	  semanage_mls_enabled;
>   	  semanage_set_check_contexts;
> +	  semanage_get_preserve_tunables; semanage_set_preserve_tunables;
>     local: *;
>   };
> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> index 8d6ff1c..e5f8234 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -117,6 +117,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
>   	"/netfilter_contexts",
>   	"/file_contexts.homedirs",
>   	"/disable_dontaudit",
> +	"/preserve_tunables",
>   };
>
>   /* A node used in a linked list of file contexts; used for sorting.
> diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
> index a0b2dd8..eaae05e 100644
> --- a/libsemanage/src/semanage_store.h
> +++ b/libsemanage/src/semanage_store.h
> @@ -59,6 +59,7 @@ enum semanage_sandbox_defs {
>   	SEMANAGE_NC,
>   	SEMANAGE_FC_HOMEDIRS,
>   	SEMANAGE_DISABLE_DONTAUDIT,
> +	SEMANAGE_PRESERVE_TUNABLES,
>   	SEMANAGE_STORE_NUM_PATHS
>   };
>
> diff --git a/libsepol/include/sepol/handle.h b/libsepol/include/sepol/handle.h
> index 19be326..115bda1 100644
> --- a/libsepol/include/sepol/handle.h
> +++ b/libsepol/include/sepol/handle.h
> @@ -24,4 +24,11 @@ void sepol_set_expand_consume_base(sepol_handle_t * sh, int consume_base);
>   /* Destroy a sepol handle. */
>   void sepol_handle_destroy(sepol_handle_t *);
>
> +/* Get whether or not needless unused branch of tunables would be preserved */
> +int sepol_get_preserve_tunables(sepol_handle_t * sh);
> +
> +/* Set whether or not to preserve the needless unused branch of tunables,
> + * 0 is default and discard such branch, 1 preserves them */
> +void sepol_set_preserve_tunables(sepol_handle_t * sh, int preserve_tunables);
> +
>   #endif
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index d5f10a6..d67b84c 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -2678,25 +2678,29 @@ int expand_module_avrules(sepol_handle_t * handle, policydb_t * base,
>   	return copy_and_expand_avrule_block(&state);
>   }
>
> -static void discard_tunables(policydb_t *pol)
> +static void discard_tunables(sepol_handle_t *sh, policydb_t *pol)
>   {
>   	avrule_block_t *block;
>   	avrule_decl_t *decl;
>   	cond_node_t *cur_node;
>   	cond_expr_t *cur_expr;
> -	int cur_state;
> +	int cur_state, preserve_tunables = 0;
>   	avrule_t *tail, *to_be_appended;
>
> +	if (sh&&  sh->preserve_tunables)
> +		preserve_tunables = 1;
> +
>   	/* Iterate through all cond_node of all enabled decls, if a cond_node
> -	 * is about tunable, caculate its state value and concatenate one of
> -	 * its avrule list to the current decl->avrules list.
> +	 * is about tunable, calculate its state value and concatenate one of
> +	 * its avrule list to the current decl->avrules list. On the other
> +	 * hand, the disabled unused branch of a tunable would be discarded.
>   	 *
>   	 * Note, such tunable cond_node would be skipped over in expansion,
>   	 * so we won't have to worry about removing it from decl->cond_list
>   	 * here :-)
>   	 *
> -	 * If tunables and booleans co-exist in the expression of a cond_node,
> -	 * then tunables would be "transformed" as booleans.
> +	 * If tunables are requested to be preserved then they would be
> +	 * "transformed" as booleans by having their TUNABLE flag cleared.
>   	 */
>   	for (block = pol->global; block != NULL; block = block->next) {
>   		decl = block->enabled;
> @@ -2709,10 +2713,12 @@ static void discard_tunables(policydb_t *pol)
>
>   		for (cur_node = decl->cond_list; cur_node != NULL;
>   		     cur_node = cur_node->next) {
> -			int booleans, tunables;
> +			int booleans, tunables, i;
>   			cond_bool_datum_t *booldatum;
> +			cond_bool_datum_t *tmp[COND_EXPR_MAXDEPTH];
>
>   			booleans = tunables = 0;
> +			memset(tmp, 0, sizeof(cond_bool_datum_t *) * COND_EXPR_MAXDEPTH);
>
>   			for (cur_expr = cur_node->expr; cur_expr != NULL;
>   			     cur_expr = cur_expr->next) {
> @@ -2720,18 +2726,24 @@ static void discard_tunables(policydb_t *pol)
>   					continue;
>   				booldatum = pol->bool_val_to_struct[cur_expr->bool - 1];
>   				if (booldatum->flags&  COND_BOOL_FLAGS_TUNABLE)
> -					tunables++;
> +					tmp[tunables++] = booldatum;
>   				else
>   					booleans++;
>   			}
>
>   			/* bool_copy_callback() at link phase has ensured
>   			 * that no mixture of tunables and booleans in one
> -			 * expression. */
> -			assert(!(booleans&&  tunables));
> +			 * expression. However, this would be broken by the
> +			 * request to preserve tunables */
> +			if (!preserve_tunables)
> +				assert(!(booleans&&  tunables));
>
> -			if (booleans) {
> +			if (booleans || preserve_tunables) {
>   				cur_node->flags&= ~COND_NODE_FLAGS_TUNABLE;
> +				if (tunables) {
> +					for (i = 0; i<  tunables; i++)
> +						tmp[i]->flags&= ~COND_BOOL_FLAGS_TUNABLE;
> +				}
>   			} else {
>   				cur_node->flags |= COND_NODE_FLAGS_TUNABLE;
>   				cur_state = cond_evaluate_expr(pol, cur_node->expr);
> @@ -2787,7 +2799,7 @@ int expand_module(sepol_handle_t * handle,
>   	 * Originally this function is called at the very end of link phase,
>   	 * however, we need to keep the linked policy intact for analysis
>   	 * purpose. */
> -	discard_tunables(base);
> +	discard_tunables(handle, base);
>
>   	expand_state_init(&state);
>
> diff --git a/libsepol/src/handle.c b/libsepol/src/handle.c
> index 191ac57..2e9a4ad 100644
> --- a/libsepol/src/handle.c
> +++ b/libsepol/src/handle.c
> @@ -18,9 +18,24 @@ sepol_handle_t *sepol_handle_create(void)
>   	sh->disable_dontaudit = 0;
>   	sh->expand_consume_base = 0;
>
> +	/* by default needless unused branch of tunables would be discarded  */
> +	sh->preserve_tunables = 0;
> +
>   	return sh;
>   }
>
> +int sepol_get_preserve_tunables(sepol_handle_t *sh)
> +{
> +	assert(sh != NULL);
> +	return sh->preserve_tunables;
> +}
> +
> +void sepol_set_preserve_tunables(sepol_handle_t * sh, int preserve_tunables)
> +{
> +	assert(sh !=NULL);
> +	sh->preserve_tunables = preserve_tunables;
> +}
> +
>   int sepol_get_disable_dontaudit(sepol_handle_t *sh)
>   {
>   	assert(sh !=NULL);
> diff --git a/libsepol/src/handle.h b/libsepol/src/handle.h
> index 254fbd8..7728d04 100644
> --- a/libsepol/src/handle.h
> +++ b/libsepol/src/handle.h
> @@ -17,7 +17,7 @@ struct sepol_handle {
>
>   	int disable_dontaudit;
>   	int expand_consume_base;
> -
> +	int preserve_tunables;
>   };
>
>   #endif
> diff --git a/libsepol/src/libsepol.map b/libsepol/src/libsepol.map
> index 719e5b7..81e0d48 100644
> --- a/libsepol/src/libsepol.map
> +++ b/libsepol/src/libsepol.map
> @@ -15,5 +15,6 @@
>   	sepol_get_disable_dontaudit;
>   	sepol_set_disable_dontaudit;
>   	sepol_set_expand_consume_base;
> +	sepol_get_preserve_tunables; sepol_set_preserve_tunables;
>     local: *;
>   };
> diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
> index 81d6a3c..5d662e7 100644
> --- a/policycoreutils/semodule/semodule.c
> +++ b/policycoreutils/semodule/semodule.c
> @@ -45,6 +45,7 @@ static int no_reload;
>   static int create_store;
>   static int build;
>   static int disable_dontaudit;
> +static int preserve_tunables;
>
>   static semanage_handle_t *sh = NULL;
>   static char *store;
> @@ -117,6 +118,7 @@ static void usage(char *progname)
>   	printf("  -h,--help        print this message and quit\n");
>   	printf("  -v,--verbose     be verbose\n");
>   	printf("  -D,--disable_dontaudit	Remove dontaudits from policy\n");
> +	printf("  -P,--preserve_tunables	Preserve tunables in policy\n");
>   }
>
>   /* Sets the global mode variable to new_mode, but only if no other
> @@ -162,6 +164,7 @@ static void parse_command_line(int argc, char **argv)
>   		{"noreload", 0, NULL, 'n'},
>   		{"build", 0, NULL, 'B'},
>   		{"disable_dontaudit", 0, NULL, 'D'},
> +		{"preserve_tunables", 0, NULL, 'P'},
>   		{"path", required_argument, NULL, 'p'},
>   		{NULL, 0, NULL, 0}
>   	};
> @@ -171,7 +174,7 @@ static void parse_command_line(int argc, char **argv)
>   	no_reload = 0;
>   	create_store = 0;
>   	while ((i =
> -		getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBD", opts,
> +		getopt_long(argc, argv, "p:s:b:hi:lvqe:d:r:u:RnBDP", opts,
>   			    NULL)) != -1) {
>   		switch (i) {
>   		case 'b':
> @@ -220,6 +223,9 @@ static void parse_command_line(int argc, char **argv)
>   		case 'D':
>   			disable_dontaudit = 1;
>   			break;
> +		case 'P':
> +			preserve_tunables = 1;
> +			break;
>   		case '?':
>   		default:{
>   				usage(argv[0]);
> @@ -466,6 +472,8 @@ int main(int argc, char *argv[])
>   			semanage_set_disable_dontaudit(sh, 1);
>   		else if (build)
>   			semanage_set_disable_dontaudit(sh, 0);
> +		if (preserve_tunables)
> +			semanage_set_preserve_tunables(sh, 1);
>
>   		result = semanage_commit(sh);
>   	}

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [v1 PATCH 2/7] Separate tunable from boolean during compile.

[Harry Ciao]

Please ignore this patch, I would re-send it with 0/7 patch for extra 
comments for the v1 patchset.

Sorry for any inconvenience!

Thanks,
Harry

On 08/29/2011 03:53 PM, Harry Ciao wrote:
> Both boolean and tunable keywords are processed by define_bool_tunable(),
> argument 0 and 1 would be passed for boolean and tunable respectively.
> For tunable, a TUNABLE flag would be set in cond_bool_datum_t.flags.
>
> Note, when creating an if-else conditional we can not know if the
> tunable identifier is indeed a tunable(for example, a boolean may be
> misused in tunable_policy() or vice versa), thus the TUNABLE flag
> for cond_node_t would be calculated and used in expansion when all
> booleans/tunables copied during link.
>
> Signed-off-by: Harry Ciao<qingtao.cao@windriver.com>
> ---
>   checkpolicy/module_compiler.c |   16 +++++++++++++++-
>   checkpolicy/module_compiler.h |    1 +
>   checkpolicy/policy_define.c   |    4 +++-
>   checkpolicy/policy_define.h   |    2 +-
>   checkpolicy/policy_parse.y    |    8 +++++++-
>   checkpolicy/policy_scan.l     |    2 ++
>   libsepol/src/conditional.c    |    1 +
>   7 files changed, 30 insertions(+), 4 deletions(-)
>
> diff --git a/checkpolicy/module_compiler.c b/checkpolicy/module_compiler.c
> index 1c1d1d5..ffffaf1 100644
> --- a/checkpolicy/module_compiler.c
> +++ b/checkpolicy/module_compiler.c
> @@ -1045,7 +1045,7 @@ int require_user(int pass)
>   	}
>   }
>
> -int require_bool(int pass)
> +static int require_bool_tunable(int pass, int is_tunable)
>   {
>   	char *id = queue_remove(id_queue);
>   	cond_bool_datum_t *booldatum = NULL;
> @@ -1063,6 +1063,8 @@ int require_bool(int pass)
>   		yyerror("Out of memory!");
>   		return -1;
>   	}
> +	if (is_tunable)
> +		booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
>   	retval =
>   	    require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
>   			&booldatum->s.value,&booldatum->s.value);
> @@ -1094,6 +1096,16 @@ int require_bool(int pass)
>   	}
>   }
>
> +int require_bool(int pass)
> +{
> +	return require_bool_tunable(pass, 0);
> +}
> +
> +int require_tunable(int pass)
> +{
> +	return require_bool_tunable(pass, 1);
> +}
> +
>   int require_sens(int pass)
>   {
>   	char *id = queue_remove(id_queue);
> @@ -1328,6 +1340,8 @@ void append_cond_list(cond_list_t * cond)
>   		     tmp = tmp->next) ;
>   		tmp->next = cond->avfalse_list;
>   	}
> +
> +	old_cond->flags |= cond->flags;
>   }
>
>   void append_avrule(avrule_t * avrule)
> diff --git a/checkpolicy/module_compiler.h b/checkpolicy/module_compiler.h
> index 45a21cd..72c2d9b 100644
> --- a/checkpolicy/module_compiler.h
> +++ b/checkpolicy/module_compiler.h
> @@ -58,6 +58,7 @@ int require_attribute(int pass);
>   int require_attribute_role(int pass);
>   int require_user(int pass);
>   int require_bool(int pass);
> +int require_tunable(int pass);
>   int require_sens(int pass);
>   int require_cat(int pass);
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index ded27f7..1bf669c 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -1494,7 +1494,7 @@ avrule_t *define_cond_compute_type(int which)
>   	return avrule;
>   }
>
> -int define_bool(void)
> +int define_bool_tunable(int is_tunable)
>   {
>   	char *id, *bool_value;
>   	cond_bool_datum_t *datum;
> @@ -1524,6 +1524,8 @@ int define_bool(void)
>   		return -1;
>   	}
>   	memset(datum, 0, sizeof(cond_bool_datum_t));
> +	if (is_tunable)
> +		datum->flags |= COND_BOOL_FLAGS_TUNABLE;
>   	ret = declare_symbol(SYM_BOOLS, id, datum,&value,&value);
>   	switch (ret) {
>   	case -3:{
> diff --git a/checkpolicy/policy_define.h b/checkpolicy/policy_define.h
> index fc8cd4d..92a9be7 100644
> --- a/checkpolicy/policy_define.h
> +++ b/checkpolicy/policy_define.h
> @@ -21,7 +21,7 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void* arg2);
>   int define_attrib(void);
>   int define_attrib_role(void);
>   int define_av_perms(int inherits);
> -int define_bool(void);
> +int define_bool_tunable(int is_tunable);
>   int define_category(void);
>   int define_class(void);
>   int define_common_perms(void);
> diff --git a/checkpolicy/policy_parse.y b/checkpolicy/policy_parse.y
> index 0a17bdc..49ac15f 100644
> --- a/checkpolicy/policy_parse.y
> +++ b/checkpolicy/policy_parse.y
> @@ -101,6 +101,7 @@ typedef int (* require_func_t)();
>   %token ALIAS
>   %token ATTRIBUTE
>   %token BOOL
> +%token TUNABLE
>   %token IF
>   %token ELSE
>   %token TYPE_TRANSITION
> @@ -269,6 +270,7 @@ te_decl			: attribute_def
>                           | typeattribute_def
>                           | typebounds_def
>                           | bool_def
> +			| tunable_def
>                           | transition_def
>                           | range_trans_def
>                           | te_avtab_def
> @@ -295,8 +297,11 @@ opt_attr_list           : ',' id_comma_list
>   			|
>   			;
>   bool_def                : BOOL identifier bool_val ';'
> -                        {if (define_bool()) return -1;}
> +                        { if (define_bool_tunable(0)) return -1; }
>                           ;
> +tunable_def		: TUNABLE identifier bool_val ';'
> +			{ if (define_bool_tunable(1)) return -1; }
> +			;
>   bool_val                : CTRUE
>    			{ if (insert_id("T",0)) return -1; }
>                           | CFALSE
> @@ -820,6 +825,7 @@ require_decl_def        : ROLE        { $$ = require_role; }
>                           | ATTRIBUTE_ROLE   { $$ = require_attribute_role; }
>                           | USER        { $$ = require_user; }
>                           | BOOL        { $$ = require_bool; }
> +			| TUNABLE     { $$ = require_tunable; }
>                           | SENSITIVITY { $$ = require_sens; }
>                           | CATEGORY    { $$ = require_cat; }
>                           ;
> diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
> index ed27bbe..a61e0db 100644
> --- a/checkpolicy/policy_scan.l
> +++ b/checkpolicy/policy_scan.l
> @@ -92,6 +92,8 @@ TYPE |
>   type				{ return(TYPE); }
>   BOOL |
>   bool                            { return(BOOL); }
> +TUNABLE |
> +tunable				{ return(TUNABLE); }
>   IF |
>   if				{ return(IF); }
>   ELSE |
> diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
> index 1482387..efdedb0 100644
> --- a/libsepol/src/conditional.c
> +++ b/libsepol/src/conditional.c
> @@ -160,6 +160,7 @@ cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
>   		for (i = 0; i<  min(node->nbools, COND_MAX_BOOLS); i++)
>   			new_node->bool_ids[i] = node->bool_ids[i];
>   		new_node->expr_pre_comp = node->expr_pre_comp;
> +		new_node->flags = node->flags;
>   	}
>
>   	return new_node;

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

v1 Discard unused tunables from raw policy

[Harry Ciao]

Special Notes
---------------
1. So far the latest master toolchain seems to have a segfault problem related
   with the commit of "libsemanage: patch for MCS/MLS in user files", which
   would be gone if we revert that commit or specify
   "disable-genhomedircon = true" in semanage.conf.
   
2. After using the "-P" option for semodule to preserve all tunables, the
   "preserve_tunables" flag file created in module store would be preserved
   after "make load" completes, resulting in builds after that would inherit
   same behavior until this flag file is mannually removed.
   
   Other options such as "-D/--disalbe_dontaudit" shares the same behavior.


Major differences from v0
---------------------------
1. As suggested by Chris, the mixture of tunables and booleans in one
   expression won't be allowed, so bail out with error rather than printing
   information message in bool_copy_callback() in link.c;

2. As suggested by Joshua, move the separate_tunables() from the very end of
   link to the very beginning of expand (and renamed to discard_tunables()
   now), this is for the interest of preserving the linked policy intact for
   analysis purpose;

3. As required by Dan and suggested by Joshua, add a new flag
   "preserve_tunables" in sepol_handle_t to save and pass a new option "-P"
   from semodule to the expand phase, so that all tunables would be treated
   as booleans and preserved in the raw policy for debug purpose.


Tests I've done
----------------
1. Apply below patchset for refpolicy to cope with toolchain:

   0001-Add-the-definition-of-the-boolean_policy-marcro.patch
   0002-user_ping-is-a-tunable-use-tunable_policy-for-it.patch
   0003-mmap_low_allowed-is-a-tunable-use-tunable_policy-for.patch
   0004-secure_mode_insmod-is-a-boolean-use-boolean_policy-f.patch

   Mostly these patches would add a new boolean_policy() macro and make
   the tunable_policy() macro use "tunable" keyword rather than "bool".

2. We can see the size of policy.X droped significantly from 466k to 316k.

3. With the checkpolicy tool, we can see there are only 4 booleans preserved in
   the raw policy:

   Choose:  f
   secure_mode : 0
   pppd_can_insmod : 0
   secure_mode_insmod : 0
   secure_mode_policyload : 0

4. So far the "console_login" tunable defaults to true, we can see the related
   type_change rules for console_device_t in its conditionals are available in
   the raw policy:

   11 rules match the search criteria.
   Number of enabled conditional rules: 0
   Number of disabled conditional rules: 0
   
   type_change auditadm_t console_device_t : chr_file user_tty_device_t;
   type_change dbadm_t console_device_t : chr_file user_tty_device_t;
   type_change guest_t console_device_t : chr_file user_tty_device_t;
   type_change logadm_t console_device_t : chr_file user_tty_device_t;
   type_change secadm_t console_device_t : chr_file user_tty_device_t;
   type_change staff_t console_device_t : chr_file user_tty_device_t;
   type_change sysadm_t console_device_t : chr_file user_tty_device_t;
   type_change unconfined_t console_device_t : chr_file user_tty_device_t;
   type_change user_t console_device_t : chr_file user_tty_device_t;
   type_change webadm_t console_device_t : chr_file user_tty_device_t;
   type_change xguest_t console_device_t : chr_file user_tty_device_t;

5. Re-build policy with console_login defaults to false, then all above
   type_change rules for console_device_t would be gone:

   0 rules match the search criteria.
   Number of enabled conditional rules: 0
   Number of disabled conditional rules: 0
   
   (And the raw policy's size would further goes down from 3163312 bytes
    to 3163180 bytes)
   
6. Specifiy the "-P" option for semodule to preserve all tunables:

   ls /usr/share/selinux/refpolicy/*.pp | grep -v base.pp | sudo /usr/sbin/semodule -P -s refpolicy -b /usr/share/selinux/refpolicy/base.pp

   And we can see that the size of raw policy would be back to 466k with all
   tunables preserved as booleans:

   cao@cao-laptop:/etc/selinux/refpolicy$ ls -lt policy/
   total 12240
   -rw-r--r--. 1 root root 4666684 2011-08-29 14:49 policy.24
   cao@cao-laptop:/etc/selinux/refpolicy$
   
   Choose:  f
   allow_ftpd_full_access : 0
   allow_zebra_write_config : 0
   cdrecord_read_content : 0
   fcron_crond : 0
   mmap_low_allowed : 0
   samba_share_fusefs : 0
   sepgsql_enable_users_ddl : 1
   allow_ftpd_use_cifs : 0
   allow_java_execstack : 0
   cron_can_relabel : 0
   openvpn_enable_homedirs : 0
   samba_export_all_ro : 0
   secure_mode : 0
   spamassassin_can_network : 0
   virt_use_sysfs : 0
   xserver_object_manager : 0
   allow_cvs_read_shadow : 0
   allow_gssd_read_tmp : 1
   allow_httpd_bugzilla_script_anon_write : 0
   fenced_can_network_connect : 0
   httpd_enable_ftp_server : 0
   httpd_use_nfs : 0
   nfs_export_all_ro : 0
   qemu_use_usb : 1
   user_dmesg : 0
   virt_use_nfs : 0
   xguest_mount_media : 1
   allow_httpd_munin_script_anon_write : 0
   allow_httpd_squid_script_anon_write : 0
   allow_mplayer_execstack : 0
   named_write_master_zones : 0
   portage_use_nfs : 0
   pppd_can_insmod : 0
   qemu_use_nfs : 1
   virt_use_samba : 0
   virt_use_usb : 1
   xend_run_blktap : 1
   allow_httpd_anon_write : 0
   allow_httpd_user_script_anon_write : 0
   allow_ssh_keysign : 0
   cobbler_anon_write : 0
   entropyd_use_audio : 0
   exim_can_connect_db : 0
   httpd_can_network_relay : 0
   samba_create_home_dirs : 0
   samba_enable_home_dirs : 0
   spamd_enable_home_dirs : 1
   telepathy_tcp_connect_generic_network_ports : 0
   use_lpd_server : 0
   user_direct_mouse : 0
   allow_httpd_mediawiki_script_anon_write : 0
   allow_httpd_prewikka_script_anon_write : 0
   allow_rsync_anon_write : 0
   clamd_use_jit : 0
   httpd_tty_comm : 0
   httpd_unified : 0
   init_upstart : 0
   qemu_full_network : 0
   qemu_use_comm : 0
   rsync_export_all_ro : 0
   secure_mode_insmod : 0
   squid_connect_any : 0
   user_ping : 0
   virt_use_comm : 0
   allow_execmod : 0
   httpd_use_gpg : 0
   samba_share_nfs : 0
   user_tcp_server : 0
   user_ttyfile_stat : 0
   virt_use_fusefs : 0
   allow_user_postgresql_connect : 0
   console_login : 0
   httpd_builtin_scripting : 0
   httpd_can_sendmail : 0
   httpd_enable_cgi : 0
   racoon_read_shadow : 0
   allow_ftpd_use_nfs : 0
   allow_httpd_mojomojo_script_anon_write : 0
   samba_run_unconfined : 0
   wine_mmap_zero_ignore : 0
   xen_use_nfs : 0
   allow_execheap : 0
   allow_execstack : 0
   allow_httpd_nagios_script_anon_write : 0
   allow_httpd_w3c_validator_script_anon_write : 0
   rgmanager_can_network_connect : 0
   samba_domain_controller : 0
   samba_export_all_rw : 0
   varnishd_connect_any : 0
   allow_kerberos : 0
   global_ssp : 0
   gpg_agent_env_file : 0
   httpd_dbus_avahi : 0
   mozilla_read_content : 0
   nfs_export_all_rw : 0
   sepgsql_unconfined_dbadm : 1
   sftpd_anon_write : 0
   webadm_manage_user_files : 0
   allow_httpd_apcupsd_cgi_script_anon_write : 0
   ftp_home_dir : 0
   httpd_enable_homedirs : 0
   httpd_ssi_exec : 0
   httpd_use_cifs : 0
   mysql_connect_any : 0
   pppd_for_user : 0
   qemu_use_cifs : 1
   sftpd_enable_homedirs : 0
   squid_use_tproxy : 0
   telepathy_connect_all_ports : 0
   xguest_connect_network : 1
   allow_httpd_awstats_script_anon_write : 0
   allow_httpd_cvs_script_anon_write : 0
   allow_httpd_git_script_anon_write : 0
   allow_httpd_smokeping_cgi_script_anon_write : 0
   allow_httpd_sys_script_anon_write : 0
   allow_saslauthd_read_shadow : 0
   allow_ypbind : 0
   sftpd_full_access : 0
   user_rw_noexattrfile : 0
   allow_ptrace : 0
   dbadm_manage_user_files : 0
   exim_manage_user_files : 0
   puppet_manage_all_files : 0
   secure_mode_policyload : 0
   tftp_anon_write : 0
   use_samba_home_dirs : 0
   xend_run_qemu : 1
   allow_mount_anyfile : 0
   allow_user_mysql_connect : 0
   dbadm_read_user_files : 0
   exim_read_user_files : 0
   httpd_can_network_connect : 0
   mail_read_content : 0
   smartmon_3ware : 0
   ssh_sysadm_login : 0
   webadm_read_user_files : 0
   xdm_sysadm_login : 0
   xguest_use_bluetooth : 1
   allow_execmem : 0
   allow_ftpd_anon_write : 0
   allow_httpd_cobbler_script_anon_write : 0
   allow_httpd_nutups_cgi_script_anon_write : 0
   allow_nfsd_anon_write : 0
   allow_polyinstantiation : 0
   allow_smbd_anon_write : 0
   allow_write_xshm : 0
   httpd_can_network_connect_db : 0
   privoxy_connect_any : 0
   tor_bind_all_unreserved_ports : 0
   use_nfs_home_dirs : 0
   vbetool_mmap_zero_ignore : 0
   
   Choose:
   
7. Monolithic policy builds ok:   
   cao@cao-laptop:/work/selinux/refpolicy$ sudo make policy
   ......
   cao@cao-laptop:/work/selinux/refpolicy$ ls -lt policy.24
   -rw-r--r--. 1 root root 3163312 2011-08-29 15:00 policy.24
   cao@cao-laptop:/work/selinux/refpolicy$

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[v1 PATCH 6/7] Skip tunable identifier and cond_node_t in expansion.

[Harry Ciao]

The effective branch of a tunable has been appended to its home
decl->avrules list during link, in expansion we should just skip tunables
from expanding their rules into te_cond_avtab hashtab and adding to the
out->cond_list queue.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
---
 libsepol/src/expand.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index be41243..d5f10a6 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -1014,6 +1014,11 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 		return 0;
 	}
 
+	if (bool->flags & COND_BOOL_FLAGS_TUNABLE) {
+		/* Skip tunables */
+		return 0;
+	}
+
 	if (state->verbose)
 		INFO(state->handle, "copying boolean %s", id);
 
@@ -1046,6 +1051,7 @@ static int bool_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	state->boolmap[bool->s.value - 1] = new_bool->s.value;
 
 	new_bool->state = bool->state;
+	new_bool->flags = bool->flags;
 
 	return 0;
 }
@@ -1940,6 +1946,13 @@ static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
 	if (cond_node_copy(state, cn->next)) {
 		return -1;
 	}
+	
+	/* If current cond_node_t is of tunable, its effective branch
+	 * has been appended to its home decl->avrules list during link
+	 * and now we should just skip it. */
+	if (cn->flags & COND_NODE_FLAGS_TUNABLE)
+		return 0;
+
 	if (cond_normalize_expr(state->base, cn)) {
 		ERR(state->handle, "Error while normalizing conditional");
 		return -1;
-- 
1.7.0.4


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.