Re: [patch] libsepol: clarify and reduce neverallow error reporting

[Joshua Brindle <method@xxxxxxxxxxxxxxx>]

Stephen Smalley wrote:
> Alter the error reporting for neverallow failures to be clearer, i.e.
> use the word neverallow instead of assertion and don't report a line number
> if we don't have that information, and bail on the first such error rather
> than flooding the user with multiple ones, since any such error is fatal.
>
> Signed-off-by:  Stephen Smalley <sds@xxxxxxxxxxxxx>
>
>   

Acked-By: Joshua Brindle <method@xxxxxxxxxxxxxxx>


> ---
>
>  libsepol/src/assertion.c |   47 ++++++++++++++++++++++++++++-------------------
>  1 file changed, 28 insertions(+), 19 deletions(-)
>
> Index: trunk/libsepol/src/assertion.c
> ===================================================================
> --- trunk/libsepol/src/assertion.c	(revision 2690)
> +++ trunk/libsepol/src/assertion.c	(working copy)
> @@ -59,11 +59,21 @@
>  	return 0;
>  
>        err:
> -	ERR(handle, "assertion on line %lu violated by allow %s %s:%s {%s };",
> -	    line, p->p_type_val_to_name[stype], p->p_type_val_to_name[ttype],
> -	    p->p_class_val_to_name[curperm->class - 1],
> -	    sepol_av_to_string(p, curperm->class,
> -			       node->datum.data & curperm->data));
> +	if (line) {
> +		ERR(handle, "neverallow on line %lu violated by allow %s %s:%s {%s };",
> +		    line, p->p_type_val_to_name[stype], 
> +		    p->p_type_val_to_name[ttype],
> +		    p->p_class_val_to_name[curperm->class - 1],
> +		    sepol_av_to_string(p, curperm->class,
> +				       node->datum.data & curperm->data));
> +	} else {
> +		ERR(handle, "neverallow violated by allow %s %s:%s {%s };",
> +		    p->p_type_val_to_name[stype], 
> +		    p->p_type_val_to_name[ttype],
> +		    p->p_class_val_to_name[curperm->class - 1],
> +		    sepol_av_to_string(p, curperm->class,
> +				       node->datum.data & curperm->data));
> +	}
>  	return -1;
>  }
>  
> @@ -74,7 +84,7 @@
>  	avtab_t te_avtab, te_cond_avtab;
>  	ebitmap_node_t *snode, *tnode;
>  	unsigned int i, j;
> -	int errors = 0;
> +	int rc;
>  
>  	if (!avrules) {
>  		/* Since assertions are stored in avrules, if it is NULL
> @@ -111,32 +121,31 @@
>  			if (a->flags & RULE_SELF) {
>  				if (check_assertion_helper
>  				    (handle, p, &te_avtab, &te_cond_avtab, i, i,
> -				     a->perms, a->line))
> -					errors++;
> +				     a->perms, a->line)) {
> +					rc = -1;
> +					goto out;
> +				}
>  			}
>  			ebitmap_for_each_bit(ttypes, tnode, j) {
>  				if (!ebitmap_node_get_bit(tnode, j))
>  					continue;
>  				if (check_assertion_helper
>  				    (handle, p, &te_avtab, &te_cond_avtab, i, j,
> -				     a->perms, a->line))
> -					errors++;
> +				     a->perms, a->line)) {
> +					rc = -1;
> +					goto out;
> +				}
>  			}
>  		}
>  	}
>  
> -	if (errors) {
> -		ERR(handle, "%d assertion violations occured", errors);
> -		avtab_destroy(&te_avtab);
> -		avtab_destroy(&te_cond_avtab);
> -		return -1;
> -	}
> -
> +	rc = 0;
> +out:
>  	avtab_destroy(&te_avtab);
>  	avtab_destroy(&te_cond_avtab);
> -	return 0;
> +	return rc;
>  
>        oom:
> -	ERR(handle, "Out of memory - unable to check assertions");
> +	ERR(handle, "Out of memory - unable to check neverallows");
>  	return -1;
>  }
>
>   



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.