Attached is the Flask Policy Parser (FPP). It can produce a policy.conf file from a patched version of Refpolicy. There is a README in the tarball that gives instructions on how to use it.

FPP is not intended to replace anything in the current policy toolchain. It has been developed to support research I plan to do this year involving higher-level policy language constructs. My hope is that it will be easier to add these constructs in FPP and re-implement small parts of Refpolicy using those constructs while still being able to use the rest of Refpolicy in order to have a complete and, hopefully, working policy.

FPP does very little of interest. It can't quite parse all of Refpolicy, so a small patch has to be applied to Refpolicy and a couple of other things have been re-implemented in an included file. FPP parses the patched Refpolicy and produces a policy.conf file. This means that it can only be used to generate a monolithic policy. It does, however, evaluate all optional blocks and checks that all statements (including filecons) are valid (but it does not check type hierarchies yet). FPP can also produce an unsorted file containing all filecon statements and a tree representation of the policy.

FPP does do one unique thing at this time. It is capable of reducing the size of the policy.conf and the binary policy. There are three optimization options.

- Level 1 removes all rules that are already covered by a rule containing an attribute.
- Level 2 also tries to reduce the total number of rules using attributes. A size can be specified that will cause all attributes with that size or fewer to be expanded in an effort to try to cover the rules with an attribute containing more members.
- Level 3 also removes dontaudit rules that are covered by allow rules, removes rules in conditional policy that are already specified in the base policy, and removes unused attributes (no members) and the rules involving them.
None of the optimization levels should change the policy semantically. However, while levels 1 and 2 will produce no differences according to sediff, level 3 will. Steve has also noted that there are some dontaudit rules that only exist to suppress MLS constraint violations, and these would be removed by level 3 optimization.

Some numbers using Refpolicy build 2909, RedHat, monolithic, all modules, and UBAC. O is the optimization level. Size specifies the maximum size of an attribute that is to be expanded. The time is the time it takes for Refpolicy to generate a monolithic policy or the total time for FPP to generate the policy.conf and checkpolicy to create the binary. Conf is the policy.conf size and Bin is the size of the binary policy.

            O    Size   Time(s)   Conf(M)   Bin(M)
  Refpolicy n/a  n/a    21.0      33.71     3.68
  FPP       0    n/a    26.7      22.71     3.68
  FPP       1    n/a    26.2      13.70     2.33
  FPP       2    1      44.2       4.04     1.09
  FPP       2    64     70.8       4.01     1.08
  FPP       3    1      44.4       3.58     0.93

As can be seen, FPP is at least 25% slower, but is capable of producing a policy.conf that compiles to a binary that is 25% of the size of the original at a cost of being 111% slower. Although not shown, an MLS policy is slightly larger and takes slightly longer to build.

Expanding attributes turns out to be fairly useless. You save 10k for 36 seconds of work expanding attributes with 64 members or less. You only save 50k for 15 minutes of work if you expand all attributes.

I leave to the reader the trivial exercise of adding these optimizations to libsepol. ;)

One last thing. FPP is written in lua. Why? Because I wanted to see what lua was like. Feel free to re-implement in the language of your choice.

--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
Attachment:
fpp_20090218.tar.bz2
Description: application/bzip-compressed-tar
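As an added illustration of the pruning the post describes (this is not code from James Carter's post or from FPP itself), the following Python sketch implements the level-1 rule removal and the dontaudit-versus-allow part of level 3 on a constructed rule set. The attribute map, type names and rules are hypothetical; level-2 attribute expansion and the conditional-policy and unused-attribute parts of level 3 are not covered.

```python
from collections import namedtuple
# kind is "allow" or "dontaudit"; perms is a frozenset of permission names.
Rule = namedtuple("Rule", "kind src tgt cls perms")
# Constructed attribute map; attribute and type names are hypothetical.
ATTRS = {"domain": {"httpd_t", "sshd_t"}, "file_type": {"etc_t", "tmp_t"}}

def expands_to(name):
    """Concrete types denoted by a type or attribute name."""
    return ATTRS.get(name, {name})

def subsumes(general, specific):
    """True if `general` covers every (src, tgt, class, perm) of `specific`."""
    return (general.cls == specific.cls
            and expands_to(specific.src) <= expands_to(general.src)
            and expands_to(specific.tgt) <= expands_to(general.tgt)
            and specific.perms <= general.perms)

def optimise(rules, level=1):
    """Drop rules redundant at the given level (1 or 3); order is preserved."""
    kept = []
    for i, r in enumerate(rules):
        redundant = False
        for j, g in enumerate(rules):
            if i == j:
                continue
            # Level 1: r is already covered by an attribute rule of the same kind.
            if g.kind == r.kind and (g.src in ATTRS or g.tgt in ATTRS) and subsumes(g, r):
                if subsumes(r, g) and j > i:
                    continue  # equivalent pair: keep only the earlier one
                redundant = True
                break
            # Level 3: a dontaudit whose access an allow rule already grants.
            if (level >= 3 and r.kind == "dontaudit"
                    and g.kind == "allow" and subsumes(g, r)):
                redundant = True
                break
        if not redundant:
            kept.append(r)
    return kept

# Constructed sample policy (not taken from Refpolicy).
RULES = [
    Rule("allow", "domain", "etc_t", "file", frozenset({"read", "getattr"})),
    Rule("allow", "httpd_t", "etc_t", "file", frozenset({"read"})),      # level 1 drops
    Rule("allow", "httpd_t", "tmp_t", "file", frozenset({"write"})),
    Rule("allow", "sshd_t", "file_type", "dir", frozenset({"search"})),
    Rule("dontaudit", "sshd_t", "etc_t", "dir", frozenset({"search"})),  # level 3 drops
    Rule("dontaudit", "sshd_t", "tmp_t", "file", frozenset({"read"})),
]
```

Running `optimise(RULES, 1)` keeps five of the six rules and `optimise(RULES, 3)` keeps four, matching the order in which the post says the levels build on each other.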