[refpolicy] My patchset to test "Separating tunables from booleans"

HarryCiao <harrytaurus2002@xxxxxxxxxxx> · Tue, 23 Aug 2011 10:27:36 +0000

Hi,

This is the refpolicy patchset to test along with new toolchain feature of separating tunables from booleans, generally speaking a "tunable" keyword is introduced and made use of by tunable_policy(), whereas a new boolean_policy() macro would make use of the "bool" keyword.

tunable is indeed a boolean, except that the COND_BOOL_FLAGS_TUNABLE bit would be set in the newly added member of flags in the cond_bool_datum_t structure.

Once the new toolchain feature is welcomed and merged, we could change refpolicy to shrink policy.X size significantly.

Any comments or suggestions as for how to better this new toolchain feature are greatly welcomed.

Thanks!

Harry
 		 	   		  
From 77ce182184467d434281c5aba2c86c9ee1440a57 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Sun, 21 Aug 2011 18:19:41 +0800
Subject: [refpolicy][v0 PATCH 1/4] Add the definition of the boolean_policy marcro.

boolean_policy macro would make use of boolean for runtime conditionals,
while tunable_policy macro would use tunable rather than boolean for
build-time conditionals.

Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
 policy/support/loadable_module.spt |   38 +++++++++++++++++++++++++++++++----
 1 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt
index 1fe3ab3..251a5f9 100644
--- a/policy/support/loadable_module.spt
+++ b/policy/support/loadable_module.spt
@@ -120,10 +120,23 @@ define(`dflt_or_overr',`ifdef(`$1',$1,$2)')
 # This needs to be reworked so expressions
 # with parentheses can work.
 
-define(`declare_required_symbols',`
+define(`declare_required_booleans',`
 ifelse(regexp($1, `\w'), -1, `', `dnl
 bool regexp($1, `\(\w+\)', `\1');
-declare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
+declare_required_booleans(regexp($1, `\w+\(.*\)', `\1'))dnl
+') dnl
+')
+
+##############################
+#
+# Extract tunables out of an expression.
+# This needs to be reworked so expressions
+# with parentheses can work.
+
+define(`declare_required_tunables',`
+ifelse(regexp($1, `\w'), -1, `', `dnl
+tunable regexp($1, `\(\w+\)', `\1');
+declare_required_tunables(regexp($1, `\w+\(.*\)', `\1'))dnl
 ') dnl
 ')
 
@@ -132,16 +145,31 @@ declare_required_symbols(regexp($1, `\w+\(.*\)', `\1'))dnl
 # Tunable declaration
 #
 define(`gen_tunable',`
-	bool $1 dflt_or_overr(`$1'_conf,$2);
+	tunable $1 dflt_or_overr(`$1'_conf,$2);
 ')
 
 ##############################
 #
-# Tunable policy handling
+# Build-time tunable policy handling
 #
 define(`tunable_policy',`
 	gen_require(`
-		declare_required_symbols(`$1')
+		declare_required_tunables(`$1')
+	')
+	if (`$1') {
+		$2
+	ifelse(`$3',`',`',`} else {
+		$3
+	')}
+')
+
+##############################
+#
+# Runtime boolean policy handling
+#
+define(`boolean_policy',`
+	gen_require(`
+		declare_required_booleans(`$1')
 	')
 	if (`$1') {
 		$2
-- 
1.7.0.4

From 17b41b9ea0b92aad144a2b87174d7eb6f9c383ae Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Sun, 21 Aug 2011 19:38:46 +0800
Subject: [refpolicy][v0 PATCH 2/4] user_ping is a tunable, use tunable_policy for it.

user_ping is a tunable, use tunable_policy for it.

Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
 policy/modules/admin/netutils.if |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index c6ca761..4164292 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -183,14 +183,13 @@ interface(`netutils_run_ping',`
 interface(`netutils_run_ping_cond',`
 	gen_require(`
 		type ping_t;
-		bool user_ping;
 	')
 
 	role $2 types ping_t;
 
-	if ( user_ping ) {
+	tunable_policy(`user_ping',`
 		netutils_domtrans_ping($1)
-	}
+	')
 ')
 
 ########################################
@@ -277,14 +276,13 @@ interface(`netutils_run_traceroute',`
 interface(`netutils_run_traceroute_cond',`
 	gen_require(`
 		type traceroute_t;
-		bool user_ping;
 	')
 
 	role $2 types traceroute_t;
 
-	if( user_ping ) {
+	tunable_policy(`user_ping',`
 		netutils_domtrans_traceroute($1)
-	}
+	')
 ')
 
 ########################################
-- 
1.7.0.4

From f50ea912509e70744f550208793bf38b1f9374e8 Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Mon, 22 Aug 2011 14:12:55 +0800
Subject: [refpolicy][v0 PATCH 3/4] mmap_low_allowed is a tunable, use tunable_policy for it

mmap_low_allowed is a tunable, use tunable_policy for it.

Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
 policy/modules/kernel/domain.if |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..899c9bf 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1434,14 +1434,13 @@ interface(`domain_entry_file_spec_domtrans',`
 interface(`domain_mmap_low',`
 	gen_require(`
 		attribute mmap_low_domain_type;
-		bool mmap_low_allowed;
 	')
 
 	typeattribute $1 mmap_low_domain_type;
 
-	if ( mmap_low_allowed ) {
+	tunable_policy(`mmap_low_allowed',`
 		allow $1 self:memprotect mmap_zero;
-	}
+	')
 ')
 
 ########################################
-- 
1.7.0.4

From 49e415efe1cf7d2a4dda66a1246b4cf73031829c Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
Date: Mon, 22 Aug 2011 14:15:52 +0800
Subject: [refpolicy][v0 PATCH 4/4] secure_mode_insmod is a boolean, use boolean_policy for it.

secure_mode_insmod is a boolean, use boolean_policy for it.

Signed-off-by: Harry Ciao <qingtao.cao@xxxxxxxxxxxxx>
---
 policy/modules/system/modutils.if |    8 ++------
 policy/modules/system/modutils.te |    8 ++------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..6e7e0ef 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -152,13 +152,9 @@ interface(`modutils_domtrans_insmod_uncond',`
 ## </param>
 #
 interface(`modutils_domtrans_insmod',`
-	gen_require(`
-		bool secure_mode_insmod;
-	')
-
-	if (!secure_mode_insmod) {
+	boolean_policy(`!secure_mode_insmod',`
 		modutils_domtrans_insmod_uncond($1)
-	}
+	')
 ')
 
 ########################################
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index da014ed..143112a 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,9 +1,5 @@
 policy_module(modutils, 1.11.0)
 
-gen_require(`
-	bool secure_mode_insmod;
-')
-
 ########################################
 #
 # Declarations
@@ -178,9 +174,9 @@ userdom_use_user_terminals(insmod_t)
 
 userdom_dontaudit_search_user_home_dirs(insmod_t)
 
-if( ! secure_mode_insmod ) {
+boolean_policy(`!secure_mode_insmod',`
 	kernel_domtrans_to(insmod_t, insmod_exec_t)
-}
+')
 
 optional_policy(`
 	alsa_domtrans(insmod_t)
-- 
1.7.0.4





