RE: [PATCH] libsepol: Change which attributes CIL keeps in the binary policy

> -----Original Message-----
> From: Selinux [mailto:selinux-bounces@xxxxxxxxxxxxx] On Behalf Of Roberts,
> William C
> Sent: Friday, May 6, 2016 12:25 PM
> To: William Roberts <bill.c.roberts@xxxxxxxxx>; James Carter
> <jwcart2@xxxxxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxx
> Subject: RE: [PATCH] libsepol: Change which attributes CIL keeps in the binary
> policy
> 
> 
> 
> From: Selinux [mailto:selinux-bounces@xxxxxxxxxxxxx] On Behalf Of William
> Roberts
> Sent: Friday, May 6, 2016 12:16 PM
> To: James Carter <jwcart2@xxxxxxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxx
> Subject: Re: [PATCH] libsepol: Change which attributes CIL keeps in the binary
> policy
> 
> 
> On May 6, 2016 11:58 AM, "James Carter" <jwcart2@xxxxxxxxxxxxx> wrote:
> >
> > The removal of attributes that are only used in neverallow rules is
> > hindering AOSP adoption of the CIL compiler. This is because AOSP
> > extracts neverallow rules from its policy.conf for use in the Android
> > compatibility test suite. These neverallow rules are applied against
> > the binary policy being tested to check for a violation. Any
> > neverallow rules with an attribute that has been removed cannot be checked.
> >
> > Now attributes are kept unless they are not used in any allow rule and
> > they are auto-generated or named "cil_gen_require" or do not have any
> > types associated with them.
> 
> I see now, you’re keeping them unless they are generated or marked.

I'm still not convinced this does what's on the tin. In the case of AOSP, the
attributes are not used in any allow rules, they are not auto-generated or named cil_gen_require,
and they will not have any types associated with them. So I see them being discarded.

I would imagine that a match on cil_gen_require would yield the same result as cil_attr->used.
Perhaps, if cil_gen_require causes a discard, the name is bad?

Can you perhaps tell me I am an idiot and maybe find a clearer way to describe this.
> 
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
> > ---
> >  libsepol/cil/src/cil_post.c  | 27 +++++++++++++++++++++++++++
> >  libsepol/src/module_to_cil.c |  8 +++++---
> >  2 files changed, 32 insertions(+), 3 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> > index a694b33..f8447c9 100644
> > --- a/libsepol/cil/src/cil_post.c
> > +++ b/libsepol/cil/src/cil_post.c
> > @@ -47,6 +47,9 @@
> >  #include "cil_verify.h"
> >  #include "cil_symtab.h"
> >
> > +#define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in
> > +libsepol/src/module_to_cil.c */ #define TYPEATTR_INFIX "_typeattr_"
> > +/* Also in libsepol/src/module_to_cil.c */
> > +
> >  static int __cil_expr_to_bitmap(struct cil_list *expr, ebitmap_t
> > *out, int max, struct cil_db *db);
> >  static int __cil_expr_list_to_bitmap(struct cil_list *expr_list,
> > ebitmap_t *out, int max, struct cil_db *db);
> >
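Review bot: GEN_REQUIRE_ATTR and TYPEATTR_INFIX are now defined in two separate .c files, tied together only by the "Also in ..." comments; a shared header under libsepol/include or cil/src that both cil_post.c and module_to_cil.c include would keep the two copies from drifting apart, which matters here because cil_post.c decides what to drop from the binary policy based on exactly the string module_to_cil.c generates.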
> > @@ -1186,6 +1189,27 @@ exit:
> >         return SEPOL_ERR;
> >  }
> >
> > +static int cil_typeattribute_used(struct cil_typeattribute *cil_attr)
> > +{
> > +       if (cil_attr->used) {
> > +               return CIL_TRUE;
> > +       }
> > +
> > +       if (strcmp(DATUM(cil_attr)->name, GEN_REQUIRE_ATTR) == 0) {
> > +               return CIL_FALSE;
> Just by reading this patch with 0 knowledge of cil, I would imagine this would be
> CIL_TRUE on a match with GEN_REQUIRED_ATTR. Especially since cardinality 0
> below returns false.
> > +       }
> > +
> > +       if (strstr(DATUM(cil_attr)->name,TYPEATTR_INFIX) != NULL) {
> > +               return CIL_FALSE;
> > +       }
> > +
> > +       if (ebitmap_cardinality(cil_attr->types) == 0) {
> > +               return CIL_FALSE;
> > +       }
> > +
> > +       return CIL_TRUE;
> > +}
> > +
> >  static int __cil_post_db_attr_helper(struct cil_tree_node *node,
> > uint32_t *finished, void *extra_args)
> >  {
> >         int rc = SEPOL_ERR;
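Review bot: the name cil_typeattribute_used() reads as "is this attribute used?", but the function answers "should this attribute be kept?", and it returns CIL_FALSE for an attribute named cil_gen_require that no allow rule references, which is what prompted the question above. A name such as cil_typeattribute_keep() plus a comment restating the rule from the commit message (kept unless it is unused in allow rules and is auto-generated, or named cil_gen_require, or has no types) would make the intent readable from the code. Also, `strstr(DATUM(cil_attr)->name, TYPEATTR_INFIX)` matches any attribute whose name contains "_typeattr_" anywhere, so a hand-written attribute with that substring would be dropped as well; checking for the generated form `<module>_typeattr_<n>` would be stricter.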
> > @@ -1208,6 +1232,9 @@ static int __cil_post_db_attr_helper(struct
> > cil_tree_node *node, uint32_t *finis
> >                 if (attr->types == NULL) {
> >                         rc = __evaluate_type_expression(attr, db);
> >                         if (rc != SEPOL_OK) goto exit;
> > +                       if (cil_typeattribute_used(attr)) {
> > +                               attr->used = CIL_TRUE;
> > +                       }
> >                 }
> >                 break;
> >         }
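Review bot: the new call sits inside the `if (attr->types == NULL)` branch, so an attribute whose type set was already evaluated before this helper runs never has the new rule applied to it; please confirm every typeattribute reaches this helper with types == NULL, or move the call after the branch. Since cil_typeattribute_used() already returns CIL_TRUE when attr->used is set, the three-line if can also be written as `attr->used = cil_typeattribute_used(attr);`.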
> > diff --git a/libsepol/src/module_to_cil.c
> > b/libsepol/src/module_to_cil.c index b9a4af7..bcbb4de 100644
> > --- a/libsepol/src/module_to_cil.c
> > +++ b/libsepol/src/module_to_cil.c
> > @@ -58,7 +58,9 @@ FILE *out_file;
> >  #define STACK_SIZE 16
> >  #define DEFAULT_LEVEL "systemlow"
> >  #define DEFAULT_OBJECT "object_r"
> > -#define GEN_REQUIRE_ATTR "cil_gen_require"
> > +#define GEN_REQUIRE_ATTR "cil_gen_require" /* Also in
> > +libsepol/cil/src/cil_post.c */ #define TYPEATTR_INFIX "_typeattr_"
> > +/* Also in libsepol/cil/src/cil_post.c */ #define ROLEATTR_INFIX "_roleattr_"
> >
> >  __attribute__ ((format(printf, 1, 2)))
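Review bot: as the patch arrived on the list, the "/* Also in libsepol/cil/src/cil_post.c */" comment and the following `#define TYPEATTR_INFIX` (and likewise the `#define ROLEATTR_INFIX`) appear on a single line, which would put the second define inside the comment; the same run-together shows in the cil_post.c hunk. Please check for mailer line-wrapping before applying, and in a resend keep each `#define` on its own line.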
> >  static void log_err(const char *fmt, ...) @@ -626,9 +628,9 @@ static
> > int set_to_cil_attr(struct policydb *pdb, int is_type, char ***names,
> > uin
> >         num_attrs++;
> >
> >         if (is_type) {
> > -               attr_infix = "_typeattr_";
> > +               attr_infix = TYPEATTR_INFIX;
> >         } else {
> > -               attr_infix = "_roleattr_";
> > +               attr_infix = ROLEATTR_INFIX;
> >         }
> >
> >         len = strlen(pdb->name) + strlen(attr_infix) +
> > num_digits(num_attrs) + 1;
> > --
> > 2.5.5
> >
> > _______________________________________________
> > Selinux mailing list
> > Selinux@xxxxxxxxxxxxx
> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
> 

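To make the keep/discard rule from the commit message concrete, here is a small model of it with a table of sample attributes, including the AOSP case of an attribute referenced only by neverallow rules. This is an added example, not libsepol code: the real implementation works on struct cil_typeattribute and ebitmaps, whereas this reduces an attribute to the three facts the rule consults, and every attribute name and count below is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Same string constants the patch introduces in cil_post.c. */
#define GEN_REQUIRE_ATTR "cil_gen_require"
#define TYPEATTR_INFIX   "_typeattr_"

/* Constructed stand-in for struct cil_typeattribute (not the real type). */
struct attr {
    const char *name;
    int used_in_allow;  /* referenced by at least one allow rule */
    int num_types;      /* size of the attribute's expanded type set */
};

/* Returns 1 if the attribute stays in the binary policy, 0 if it is dropped.
 * An attribute is dropped only when it is NOT used in any allow rule AND
 * (it is named cil_gen_require OR it is auto-generated OR it has no types).
 * An attribute used only in neverallow rules but carrying types is kept. */
int keep_attribute(const struct attr *a)
{
    if (a->used_in_allow)
        return 1;
    if (strcmp(a->name, GEN_REQUIRE_ATTR) == 0)
        return 0;
    if (strstr(a->name, TYPEATTR_INFIX) != NULL)
        return 0;
    if (a->num_types == 0)
        return 0;
    return 1;
}

/* Constructed sample attributes (hypothetical names and counts). */
static const struct attr samples[] = {
    { "domain",            1, 40 }, /* used by allow rules: kept */
    { "neverallow_only",   0, 12 }, /* neverallow-only, has types: kept */
    { "cil_gen_require",   0,  0 }, /* marker attribute: dropped */
    { "base_typeattr_3",   0,  2 }, /* generated by module_to_cil: dropped */
    { "unused_attr",       0,  0 }, /* no allow rule, no types: dropped */
};
#define NUM_SAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of sample attributes that survive the rule. */
int count_kept(void)
{
    int kept = 0;
    for (size_t i = 0; i < NUM_SAMPLES; i++)
        kept += keep_attribute(&samples[i]);
    return kept;
}

int main(void)
{
    for (size_t i = 0; i < NUM_SAMPLES; i++) {
        const struct attr *a = &samples[i];
        printf("%-20s allow=%d types=%2d -> %s\n", a->name, a->used_in_allow,
               a->num_types, keep_attribute(a) ? "kept" : "dropped");
    }
    printf("%d of %zu kept\n", count_kept(), NUM_SAMPLES);
    return 0;
}
```

The second row is the case the thread worries about: an attribute with no allow-rule references is still kept as long as it has types and is not a generated or marker attribute, so neverallow rules naming it can be checked against the binary policy.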
