On Wed, Dec 07, 2016 at 08:27:05AM -0500, Stephen Smalley wrote: > On 12/07/2016 07:15 AM, Gary Tierney wrote: > > Adds a check for avrules with type attributes that have a bitmap cardinality > > of 0 (i.e., no types in their set) before adding them to the libsepol policy in > > __cil_avrule_to_avtab(). Also adds an exception for neverallow rules to > > prevent breaking anything from AOSP mentioned in > > f9927d9370f90bd9d975ff933fe107ec4f93a9ac. > > James Carter is away for a few days, so this might be delayed in review. > No problem. I'll try and get the second part of this (removing typeattributes which are only used in these dud avrules) to the list in time for reviewing this. > > > > Signed-off-by: Gary Tierney <gary.tierney@xxxxxxx> > > --- > > libsepol/cil/src/cil_binary.c | 47 +++++++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 47 insertions(+) > > > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > > index d33981b..3aa350a 100644 > > --- a/libsepol/cil/src/cil_binary.c > > +++ b/libsepol/cil/src/cil_binary.c 
> > @@ -1411,6 +1411,48 @@ exit: > > return rc; > > } > > > > +static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src) > > +{ > > + struct cil_tree_node *node = NULL; > > + struct cil_typeattribute *attrib = NULL; > > + > > + if (src->fqn == CIL_KEY_SELF) { > > + return CIL_FALSE; > > + } > > + > > + node = src->nodes->head->data; > > + > > + if (node->flavor != CIL_TYPEATTRIBUTE) { > > + return CIL_FALSE; > > + } > > + > > + attrib = (struct cil_typeattribute *) src; > > + return ebitmap_cardinality(attrib->types) == 0; > > +} > > + > > +static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule) > > +{ > > + struct cil_symtab_datum *src = cil_avrule->src; > > + struct cil_symtab_datum *tgt = cil_avrule->tgt; > > + > > + // Don't remove neverallow rules so they are written to > > + // the resulting policy and can be checked by tools in > > + // AOSP. > > + if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) { > > + return CIL_FALSE; > > + } > > + > > + if (__cil_type_datum_is_unused_attrib(src)) { > > + return CIL_TRUE; > > + } > > + > > + if (__cil_type_datum_is_unused_attrib(tgt)) { > > + return CIL_TRUE; > > + } > > + > > + return CIL_FALSE; > > +} > > + > > int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor) > > { > > int rc = SEPOL_ERR; > > @@ -1425,6 +1467,11 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a > > goto exit; > > } > > > > + if (__cil_avrule_can_remove(cil_avrule)) { > > + rc = SEPOL_OK; > > + goto exit; > > + } > > + > > src = cil_avrule->src; > > tgt = cil_avrule->tgt; > > > > > -- Gary Tierney GPG fingerprint: 412C 0EF9 C305 68E6 B660 BDAF 706E D765 85AA 79D8 https://sks-keyservers.net/pks/lookup?op=get&search=0x706ED76585AA79D8
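Review bot: in the first hunk (@@ -1411), `__cil_type_datum_is_unused_attrib` is misnamed: it does not test whether an attribute is unused, it tests whether the attribute's type set is empty (`return ebitmap_cardinality(attrib->types) == 0;`), and the reply above reserves the word "unused" for the follow-up patch that removes attributes referenced only by these dud avrules. Renaming it to something like `__cil_type_datum_is_empty_attrib` keeps the two notions apart and makes `__cil_avrule_can_remove` read correctly. A second point in the same function: `node = src->nodes->head->data;` dereferences `src->nodes` and `head` unconditionally once the `CIL_KEY_SELF` early return has been passed; if every non-self datum that reaches `__cil_avrule_to_avtab` is guaranteed to carry a node list, a short comment stating that invariant would save the next reader from re-deriving it.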
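Review bot: in the second hunk (@@ -1425), the early return `rc = SEPOL_OK; goto exit;` drops the rule silently, so a policy author whose allow rule never appears in the compiled policy gets no indication that it was discarded because `src` or `tgt` is an attribute with no types. Consider emitting a debug- or info-level log line naming the rule's source and target before the `goto exit`, or at least documenting the behaviour next to `__cil_avrule_can_remove`; the neverallow exception already acknowledges that downstream tools inspect the written policy, and the same tools will be equally surprised by allow rules that vanish without trace.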
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.