On Tue, Mar 28, 2017 at 7:28 PM, James Carter <jwcart2@xxxxxxxxxxxxx> wrote:
> CIL does not allow type or role sets in certain rules (such as allow
> rules). It does, however, allow sets in typeattributeset and
> roleattributeset statements. Because of this, when module_to_cil
> translates a policy into CIL, it creates a new attribute for each
> set that it encounters. But often the same set is used multiple times
> which means that more attributes are created than necessary. As the
> number of attributes increases the time required for the kernel to
> make each policy decision increases which can be a problem.
>
> To help reduce the number of attributes in a kernel policy,
> when module_to_cil encounters a role or type set, search to see if the
> set was encountered already and, if it was, use the previously
> generated attribute instead of creating a new one.
>
> Testing on Android and Refpolicy policies shows that this reduces the
> number of attributes generated by about 40%.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
> ---
> libsepol/src/module_to_cil.c | 593 +++++++++++++++++++++----------------------
> 1 file changed, 283 insertions(+), 310 deletions(-)
>
> diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c > index 6c33b94..4ea8a83 100644 > --- a/libsepol/src/module_to_cil.c
> +++ b/libsepol/src/module_to_cil.c > > [...] > > +static char *get_new_attr_name(struct policydb *pdb, int is_type) > { > static unsigned int num_attrs = 0; > - int rc = -1; > int len, rlen; > - const char *attr_infix; > - char *attr; > + char *infix; > + char *attr_name = NULL;

Why is infix "char *" instead of "const char *", like attr_infix was? I
am seeing a compiler warning with -Wwrite-strings ("error: assignment
discards ‘const’ qualifier from pointer target type" on "infix =
TYPEATTR_INFIX").

Cheers,
Nicolas
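
Review bot: at `+ char *infix;` the `const` qualifier that the removed `const char *attr_infix;` carried is lost, and the -Wwrite-strings diagnostic quoted in the reply shows the variable is assigned a const string (`infix = TYPEATTR_INFIX`); declaring it `const char *infix;` keeps such builds clean and prevents later code from writing through the pointer. The function also now returns `char *`, with `attr_name` starting as NULL and `rc` removed, so a short comment stating that NULL signals failure and who frees the returned name would help callers, if that is the intended contract.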
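
The reuse described in the quoted commit message, as an added example that is not code from this thread or from libsepol: each set is looked up before a name is generated, so a repeated set maps to the attribute created the first time. The bitmask set representation, the `example_typeattr_` name format and every identifier below are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-in for a type set: membership and
 * negation masks. libsepol uses ebitmaps; this is not its API. */
struct set_key {
	uint64_t types;
	uint64_t negset;
};

struct attr_entry {
	struct set_key key;
	char name[32];
	struct attr_entry *next;
};

struct attr_table {
	struct attr_entry *head;
	unsigned int num_attrs;
};

/* Return the attribute name for a set, generating one only the first time
 * the set is seen. NULL means allocation failed; the table owns the name. */
const char *attr_for_set(struct attr_table *t, const struct set_key *k)
{
	struct attr_entry *e;

	for (e = t->head; e != NULL; e = e->next) {
		if (e->key.types == k->types && e->key.negset == k->negset)
			return e->name; /* seen before: reuse the attribute */
	}
	e = calloc(1, sizeof(*e));
	if (e == NULL)
		return NULL;
	e->key = *k;
	/* Constructed name format, not the one module_to_cil emits. */
	snprintf(e->name, sizeof(e->name), "example_typeattr_%u", t->num_attrs++);
	e->next = t->head;
	t->head = e;
	return e->name;
}

/* Release every entry and reset the counter. */
void attr_table_free(struct attr_table *t)
{
	while (t->head != NULL) {
		struct attr_entry *next = t->head->next;
		free(t->head);
		t->head = next;
	}
	t->num_attrs = 0;
}
```

The lookup here is a linear scan, which is enough to show the reuse; the counter lives in the table rather than in a function-level static so that separate tables number their attributes independently.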