On 03/28/2017 05:22 PM, Nicolas Iooss wrote:
On Tue, Mar 28, 2017 at 7:28 PM, James Carter <jwcart2@xxxxxxxxxxxxx> wrote:CIL does not allow type or role sets in certain rules (such as allow rules). It does, however, allow sets in typeattributeset and roleattributeset statements. Because of this, when module_to_cil translates a policy into CIL, it creates a new attribute for each set that it encounters. But often the same set is used multiple times which means that more attributes are created then necessary. As the number of attributes increases the time required for the kernel to make each policy decision increases which can be a problem. To help reduce the number of attributes in a kernel policy, when module_to_cil encounters a role or type set search to see if the set was encountered already and, if it was, use the previously generated attribute instead of creating a new one. Testing on Android and Refpolicy policies show that this reduces the number of attributes generated by about 40%. Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx> --- libsepol/src/module_to_cil.c | 593 +++++++++++++++++++++---------------------- 1 file changed, 283 insertions(+), 310 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 6c33b94..4ea8a83 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c [...] +static char *get_new_attr_name(struct policydb *pdb, int is_type) { static unsigned int num_attrs = 0; - int rc = -1; int len, rlen; - const char *attr_infix; - char *attr; + char *infix; + char *attr_name = NULL;Why is infix "char *" instead of "const char *", like attr_infix was? I am seeing a compiler warning with -Wwrite-strings ("error: assignment discards ‘const’ qualifier from pointer target type" on "infix = TYPEATTR_INFIX").
It should be "const char *". Thanks, Jim
Cheers, Nicolas
-- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
