On Tue, Apr 11, 2017 at 01:53:42PM -0400, James Carter wrote:
> Originally, all type attributes were expanded when building a binary
> policy. As the policy grew, binary policy sizes became too large, so
> changes were made to keep attributes in the binary policy to minimize
> policy size.
>
> Keeping attributes works well as long as each type does not have too
> many attributes. If an access check fails for types t1 and t2, then
> additional checks must be made for every attribute that t1 is a member
> of against t2 and all the attributes that t2 is a member of. This is
> O(n*m) behavior and there are cases now where this is becoming a
> performance issue.
>
> Attributes are more aggressively removed than before. An attribute
> will now be removed if it only appears in rules where attributes are
> always expanded (typetransition, typechange, typemember, roletransition,
> rangetransition, roletype, and AV Rules with self).
>
> Attributes that are used in constraints are always kept because the
> attribute name is stored for debugging purposes in the binary policy.
>
> Attributes that are used in neverallow rules, but not in other AV rules,
> will be kept unless the attribute is auto-generated.
>
> Attributes that are only used in AV rules other than neverallow rules
> are kept unless the number of types assigned to them is less than the
> value of attrs_expand_size in the CIL db. The default is 1, which means
> that any attribute that has no types assigned to it will be expanded (and
> the rule removed from the policy), which is CIL's current behavior.
I might be misunderstanding here but how is that CIL's current behavior.
With my dssp1 policy I ended up with many rules that were associated with type attributes that had no types associated with them. The attributes and rules associated with them were not removed.
The
> value can be set using the function cil_set_attrs_expand_size().
>
> Auto-generated attributes that are used only in neverallow rules are
> always expanded. The rest are kept by default, but if the value of
> attrs_expand_generated in the CIL db is set to true, they will be
> expanded. The function cil_set_attrs_expand_generated() can be used
> to set the value.
>
> When creating the binary policy, CIL will expand all attributes that
> are being removed and it will expand all attributes with less members
> than the value specified by attrs_expand_size. So even if an attribute
> is used in a constraint or neverallow and the attribute itself will be
> included in the binary policy, it will be expanded when writing AV
> rules if it has less members than attrs_expand_size.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
> ---
> libsepol/cil/include/cil/cil.h | 2 +
> libsepol/cil/src/cil.c | 12 ++
> libsepol/cil/src/cil_binary.c | 253 +++++++++++++++++++++++++++----------
> libsepol/cil/src/cil_internal.h | 7 +-
> libsepol/cil/src/cil_post.c | 32 +++--
> libsepol/cil/src/cil_resolve_ast.c | 25 ++--
> libsepol/src/libsepol.map.in | 2 +
> 7 files changed, 233 insertions(+), 100 deletions(-)
>
> diff --git a/libsepol/cil/include/cil/cil.h b/libsepol/cil/include/cil/cil.h
> index c4a6fb9..4507892 100644
> --- a/libsepol/cil/include/cil/cil.h
> +++ b/libsepol/cil/include/cil/cil.h
> @@ -50,6 +50,8 @@ extern void cil_set_disable_neverallow(cil_db_t *db, int disable_neverallow);
> extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables);
> extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown);
> extern void cil_set_mls(cil_db_t *db, int mls);
> +extern void cil_set_attrs_expand_generated(struct cil_db *db, int attrs_expand_generated);
> +extern void cil_set_attrs_expand_size(struct cil_db *db, unsigned attrs_expand_size);
> extern void cil_set_target_platform(cil_db_t *db, int target_platform);
> extern void cil_set_policy_version(cil_db_t *db, int policy_version);
> extern void cil_write_policy_conf(FILE *out, struct cil_db *db);
> diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> index 7c40ad0..a64c528 100644
> --- a/libsepol/cil/src/cil.c
> +++ b/libsepol/cil/src/cil.c
> @@ -282,6 +282,8 @@ void cil_db_init(struct cil_db **db)
>
> (*db)->disable_dontaudit = CIL_FALSE;
> (*db)->disable_neverallow = CIL_FALSE;
> + (*db)->attrs_expand_generated = CIL_FALSE;
> + (*db)->attrs_expand_size = 1;
> (*db)->preserve_tunables = CIL_FALSE;
> (*db)->handle_unknown = -1;
> (*db)->mls = -1;
> @@ -1629,6 +1631,16 @@ void cil_set_disable_neverallow(struct cil_db *db, int disable_neverallow)
> db->disable_neverallow = disable_neverallow;
> }
>
> +void cil_set_attrs_expand_generated(struct cil_db *db, int attrs_expand_generated)
> +{
> + db->attrs_expand_generated = attrs_expand_generated;
> +}
> +
> +void cil_set_attrs_expand_size(struct cil_db *db, unsigned attrs_expand_size)
> +{
> + db->attrs_expand_size = attrs_expand_size;
> +}
> +
> void cil_set_preserve_tunables(struct cil_db *db, int preserve_tunables)
> {
> db->preserve_tunables = preserve_tunables;
> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> index ac18c4e..e1481a4 100644
> --- a/libsepol/cil/src/cil_binary.c
> +++ b/libsepol/cil/src/cil_binary.c
> @@ -567,7 +567,7 @@ int cil_typeattribute_to_policydb(policydb_t *pdb, struct cil_typeattribute *cil
> char *key = NULL;
> type_datum_t *sepol_attr = NULL;
>
> - if (cil_attr->used == CIL_FALSE) {
> + if (!cil_attr->used) {
> return SEPOL_OK;
> }
>
> @@ -632,7 +632,7 @@ int cil_typeattribute_to_bitmap(policydb_t *pdb, const struct cil_db *db, struct
> ebitmap_node_t *tnode;
> unsigned int i;
>
> - if (cil_attr->used == CIL_FALSE) {
> + if (!cil_attr->used) {
> return SEPOL_OK;
> }
>
> @@ -1429,46 +1429,20 @@ exit:
> return rc;
> }
>
> -static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
> +static int __cil_should_expand_attribute( const struct cil_db *db, struct cil_symtab_datum *datum)
> {
> - struct cil_tree_node *node = NULL;
> - struct cil_typeattribute *attrib = NULL;
> + struct cil_tree_node *node;
> + struct cil_typeattribute *attr;
>
> - if (src->fqn == CIL_KEY_SELF) {
> - return CIL_FALSE;
> - }
> -
> - node = NODE(src);
> + node = NODE(datum);
>
> if (node->flavor != CIL_TYPEATTRIBUTE) {
> return CIL_FALSE;
> }
>
> - attrib = (struct cil_typeattribute *) src;
> - return ebitmap_cardinality(attrib->types) == 0;
> -}
> -
> -static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
> -{
> - struct cil_symtab_datum *src = cil_avrule->src;
> - struct cil_symtab_datum *tgt = cil_avrule->tgt;
> -
> - // Don't remove neverallow rules so they are written to
> - // the resulting policy and can be checked by tools in
> - // AOSP.
> - if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
> - return CIL_FALSE;
> - }
> -
> - if (__cil_type_datum_is_unused_attrib(src)) {
> - return CIL_TRUE;
> - }
> -
> - if (__cil_type_datum_is_unused_attrib(tgt)) {
> - return CIL_TRUE;
> - }
> + attr = (struct cil_typeattribute *)datum;
>
> - return CIL_FALSE;
> + return !attr->used || (ebitmap_cardinality(attr->types) < db->attrs_expand_size);
> }
>
> int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
> @@ -1478,6 +1452,9 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
> struct cil_symtab_datum *src = NULL;
> struct cil_symtab_datum *tgt = NULL;
> struct cil_list *classperms = cil_avrule->perms.classperms;
> + ebitmap_t src_bitmap, tgt_bitmap;
> + ebitmap_node_t *snode, *tnode;
> + unsigned int s,t;
>
> if (cil_avrule->rule_kind == CIL_AVRULE_DONTAUDIT && db->disable_dontaudit == CIL_TRUE) {
> // Do not add dontaudit rules to binary
> @@ -1485,36 +1462,98 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
> goto exit;
> }
>
> - if (__cil_avrule_can_remove(cil_avrule)) {
> - rc = SEPOL_OK;
> - goto exit;
> - }
> -
> src = cil_avrule->src;
> tgt = cil_avrule->tgt;
>
> if (tgt->fqn == CIL_KEY_SELF) {
> - ebitmap_t type_bitmap;
> - ebitmap_node_t *tnode;
> - unsigned int i;
> -
> - rc = __cil_expand_type(src, &type_bitmap);
> - if (rc != SEPOL_OK) goto exit;
> + rc = __cil_expand_type(src, &src_bitmap);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
>
> - ebitmap_for_each_bit(&type_bitmap, tnode, i) {
> - if (!ebitmap_get_bit(&type_bitmap, i)) continue;
> + ebitmap_for_each_bit(&src_bitmap, snode, s) {
> + if (!ebitmap_get_bit(&src_bitmap, s)) continue;
>
> - src = DATUM(db->val_to_type[i]);
> + src = DATUM(db->val_to_type[s]);
> rc = __cil_avrule_expand(pdb, kind, src, src, classperms, cond_node, cond_flavor);
> if (rc != SEPOL_OK) {
> - ebitmap_destroy(&type_bitmap);
> + ebitmap_destroy(&src_bitmap);
> goto exit;
> }
> }
> - ebitmap_destroy(&type_bitmap);
> + ebitmap_destroy(&src_bitmap);
> } else {
> - rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> - if (rc != SEPOL_OK) goto exit;
> + int expand_src = __cil_should_expand_attribute(db, src);
> + int expand_tgt = __cil_should_expand_attribute(db, tgt);
> + if (!expand_src && !expand_tgt) {
> + rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> + } else if (expand_src && expand_tgt) {
> + rc = __cil_expand_type(src, &src_bitmap);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> +
> + rc = __cil_expand_type(tgt, &tgt_bitmap);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&src_bitmap);
> + goto exit;
> + }
> +
> + ebitmap_for_each_bit(&src_bitmap, snode, s) {
> + if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> + src = DATUM(db->val_to_type[s]);
> + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> + tgt = DATUM(db->val_to_type[t]);
> +
> + rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&src_bitmap);
> + ebitmap_destroy(&tgt_bitmap);
> + goto exit;
> + }
> + }
> + }
> + ebitmap_destroy(&src_bitmap);
> + ebitmap_destroy(&tgt_bitmap);
> + } else if (expand_src) {
> + rc = __cil_expand_type(src, &src_bitmap);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> +
> + ebitmap_for_each_bit(&src_bitmap, snode, s) {
> + if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> + src = DATUM(db->val_to_type[s]);
> +
> + rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&src_bitmap);
> + goto exit;
> + }
> + }
> + ebitmap_destroy(&src_bitmap);
> + } else { /* expand_tgt */
> + rc = __cil_expand_type(tgt, &tgt_bitmap);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> +
> + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> + tgt = DATUM(db->val_to_type[t]);
> +
> + rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&tgt_bitmap);
> + goto exit;
> + }
> + }
> + ebitmap_destroy(&tgt_bitmap);
> + }
> }
>
> return SEPOL_OK;
> @@ -1789,11 +1828,9 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci
> uint16_t kind;
> struct cil_symtab_datum *src = NULL;
> struct cil_symtab_datum *tgt = NULL;
> - ebitmap_t type_bitmap;
> - ebitmap_node_t *tnode;
> - unsigned int i;
> -
> - ebitmap_init(&type_bitmap);
> + ebitmap_t src_bitmap, tgt_bitmap;
> + ebitmap_node_t *snode, *tnode;
> + unsigned int s,t;
>
> if (cil_avrulex->rule_kind == CIL_AVRULE_DONTAUDIT && db->disable_dontaudit == CIL_TRUE) {
> // Do not add dontaudit rules to binary
> @@ -1806,28 +1843,97 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci
> tgt = cil_avrulex->tgt;
>
> if (tgt->fqn == CIL_KEY_SELF) {
> - rc = __cil_expand_type(src, &type_bitmap);
> + rc = __cil_expand_type(src, &src_bitmap);
> if (rc != SEPOL_OK) goto exit;
>
> - ebitmap_for_each_bit(&type_bitmap, tnode, i) {
> - if (!ebitmap_get_bit(&type_bitmap, i)) continue;
> + ebitmap_for_each_bit(&src_bitmap, snode, s) {
> + if (!ebitmap_get_bit(&src_bitmap, s)) continue;
>
> - src = DATUM(db->val_to_type[i]);
> + src = DATUM(db->val_to_type[s]);
> rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, src, cil_avrulex->perms.x.permx, args);
> if (rc != SEPOL_OK) {
> goto exit;
> }
> }
> + ebitmap_destroy(&src_bitmap);
> } else {
> - rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> - if (rc != SEPOL_OK) goto exit;
> + int expand_src = __cil_should_expand_attribute(db, src);
> + int expand_tgt = __cil_should_expand_attribute(db, tgt);
> +
> + if (!expand_src && !expand_tgt) {
> + rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> + } else if (expand_src && expand_tgt) {
> + rc = __cil_expand_type(src, &src_bitmap);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> +
> + rc = __cil_expand_type(tgt, &tgt_bitmap);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&src_bitmap);
> + goto exit;
> + }
> +
> + ebitmap_for_each_bit(&src_bitmap, snode, s) {
> + if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> + src = DATUM(db->val_to_type[s]);
> + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> + tgt = DATUM(db->val_to_type[t]);
> +
> + rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&src_bitmap);
> + ebitmap_destroy(&tgt_bitmap);
> + goto exit;
> + }
> + }
> + }
> + ebitmap_destroy(&src_bitmap);
> + ebitmap_destroy(&tgt_bitmap);
> + } else if (expand_src) {
> + rc = __cil_expand_type(src, &src_bitmap);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> +
> + ebitmap_for_each_bit(&src_bitmap, snode, s) {
> + if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> + src = DATUM(db->val_to_type[s]);
> +
> + rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&src_bitmap);
> + goto exit;
> + }
> + }
> + ebitmap_destroy(&src_bitmap);
> + } else { /* expand_tgt */
> + rc = __cil_expand_type(tgt, &tgt_bitmap);
> + if (rc != SEPOL_OK) {
> + goto exit;
> + }
> +
> + ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> + if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> + tgt = DATUM(db->val_to_type[t]);
> +
> + rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> + if (rc != SEPOL_OK) {
> + ebitmap_destroy(&tgt_bitmap);
> + goto exit;
> + }
> + }
> + ebitmap_destroy(&tgt_bitmap);
> + }
> }
>
> - rc = SEPOL_OK;
> + return SEPOL_OK;
>
> exit:
> - ebitmap_destroy(&type_bitmap);
> -
> return rc;
> }
>
> @@ -2417,12 +2523,19 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d
> if (pdb->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES) {
> rc = __cil_get_sepol_type_datum(pdb, item->data, &sepol_type);
> if (rc != SEPOL_OK) {
> - ebitmap_destroy(&type_bitmap);
> - goto exit;
> + if (FLAVOR(item->data) == CIL_TYPEATTRIBUTE) {
> + struct cil_typeattribute *attr = item->data;
> + if (!attr->used) {
> + rc = 0;
> + }
> + }
> }
>
> - if (ebitmap_set_bit(&expr->type_names->types, sepol_type->s.value - 1, 1)) {
> - ebitmap_destroy(&type_bitmap);
> + if (sepol_type) {
> + rc = ebitmap_set_bit(&expr->type_names->types, sepol_type->s.value - 1, 1);
> + }
> +
> + if (rc != SEPOL_OK) {
> goto exit;
> }
> }
> diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
> index 03672bb..efa2cd6 100644
> --- a/libsepol/cil/src/cil_internal.h
> +++ b/libsepol/cil/src/cil_internal.h
> @@ -306,6 +306,8 @@ struct cil_db {
> struct cil_user **val_to_user;
> int disable_dontaudit;
> int disable_neverallow;
> + int attrs_expand_generated;
> + unsigned attrs_expand_size;
> int preserve_tunables;
> int handle_unknown;
> int mls;
> @@ -513,11 +515,14 @@ struct cil_type {
> int value;
> };
>
> +#define CIL_ATTR_AVRULE 0x01
> +#define CIL_ATTR_NEVERALLOW 0x02
> +#define CIL_ATTR_CONSTRAINT 0x04
> struct cil_typeattribute {
> struct cil_symtab_datum datum;
> struct cil_list *expr_list;
> ebitmap_t *types;
> - int used; // whether or not this typeattribute was used and should be added to the binary
> + int used; // whether or not this attribute was used in a binary policy rule
> };
>
> struct cil_typeattributeset {
> diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> index 089c02f..ae62ddb 100644
> --- a/libsepol/cil/src/cil_post.c
> +++ b/libsepol/cil/src/cil_post.c
> @@ -1188,22 +1188,32 @@ exit:
> return SEPOL_ERR;
> }
>
> -static int cil_typeattribute_used(struct cil_typeattribute *cil_attr)
> +static int cil_typeattribute_used(struct cil_typeattribute *attr, struct cil_db *db)
> {
> - if (cil_attr->used) {
> - return CIL_TRUE;
> + if (!attr->used) {
> + return CIL_FALSE;
> }
>
> - if (strcmp(DATUM(cil_attr)->name, GEN_REQUIRE_ATTR) == 0) {
> - return CIL_FALSE;
> + if (attr->used & CIL_ATTR_CONSTRAINT) {
> + return CIL_TRUE;
> }
>
> - if (strstr(DATUM(cil_attr)->name,TYPEATTR_INFIX) != NULL) {
> - return CIL_FALSE;
> + if (db->attrs_expand_generated || attr->used == CIL_ATTR_NEVERALLOW) {
> + if (strcmp(DATUM(attr)->name, GEN_REQUIRE_ATTR) == 0) {
> + return CIL_FALSE;
> + } else if (strstr(DATUM(attr)->name, TYPEATTR_INFIX) != NULL) {
> + return CIL_FALSE;
> + }
> +
> + if (attr->used == CIL_ATTR_NEVERALLOW) {
> + return CIL_TRUE;
> + }
> }
>
> - if (ebitmap_cardinality(cil_attr->types) == 0) {
> - return CIL_FALSE;
> + if (attr->used == CIL_ATTR_AVRULE) {
> + if (ebitmap_cardinality(attr->types) < db->attrs_expand_size) {
> + return CIL_FALSE;
> + }
> }
>
> return CIL_TRUE;
> @@ -1231,9 +1241,7 @@ static int __cil_post_db_attr_helper(struct cil_tree_node *node, uint32_t *finis
> if (attr->types == NULL) {
> rc = __evaluate_type_expression(attr, db);
> if (rc != SEPOL_OK) goto exit;
> - if (cil_typeattribute_used(attr)) {
> - attr->used = CIL_TRUE;
> - }
> + attr->used = cil_typeattribute_used(attr, db);
> }
> break;
> }
> diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> index 1870501..6da44ba 100644
> --- a/libsepol/cil/src/cil_resolve_ast.c
> +++ b/libsepol/cil/src/cil_resolve_ast.c
> @@ -269,13 +269,13 @@ exit:
> return rc;
> }
>
> -int cil_type_used(struct cil_symtab_datum *datum)
> +int cil_type_used(struct cil_symtab_datum *datum, int used)
> {
> struct cil_typeattribute *attr = NULL;
>
> if (FLAVOR(datum) == CIL_TYPEATTRIBUTE) {
> attr = (struct cil_typeattribute*)datum;
> - attr->used = CIL_TRUE;
> + attr->used |= used;
> }
>
> return 0;
> @@ -307,6 +307,7 @@ int cil_resolve_avrule(struct cil_tree_node *current, void *extra_args)
> struct cil_symtab_datum *src_datum = NULL;
> struct cil_symtab_datum *tgt_datum = NULL;
> struct cil_symtab_datum *permx_datum = NULL;
> + int used;
> int rc = SEPOL_ERR;
>
> if (args != NULL) {
> @@ -318,9 +319,6 @@ int cil_resolve_avrule(struct cil_tree_node *current, void *extra_args)
> goto exit;
> }
> rule->src = src_datum;
> - if (rule->rule_kind != CIL_AVRULE_NEVERALLOW) {
> - cil_type_used(src_datum);
> - }
>
> if (rule->tgt_str == CIL_KEY_SELF) {
> rule->tgt = db->selftype;
> @@ -330,9 +328,10 @@ int cil_resolve_avrule(struct cil_tree_node *current, void *extra_args)
> goto exit;
> }
> rule->tgt = tgt_datum;
> - if (rule->rule_kind != CIL_AVRULE_NEVERALLOW) {
> - cil_type_used(tgt_datum);
> - }
> + used = (rule->rule_kind == CIL_AVRULE_NEVERALLOW) ?
> + CIL_ATTR_NEVERALLOW : CIL_ATTR_AVRULE;
> + cil_type_used(src_datum, used); /* src not used if tgt is self */
> + cil_type_used(tgt_datum, used);
> }
>
> if (!rule->is_extended) {
> @@ -376,14 +375,12 @@ int cil_resolve_type_rule(struct cil_tree_node *current, void *extra_args)
> goto exit;
> }
> rule->src = src_datum;
> - cil_type_used(src_datum);
>
> rc = cil_resolve_name(current, rule->tgt_str, CIL_SYM_TYPES, extra_args, &tgt_datum);
> if (rc != SEPOL_OK) {
> goto exit;
> }
> rule->tgt = tgt_datum;
> - cil_type_used(tgt_datum);
>
> rc = cil_resolve_name(current, rule->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> if (rc != SEPOL_OK) {
> @@ -589,14 +586,12 @@ int cil_resolve_nametypetransition(struct cil_tree_node *current, void *extra_ar
> goto exit;
> }
> nametypetrans->src = src_datum;
> - cil_type_used(src_datum);
>
> rc = cil_resolve_name(current, nametypetrans->tgt_str, CIL_SYM_TYPES, extra_args, &tgt_datum);
> if (rc != SEPOL_OK) {
> goto exit;
> }
> nametypetrans->tgt = tgt_datum;
> - cil_type_used(tgt_datum);
>
> rc = cil_resolve_name(current, nametypetrans->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> if (rc != SEPOL_OK) {
> @@ -647,14 +642,12 @@ int cil_resolve_rangetransition(struct cil_tree_node *current, void *extra_args)
> goto exit;
> }
> rangetrans->src = src_datum;
> - cil_type_used(src_datum);
>
> rc = cil_resolve_name(current, rangetrans->exec_str, CIL_SYM_TYPES, extra_args, &exec_datum);
> if (rc != SEPOL_OK) {
> goto exit;
> }
> rangetrans->exec = exec_datum;
> - cil_type_used(exec_datum);
>
> rc = cil_resolve_name(current, rangetrans->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> if (rc != SEPOL_OK) {
> @@ -1006,7 +999,6 @@ int cil_resolve_roletype(struct cil_tree_node *current, void *extra_args)
> goto exit;
> }
> roletype->type = (struct cil_type*)type_datum;
> - cil_type_used(type_datum);
>
> return SEPOL_OK;
>
> @@ -1035,7 +1027,6 @@ int cil_resolve_roletransition(struct cil_tree_node *current, void *extra_args)
> goto exit;
> }
> roletrans->tgt = tgt_datum;
> - cil_type_used(tgt_datum);
>
> rc = cil_resolve_name(current, roletrans->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> if (rc != SEPOL_OK) {
> @@ -3108,7 +3099,7 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc
> }
>
> if (sym_index == CIL_SYM_TYPES && (expr_type == CIL_CONSTRAIN || expr_type == CIL_VALIDATETRANS)) {
> - cil_type_used(res_datum);
> + cil_type_used(res_datum, CIL_ATTR_CONSTRAINT);
> }
>
> cil_list_append(*datum_expr, CIL_DATUM, res_datum);
> diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
> index 5e68fcb..4042640 100644
> --- a/libsepol/src/libsepol.map.in
> +++ b/libsepol/src/libsepol.map.in
> @@ -45,6 +45,8 @@ LIBSEPOL_1.1 {
> cil_set_target_platform;
> cil_set_policy_version;
> cil_set_mls;
> + cil_set_attrs_expand_generated;
> + cil_set_attrs_expand_size;
> cil_write_policy_conf;
> sepol_ppfile_to_module_package;
> sepol_module_package_to_cil;
> --
> 2.7.4
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
