Re: [PATCH 1/2] libsepol/cil: Add ability to expand some attributes in binary policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Apr 11, 2017 at 09:33:51PM +0200, Dominick Grift wrote:
> On Tue, Apr 11, 2017 at 03:17:28PM -0400, James Carter wrote:
> > On 04/11/2017 02:46 PM, Dominick Grift wrote:
> > > On Tue, Apr 11, 2017 at 08:37:22PM +0200, Dominick Grift wrote:
> > > > On Tue, Apr 11, 2017 at 01:53:42PM -0400, James Carter wrote:
> > > > > Originally, all type attributes were expanded when building a binary
> > > > > policy. As the policy grew, binary policy sizes became too large, so
> > > > > changes were made to keep attributes in the binary policy to minimize
> > > > > policy size.
> > > > > 
> > > > > Keeping attributes works well as long as each type does not have too
> > > > > many attributes. If an access check fails for types t1 and t2, then
> > > > > additional checks must be made for every attribute that t1 is a member
> > > > > of against t2 and all the attributes that t2 is a member of. This is
> > > > > O(n*m) behavior and there are cases now where this is becoming a
> > > > > performance issue.
> > > > > 
> > > > > Attributes are more aggressively removed than before. An attribute
> > > > > will now be removed if it only appears in rules where attributes are
> > > > > always expanded (typetransition, typechange, typemember, roletransition,
> > > > > rangetransition, roletype, and AV Rules with self).
> > > > > 
> > > > > Attributes that are used in constraints are always kept because the
> > > > > attribute name is stored for debugging purposes in the binary policy.
> > > > > 
> > > > > Attributes that are used in neverallow rules, but not in other AV rules,
> > > > > will be kept unless the attribute is auto-generated.
> > > > > 
> > > > > Attributes that are only used in AV rules other than neverallow rules
> > > > > are kept unless the number of types assigned to them is less than the
> > > > > value of attrs_expand_size in the CIL db. The default is 1, which means
> > > > > that any attribute that has no types assigned to it will be expanded (and
> > > > > the rule removed from the policy), which is CIL's current behavior.
> > > > 
> > > > I might be misunderstanding here but how is that CIL's current behavior.
> > > > 
> > > > With my dssp1 policy I ended up with many rules that were associated with type attributes that had no types associated with them. The attributes and rules associated with them were not removed.
> > > 
> > > I suppose that my dssp1 scenario was slightly different. As these rules used type attributes in both source as well as target, the target type attribute had a type associated with it but the source type attribute didn't. Wondering whether the source isnt actually what should count in this case ...
> > > 
> > 
> > I am not sure that I understand. Everything that I did applies to an
> > attribute whether it is used as a src or a tgt.
> 
> Take this example:
> 
> $ sesearch policy.30 -A -s vconsole_setup.unix_dgram_sockets_sendto_subj_type_attribute -t vconsole_setup.subj -c unix_dgram_socket -p sendto -ds
> allow vconsole_setup.unix_dgram_sockets_sendto_subj_type_attribute vconsole_setup.subj:unix_dgram_socket sendto;
> 
> $ seinfo policy.30 -xtvconsole_setup.unix_dgram_sockets_sendto_subj_type_attribute
> 
> Types: 0
> 

To reproduce:

git clone --recurse https://github.com/defensec/dssp1-standard
cd dssp1-standard
secilc `/bin/find ./src -type f \( -iname "*.cil" \) | /bin/cut -d/ -f2-`
sesearch policy.30 -A

> > 
> > Jim
> > 
> > > > 
> > > > 
> > > >  The
> > > > > value can be set using the function cil_set_attrs_expand_size().
> > > > > 
> > > > > Auto-generated attributes that are used only in neverallow rules are
> > > > > always expanded. The rest are kept by default, but if the value of
> > > > > attrs_expand_generated in the CIL db is set to true, they will be
> > > > > expanded. The function cil_set_attrs_expand_generated() can be used
> > > > > to set the value.
> > > > > 
> > > > > When creating the binary policy, CIL will expand all attributes that
> > > > > are being removed and it will expand all attributes with less members
> > > > > than the value specified by attrs_expand_size. So even if an attribute
> > > > > is used in a constraint or neverallow and the attribute itself will be
> > > > > included in the binary policy, it will be expanded when writing AV
> > > > > rules if it has less members than attrs_expand_size.
> > > > > 
> > > > > Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx>
> > > > > ---
> > > > >  libsepol/cil/include/cil/cil.h     |   2 +
> > > > >  libsepol/cil/src/cil.c             |  12 ++
> > > > >  libsepol/cil/src/cil_binary.c      | 253 +++++++++++++++++++++++++++----------
> > > > >  libsepol/cil/src/cil_internal.h    |   7 +-
> > > > >  libsepol/cil/src/cil_post.c        |  32 +++--
> > > > >  libsepol/cil/src/cil_resolve_ast.c |  25 ++--
> > > > >  libsepol/src/libsepol.map.in       |   2 +
> > > > >  7 files changed, 233 insertions(+), 100 deletions(-)
> > > > > 
> > > > > diff --git a/libsepol/cil/include/cil/cil.h b/libsepol/cil/include/cil/cil.h
> > > > > index c4a6fb9..4507892 100644
> > > > > --- a/libsepol/cil/include/cil/cil.h
> > > > > +++ b/libsepol/cil/include/cil/cil.h
> > > > > @@ -50,6 +50,8 @@ extern void cil_set_disable_neverallow(cil_db_t *db, int disable_neverallow);
> > > > >  extern void cil_set_preserve_tunables(cil_db_t *db, int preserve_tunables);
> > > > >  extern int cil_set_handle_unknown(cil_db_t *db, int handle_unknown);
> > > > >  extern void cil_set_mls(cil_db_t *db, int mls);
> > > > > +extern void cil_set_attrs_expand_generated(struct cil_db *db, int attrs_expand_generated);
> > > > > +extern void cil_set_attrs_expand_size(struct cil_db *db, unsigned attrs_expand_size);
> > > > >  extern void cil_set_target_platform(cil_db_t *db, int target_platform);
> > > > >  extern void cil_set_policy_version(cil_db_t *db, int policy_version);
> > > > >  extern void cil_write_policy_conf(FILE *out, struct cil_db *db);
> > > > > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> > > > > index 7c40ad0..a64c528 100644
> > > > > --- a/libsepol/cil/src/cil.c
> > > > > +++ b/libsepol/cil/src/cil.c
> > > > > @@ -282,6 +282,8 @@ void cil_db_init(struct cil_db **db)
> > > > > 
> > > > >  	(*db)->disable_dontaudit = CIL_FALSE;
> > > > >  	(*db)->disable_neverallow = CIL_FALSE;
> > > > > +	(*db)->attrs_expand_generated = CIL_FALSE;
> > > > > +	(*db)->attrs_expand_size = 1;
> > > > >  	(*db)->preserve_tunables = CIL_FALSE;
> > > > >  	(*db)->handle_unknown = -1;
> > > > >  	(*db)->mls = -1;
> > > > > @@ -1629,6 +1631,16 @@ void cil_set_disable_neverallow(struct cil_db *db, int disable_neverallow)
> > > > >  	db->disable_neverallow = disable_neverallow;
> > > > >  }
> > > > > 
> > > > > +void cil_set_attrs_expand_generated(struct cil_db *db, int attrs_expand_generated)
> > > > > +{
> > > > > +	db->attrs_expand_generated = attrs_expand_generated;
> > > > > +}
> > > > > +
> > > > > +void cil_set_attrs_expand_size(struct cil_db *db, unsigned attrs_expand_size)
> > > > > +{
> > > > > +	db->attrs_expand_size = attrs_expand_size;
> > > > > +}
> > > > > +
> > > > >  void cil_set_preserve_tunables(struct cil_db *db, int preserve_tunables)
> > > > >  {
> > > > >  	db->preserve_tunables = preserve_tunables;
> > > > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > > > > index ac18c4e..e1481a4 100644
> > > > > --- a/libsepol/cil/src/cil_binary.c
> > > > > +++ b/libsepol/cil/src/cil_binary.c
> > > > > @@ -567,7 +567,7 @@ int cil_typeattribute_to_policydb(policydb_t *pdb, struct cil_typeattribute *cil
> > > > >  	char *key = NULL;
> > > > >  	type_datum_t *sepol_attr = NULL;
> > > > > 
> > > > > -	if (cil_attr->used == CIL_FALSE) {
> > > > > +	if (!cil_attr->used) {
> > > > >  		return SEPOL_OK;		
> > > > >  	}
> > > > > 
> > > > > @@ -632,7 +632,7 @@ int cil_typeattribute_to_bitmap(policydb_t *pdb, const struct cil_db *db, struct
> > > > >  	ebitmap_node_t *tnode;
> > > > >  	unsigned int i;
> > > > > 
> > > > > -	if (cil_attr->used == CIL_FALSE) {
> > > > > +	if (!cil_attr->used) {
> > > > >  		return SEPOL_OK;
> > > > >  	}
> > > > > 
> > > > > @@ -1429,46 +1429,20 @@ exit:
> > > > >  	return rc;
> > > > >  }
> > > > > 
> > > > > -static int __cil_type_datum_is_unused_attrib(struct cil_symtab_datum *src)
> > > > > +static int __cil_should_expand_attribute( const struct cil_db *db, struct cil_symtab_datum *datum)
> > > > >  {
> > > > > -	struct cil_tree_node *node = NULL;
> > > > > -	struct cil_typeattribute *attrib = NULL;
> > > > > +	struct cil_tree_node *node;
> > > > > +	struct cil_typeattribute *attr;
> > > > > 
> > > > > -	if (src->fqn == CIL_KEY_SELF) {
> > > > > -		return CIL_FALSE;
> > > > > -	}
> > > > > -
> > > > > -	node = NODE(src);
> > > > > +	node = NODE(datum);
> > > > > 
> > > > >  	if (node->flavor != CIL_TYPEATTRIBUTE) {
> > > > >  		return CIL_FALSE;
> > > > >  	}
> > > > > 
> > > > > -	attrib = (struct cil_typeattribute *) src;
> > > > > -	return ebitmap_cardinality(attrib->types) == 0;
> > > > > -}
> > > > > -
> > > > > -static int __cil_avrule_can_remove(struct cil_avrule *cil_avrule)
> > > > > -{
> > > > > -	struct cil_symtab_datum *src = cil_avrule->src;
> > > > > -	struct cil_symtab_datum *tgt = cil_avrule->tgt;
> > > > > -
> > > > > -	// Don't remove neverallow rules so they are written to
> > > > > -	// the resulting policy and can be checked by tools in
> > > > > -	// AOSP.
> > > > > -	if (cil_avrule->rule_kind == CIL_AVRULE_NEVERALLOW) {
> > > > > -		return CIL_FALSE;
> > > > > -	}
> > > > > -
> > > > > -	if (__cil_type_datum_is_unused_attrib(src)) {
> > > > > -		return CIL_TRUE;
> > > > > -	}
> > > > > -
> > > > > -	if (__cil_type_datum_is_unused_attrib(tgt)) {
> > > > > -		return CIL_TRUE;
> > > > > -	}
> > > > > +	attr = (struct cil_typeattribute *)datum;
> > > > > 
> > > > > -	return CIL_FALSE;
> > > > > +	return !attr->used || (ebitmap_cardinality(attr->types) < db->attrs_expand_size);
> > > > >  }
> > > > > 
> > > > >  int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_avrule *cil_avrule, cond_node_t *cond_node, enum cil_flavor cond_flavor)
> > > > > @@ -1478,6 +1452,9 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
> > > > >  	struct cil_symtab_datum *src = NULL;
> > > > >  	struct cil_symtab_datum *tgt = NULL;
> > > > >  	struct cil_list *classperms = cil_avrule->perms.classperms;
> > > > > +	ebitmap_t src_bitmap, tgt_bitmap;
> > > > > +	ebitmap_node_t *snode, *tnode;
> > > > > +	unsigned int s,t;
> > > > > 
> > > > >  	if (cil_avrule->rule_kind == CIL_AVRULE_DONTAUDIT && db->disable_dontaudit == CIL_TRUE) {
> > > > >  		// Do not add dontaudit rules to binary
> > > > > @@ -1485,36 +1462,98 @@ int __cil_avrule_to_avtab(policydb_t *pdb, const struct cil_db *db, struct cil_a
> > > > >  		goto exit;
> > > > >  	}
> > > > > 
> > > > > -	if (__cil_avrule_can_remove(cil_avrule)) {
> > > > > -		rc = SEPOL_OK;
> > > > > -		goto exit;
> > > > > -	}
> > > > > -
> > > > >  	src = cil_avrule->src;
> > > > >  	tgt = cil_avrule->tgt;
> > > > > 
> > > > >  	if (tgt->fqn == CIL_KEY_SELF) {
> > > > > -		ebitmap_t type_bitmap;
> > > > > -		ebitmap_node_t *tnode;
> > > > > -		unsigned int i;
> > > > > -
> > > > > -		rc = __cil_expand_type(src, &type_bitmap);
> > > > > -		if (rc != SEPOL_OK) goto exit;
> > > > > +		rc = __cil_expand_type(src, &src_bitmap);
> > > > > +		if (rc != SEPOL_OK) {
> > > > > +			goto exit;
> > > > > +		}
> > > > > 
> > > > > -		ebitmap_for_each_bit(&type_bitmap, tnode, i) {
> > > > > -			if (!ebitmap_get_bit(&type_bitmap, i)) continue;
> > > > > +		ebitmap_for_each_bit(&src_bitmap, snode, s) {
> > > > > +			if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> > > > > 
> > > > > -			src = DATUM(db->val_to_type[i]);
> > > > > +			src = DATUM(db->val_to_type[s]);
> > > > >  			rc = __cil_avrule_expand(pdb, kind, src, src, classperms, cond_node, cond_flavor);
> > > > >  			if (rc != SEPOL_OK) {
> > > > > -				ebitmap_destroy(&type_bitmap);
> > > > > +				ebitmap_destroy(&src_bitmap);
> > > > >  				goto exit;
> > > > >  			}
> > > > >  		}
> > > > > -		ebitmap_destroy(&type_bitmap);
> > > > > +		ebitmap_destroy(&src_bitmap);
> > > > >  	} else {
> > > > > -		rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> > > > > -		if (rc != SEPOL_OK) goto exit;
> > > > > +		int expand_src = __cil_should_expand_attribute(db, src);
> > > > > +		int expand_tgt = __cil_should_expand_attribute(db, tgt);
> > > > > +		if (!expand_src && !expand_tgt) {
> > > > > +			rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +		} else if (expand_src && expand_tgt) {
> > > > > +			rc = __cil_expand_type(src, &src_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			rc = __cil_expand_type(tgt, &tgt_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				ebitmap_destroy(&src_bitmap);
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			ebitmap_for_each_bit(&src_bitmap, snode, s) {
> > > > > +				if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> > > > > +				src = DATUM(db->val_to_type[s]);
> > > > > +				ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> > > > > +					if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> > > > > +					tgt = DATUM(db->val_to_type[t]);
> > > > > +
> > > > > +					rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> > > > > +					if (rc != SEPOL_OK) {
> > > > > +						ebitmap_destroy(&src_bitmap);
> > > > > +						ebitmap_destroy(&tgt_bitmap);
> > > > > +						goto exit;
> > > > > +					}
> > > > > +				}
> > > > > +			}
> > > > > +			ebitmap_destroy(&src_bitmap);
> > > > > +			ebitmap_destroy(&tgt_bitmap);
> > > > > +		} else if (expand_src) {
> > > > > +			rc = __cil_expand_type(src, &src_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			ebitmap_for_each_bit(&src_bitmap, snode, s) {
> > > > > +				if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> > > > > +				src = DATUM(db->val_to_type[s]);
> > > > > +
> > > > > +				rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> > > > > +				if (rc != SEPOL_OK) {
> > > > > +					ebitmap_destroy(&src_bitmap);
> > > > > +					goto exit;
> > > > > +				}
> > > > > +			}
> > > > > +			ebitmap_destroy(&src_bitmap);
> > > > > +		} else { /* expand_tgt */
> > > > > +			rc = __cil_expand_type(tgt, &tgt_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> > > > > +				if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> > > > > +				tgt = DATUM(db->val_to_type[t]);
> > > > > +
> > > > > +				rc = __cil_avrule_expand(pdb, kind, src, tgt, classperms, cond_node, cond_flavor);
> > > > > +				if (rc != SEPOL_OK) {
> > > > > +					ebitmap_destroy(&tgt_bitmap);
> > > > > +					goto exit;
> > > > > +				}
> > > > > +			}
> > > > > +			ebitmap_destroy(&tgt_bitmap);
> > > > > +		}
> > > > >  	}
> > > > > 
> > > > >  	return SEPOL_OK;
> > > > > @@ -1789,11 +1828,9 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci
> > > > >  	uint16_t kind;
> > > > >  	struct cil_symtab_datum *src = NULL;
> > > > >  	struct cil_symtab_datum *tgt = NULL;
> > > > > -	ebitmap_t type_bitmap;
> > > > > -	ebitmap_node_t *tnode;
> > > > > -	unsigned int i;
> > > > > -
> > > > > -	ebitmap_init(&type_bitmap);
> > > > > +	ebitmap_t src_bitmap, tgt_bitmap;
> > > > > +	ebitmap_node_t *snode, *tnode;
> > > > > +	unsigned int s,t;
> > > > > 
> > > > >  	if (cil_avrulex->rule_kind == CIL_AVRULE_DONTAUDIT && db->disable_dontaudit == CIL_TRUE) {
> > > > >  		// Do not add dontaudit rules to binary
> > > > > @@ -1806,28 +1843,97 @@ int cil_avrulex_to_hashtable(policydb_t *pdb, const struct cil_db *db, struct ci
> > > > >  	tgt = cil_avrulex->tgt;
> > > > > 
> > > > >  	if (tgt->fqn == CIL_KEY_SELF) {
> > > > > -		rc = __cil_expand_type(src, &type_bitmap);
> > > > > +		rc = __cil_expand_type(src, &src_bitmap);
> > > > >  		if (rc != SEPOL_OK) goto exit;
> > > > > 
> > > > > -		ebitmap_for_each_bit(&type_bitmap, tnode, i) {
> > > > > -			if (!ebitmap_get_bit(&type_bitmap, i)) continue;
> > > > > +		ebitmap_for_each_bit(&src_bitmap, snode, s) {
> > > > > +			if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> > > > > 
> > > > > -			src = DATUM(db->val_to_type[i]);
> > > > > +			src = DATUM(db->val_to_type[s]);
> > > > >  			rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, src, cil_avrulex->perms.x.permx, args);
> > > > >  			if (rc != SEPOL_OK) {
> > > > >  				goto exit;
> > > > >  			}
> > > > >  		}
> > > > > +		ebitmap_destroy(&src_bitmap);
> > > > >  	} else {
> > > > > -		rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> > > > > -		if (rc != SEPOL_OK) goto exit;
> > > > > +		int expand_src = __cil_should_expand_attribute(db, src);
> > > > > +		int expand_tgt = __cil_should_expand_attribute(db, tgt);
> > > > > +
> > > > > +		if (!expand_src && !expand_tgt) {
> > > > > +			rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +		} else if (expand_src && expand_tgt) {
> > > > > +			rc = __cil_expand_type(src, &src_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			rc = __cil_expand_type(tgt, &tgt_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				ebitmap_destroy(&src_bitmap);
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			ebitmap_for_each_bit(&src_bitmap, snode, s) {
> > > > > +				if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> > > > > +				src = DATUM(db->val_to_type[s]);
> > > > > +				ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> > > > > +					if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> > > > > +					tgt = DATUM(db->val_to_type[t]);
> > > > > +
> > > > > +					rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> > > > > +					if (rc != SEPOL_OK) {
> > > > > +						ebitmap_destroy(&src_bitmap);
> > > > > +						ebitmap_destroy(&tgt_bitmap);
> > > > > +						goto exit;
> > > > > +					}
> > > > > +				}
> > > > > +			}
> > > > > +			ebitmap_destroy(&src_bitmap);
> > > > > +			ebitmap_destroy(&tgt_bitmap);
> > > > > +		} else if (expand_src) {
> > > > > +			rc = __cil_expand_type(src, &src_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			ebitmap_for_each_bit(&src_bitmap, snode, s) {
> > > > > +				if (!ebitmap_get_bit(&src_bitmap, s)) continue;
> > > > > +				src = DATUM(db->val_to_type[s]);
> > > > > +
> > > > > +				rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> > > > > +				if (rc != SEPOL_OK) {
> > > > > +					ebitmap_destroy(&src_bitmap);
> > > > > +					goto exit;
> > > > > +				}
> > > > > +			}
> > > > > +			ebitmap_destroy(&src_bitmap);
> > > > > +		} else { /* expand_tgt */
> > > > > +			rc = __cil_expand_type(tgt, &tgt_bitmap);
> > > > > +			if (rc != SEPOL_OK) {
> > > > > +				goto exit;
> > > > > +			}
> > > > > +
> > > > > +			ebitmap_for_each_bit(&tgt_bitmap, tnode, t) {
> > > > > +				if (!ebitmap_get_bit(&tgt_bitmap, t)) continue;
> > > > > +				tgt = DATUM(db->val_to_type[t]);
> > > > > +
> > > > > +				rc = __cil_avrulex_to_hashtable_helper(pdb, kind, src, tgt, cil_avrulex->perms.x.permx, args);
> > > > > +				if (rc != SEPOL_OK) {
> > > > > +					ebitmap_destroy(&tgt_bitmap);
> > > > > +					goto exit;
> > > > > +				}
> > > > > +			}
> > > > > +			ebitmap_destroy(&tgt_bitmap);
> > > > > +		}
> > > > >  	}
> > > > > 
> > > > > -	rc = SEPOL_OK;
> > > > > +	return SEPOL_OK;
> > > > > 
> > > > >  exit:
> > > > > -	ebitmap_destroy(&type_bitmap);
> > > > > -
> > > > >  	return rc;
> > > > >  }
> > > > > 
> > > > > @@ -2417,12 +2523,19 @@ int __cil_constrain_expr_datum_to_sepol_expr(policydb_t *pdb, const struct cil_d
> > > > >  		if (pdb->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES) {
> > > > >  			rc = __cil_get_sepol_type_datum(pdb, item->data, &sepol_type);
> > > > >  			if (rc != SEPOL_OK) {
> > > > > -				ebitmap_destroy(&type_bitmap);
> > > > > -				goto exit;
> > > > > +				if (FLAVOR(item->data) == CIL_TYPEATTRIBUTE) {
> > > > > +					struct cil_typeattribute *attr = item->data;
> > > > > +					if (!attr->used) {
> > > > > +						rc = 0;
> > > > > +					}
> > > > > +				}
> > > > >  			}
> > > > > 
> > > > > -			if (ebitmap_set_bit(&expr->type_names->types, sepol_type->s.value - 1, 1)) {
> > > > > -				ebitmap_destroy(&type_bitmap);
> > > > > +			if (sepol_type) {
> > > > > +				rc = ebitmap_set_bit(&expr->type_names->types, sepol_type->s.value - 1, 1);
> > > > > +			}
> > > > > +
> > > > > +			if (rc != SEPOL_OK) {
> > > > >  				goto exit;
> > > > >  			}
> > > > >  		}
> > > > > diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
> > > > > index 03672bb..efa2cd6 100644
> > > > > --- a/libsepol/cil/src/cil_internal.h
> > > > > +++ b/libsepol/cil/src/cil_internal.h
> > > > > @@ -306,6 +306,8 @@ struct cil_db {
> > > > >  	struct cil_user **val_to_user;
> > > > >  	int disable_dontaudit;
> > > > >  	int disable_neverallow;
> > > > > +	int attrs_expand_generated;
> > > > > +	unsigned attrs_expand_size;
> > > > >  	int preserve_tunables;
> > > > >  	int handle_unknown;
> > > > >  	int mls;
> > > > > @@ -513,11 +515,14 @@ struct cil_type	{
> > > > >  	int value;
> > > > >  };
> > > > > 
> > > > > +#define CIL_ATTR_AVRULE     0x01
> > > > > +#define CIL_ATTR_NEVERALLOW 0x02
> > > > > +#define CIL_ATTR_CONSTRAINT 0x04
> > > > >  struct cil_typeattribute {
> > > > >  	struct cil_symtab_datum datum;
> > > > >  	struct cil_list *expr_list;
> > > > >  	ebitmap_t *types;
> > > > > -	int used;	// whether or not this typeattribute was used and should be added to the binary
> > > > > +	int used;	// whether or not this attribute was used in a binary policy rule
> > > > >  };
> > > > > 
> > > > >  struct cil_typeattributeset {
> > > > > diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
> > > > > index 089c02f..ae62ddb 100644
> > > > > --- a/libsepol/cil/src/cil_post.c
> > > > > +++ b/libsepol/cil/src/cil_post.c
> > > > > @@ -1188,22 +1188,32 @@ exit:
> > > > >  	return SEPOL_ERR;
> > > > >  }
> > > > > 
> > > > > -static int cil_typeattribute_used(struct cil_typeattribute *cil_attr)
> > > > > +static int cil_typeattribute_used(struct cil_typeattribute *attr, struct cil_db *db)
> > > > >  {
> > > > > -	if (cil_attr->used) {
> > > > > -		return CIL_TRUE;
> > > > > +	if (!attr->used) {
> > > > > +		return CIL_FALSE;
> > > > >  	}
> > > > > 
> > > > > -	if (strcmp(DATUM(cil_attr)->name, GEN_REQUIRE_ATTR) == 0) {
> > > > > -		return CIL_FALSE;
> > > > > +	if (attr->used & CIL_ATTR_CONSTRAINT) {
> > > > > +		return CIL_TRUE;
> > > > >  	}
> > > > > 
> > > > > -	if (strstr(DATUM(cil_attr)->name,TYPEATTR_INFIX) != NULL) {
> > > > > -		return CIL_FALSE;
> > > > > +	if (db->attrs_expand_generated || attr->used == CIL_ATTR_NEVERALLOW) {
> > > > > +		if (strcmp(DATUM(attr)->name, GEN_REQUIRE_ATTR) == 0) {
> > > > > +			return CIL_FALSE;
> > > > > +		} else if (strstr(DATUM(attr)->name, TYPEATTR_INFIX) != NULL) {
> > > > > +			return CIL_FALSE;
> > > > > +		}
> > > > > +
> > > > > +		if (attr->used == CIL_ATTR_NEVERALLOW) {
> > > > > +			return CIL_TRUE;
> > > > > +		}
> > > > >  	}
> > > > > 
> > > > > -	if (ebitmap_cardinality(cil_attr->types) == 0) {
> > > > > -		return CIL_FALSE;
> > > > > +	if (attr->used == CIL_ATTR_AVRULE) {
> > > > > +		if (ebitmap_cardinality(attr->types) < db->attrs_expand_size) {
> > > > > +			return CIL_FALSE;
> > > > > +		}
> > > > >  	}
> > > > > 
> > > > >  	return CIL_TRUE;
> > > > > @@ -1231,9 +1241,7 @@ static int __cil_post_db_attr_helper(struct cil_tree_node *node, uint32_t *finis
> > > > >  		if (attr->types == NULL) {
> > > > >  			rc = __evaluate_type_expression(attr, db);
> > > > >  			if (rc != SEPOL_OK) goto exit;
> > > > > -			if (cil_typeattribute_used(attr)) {
> > > > > -				attr->used = CIL_TRUE;
> > > > > -			}
> > > > > +			attr->used = cil_typeattribute_used(attr, db);
> > > > >  		}
> > > > >  		break;
> > > > >  	}
> > > > > diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
> > > > > index 1870501..6da44ba 100644
> > > > > --- a/libsepol/cil/src/cil_resolve_ast.c
> > > > > +++ b/libsepol/cil/src/cil_resolve_ast.c
> > > > > @@ -269,13 +269,13 @@ exit:
> > > > >  	return rc;
> > > > >  }
> > > > > 
> > > > > -int cil_type_used(struct cil_symtab_datum *datum)
> > > > > +int cil_type_used(struct cil_symtab_datum *datum, int used)
> > > > >  {
> > > > >  	struct cil_typeattribute *attr = NULL;
> > > > > 
> > > > >  	if (FLAVOR(datum) == CIL_TYPEATTRIBUTE) {
> > > > >  		attr = (struct cil_typeattribute*)datum;
> > > > > -		attr->used = CIL_TRUE;
> > > > > +		attr->used |= used;
> > > > >  	}
> > > > > 
> > > > >  	return 0;
> > > > > @@ -307,6 +307,7 @@ int cil_resolve_avrule(struct cil_tree_node *current, void *extra_args)
> > > > >  	struct cil_symtab_datum *src_datum = NULL;
> > > > >  	struct cil_symtab_datum *tgt_datum = NULL;
> > > > >  	struct cil_symtab_datum *permx_datum = NULL;
> > > > > +	int used;
> > > > >  	int rc = SEPOL_ERR;
> > > > > 
> > > > >  	if (args != NULL) {
> > > > > @@ -318,9 +319,6 @@ int cil_resolve_avrule(struct cil_tree_node *current, void *extra_args)
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	rule->src = src_datum;
> > > > > -	if (rule->rule_kind != CIL_AVRULE_NEVERALLOW) {
> > > > > -		cil_type_used(src_datum);
> > > > > -	}
> > > > >  		
> > > > >  	if (rule->tgt_str == CIL_KEY_SELF) {
> > > > >  		rule->tgt = db->selftype;
> > > > > @@ -330,9 +328,10 @@ int cil_resolve_avrule(struct cil_tree_node *current, void *extra_args)
> > > > >  			goto exit;
> > > > >  		}
> > > > >  		rule->tgt = tgt_datum;
> > > > > -		if (rule->rule_kind != CIL_AVRULE_NEVERALLOW) {
> > > > > -			cil_type_used(tgt_datum);
> > > > > -		}
> > > > > +		used = (rule->rule_kind == CIL_AVRULE_NEVERALLOW) ?
> > > > > +			CIL_ATTR_NEVERALLOW : CIL_ATTR_AVRULE;
> > > > > +		cil_type_used(src_datum, used); /* src not used if tgt is self */
> > > > > +		cil_type_used(tgt_datum, used);
> > > > >  	}
> > > > > 
> > > > >  	if (!rule->is_extended) {
> > > > > @@ -376,14 +375,12 @@ int cil_resolve_type_rule(struct cil_tree_node *current, void *extra_args)
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	rule->src = src_datum;
> > > > > -	cil_type_used(src_datum);
> > > > > 
> > > > >  	rc = cil_resolve_name(current, rule->tgt_str, CIL_SYM_TYPES, extra_args, &tgt_datum);
> > > > >  	if (rc != SEPOL_OK) {
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	rule->tgt = tgt_datum;
> > > > > -	cil_type_used(tgt_datum);
> > > > > 
> > > > >  	rc = cil_resolve_name(current, rule->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> > > > >  	if (rc != SEPOL_OK) {
> > > > > @@ -589,14 +586,12 @@ int cil_resolve_nametypetransition(struct cil_tree_node *current, void *extra_ar
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	nametypetrans->src = src_datum;
> > > > > -	cil_type_used(src_datum);
> > > > > 
> > > > >  	rc = cil_resolve_name(current, nametypetrans->tgt_str, CIL_SYM_TYPES, extra_args, &tgt_datum);
> > > > >  	if (rc != SEPOL_OK) {
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	nametypetrans->tgt = tgt_datum;
> > > > > -	cil_type_used(tgt_datum);
> > > > > 
> > > > >  	rc = cil_resolve_name(current, nametypetrans->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> > > > >  	if (rc != SEPOL_OK) {
> > > > > @@ -647,14 +642,12 @@ int cil_resolve_rangetransition(struct cil_tree_node *current, void *extra_args)
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	rangetrans->src = src_datum;
> > > > > -	cil_type_used(src_datum);
> > > > > 
> > > > >  	rc = cil_resolve_name(current, rangetrans->exec_str, CIL_SYM_TYPES, extra_args, &exec_datum);
> > > > >  	if (rc != SEPOL_OK) {
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	rangetrans->exec = exec_datum;
> > > > > -	cil_type_used(exec_datum);
> > > > > 
> > > > >  	rc = cil_resolve_name(current, rangetrans->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> > > > >  	if (rc != SEPOL_OK) {
> > > > > @@ -1006,7 +999,6 @@ int cil_resolve_roletype(struct cil_tree_node *current, void *extra_args)
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	roletype->type = (struct cil_type*)type_datum;
> > > > > -	cil_type_used(type_datum);
> > > > > 
> > > > >  	return SEPOL_OK;
> > > > > 
> > > > > @@ -1035,7 +1027,6 @@ int cil_resolve_roletransition(struct cil_tree_node *current, void *extra_args)
> > > > >  		goto exit;
> > > > >  	}
> > > > >  	roletrans->tgt = tgt_datum;
> > > > > -	cil_type_used(tgt_datum);
> > > > > 
> > > > >  	rc = cil_resolve_name(current, roletrans->obj_str, CIL_SYM_CLASSES, extra_args, &obj_datum);
> > > > >  	if (rc != SEPOL_OK) {
> > > > > @@ -3108,7 +3099,7 @@ int cil_resolve_expr(enum cil_flavor expr_type, struct cil_list *str_expr, struc
> > > > >  			}
> > > > > 
> > > > >  			if (sym_index == CIL_SYM_TYPES && (expr_type == CIL_CONSTRAIN || expr_type == CIL_VALIDATETRANS)) {
> > > > > -				cil_type_used(res_datum);
> > > > > +				cil_type_used(res_datum, CIL_ATTR_CONSTRAINT);
> > > > >  			}
> > > > > 
> > > > >  			cil_list_append(*datum_expr, CIL_DATUM, res_datum);
> > > > > diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
> > > > > index 5e68fcb..4042640 100644
> > > > > --- a/libsepol/src/libsepol.map.in
> > > > > +++ b/libsepol/src/libsepol.map.in
> > > > > @@ -45,6 +45,8 @@ LIBSEPOL_1.1 {
> > > > >  	cil_set_target_platform;
> > > > >  	cil_set_policy_version;
> > > > >  	cil_set_mls;
> > > > > +	cil_set_attrs_expand_generated;
> > > > > +	cil_set_attrs_expand_size;
> > > > >  	cil_write_policy_conf;
> > > > >  	sepol_ppfile_to_module_package;
> > > > >  	sepol_module_package_to_cil;
> > > > > --
> > > > > 2.7.4
> > > > > 
> > > > > _______________________________________________
> > > > > Selinux mailing list
> > > > > Selinux@xxxxxxxxxxxxx
> > > > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > > > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
> > > > 
> > > > --
> > > > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> > > > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > > > Dominick Grift
> > > 
> > > 
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Selinux mailing list
> > > Selinux@xxxxxxxxxxxxx
> > > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
> > > 
> > 
> > 
> > -- 
> > James Carter <jwcart2@xxxxxxxxxxxxx>
> > National Security Agency
> > _______________________________________________
> > Selinux mailing list
> > Selinux@xxxxxxxxxxxxx
> > To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> > To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux