Re: [Non-DoD Source] [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild

On Thu, Jun 13, 2019 at 9:51 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
> On 6/13/19 7:45 AM, Ondrej Mosnacek wrote:
> > When building binary policy, optionally run it through
> > sepol_policydb_optimize() just before writing it out.
> >
> > Add an optimize-policy variable to semanage.conf(5) that controls
>
> Sorry I didn't notice this in v3, but why not use "optimize" instead of
> "optimize-policy"?

Since this is in a global libsemanage config file, I thought it would
be better if the name described also what is being optimized. In
secilc or checkpolicy it is more or less obvious; in the config file
it can't hurt to be more specific, IMHO.

>
> Jim
>
> > whether optimization will be applied during libsemanage operations.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> >   libsemanage/man/man5/semanage.conf.5 |  5 +++++
> >   libsemanage/src/conf-parse.y         | 15 ++++++++++++++-
> >   libsemanage/src/conf-scan.l          |  1 +
> >   libsemanage/src/direct_api.c         |  7 +++++++
> >   libsemanage/src/semanage_conf.h      |  1 +
> >   5 files changed, 28 insertions(+), 1 deletion(-)
> >
> > diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5
> > index 8f8de55a..8efc7dd5 100644
> > --- a/libsemanage/man/man5/semanage.conf.5
> > +++ b/libsemanage/man/man5/semanage.conf.5
> > @@ -121,6 +121,11 @@ and by default it is set to "false".
> >   Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
> >   In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.
> >
> > +.TP
> > +.B optimize-policy
> > +When set to "true", the kernel policy will be optimized upon rebuilds.
> > +It can be set to either "true" or "false" and by default it is set to "false".
> > +
> >   .SH "SEE ALSO"
> >   .TP
> >   semanage(8)
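Review bot: the new semanage.conf(5) entry does not say what "optimized" means for the kernel policy, so an administrator reading only the man page cannot tell what the setting changes; consider carrying over the wording used in the direct_api.c hunk ("Remove redundancies in binary policy") and stating that the option only affects rebuilds, e.g. `When set to "true", redundancies in the kernel policy are removed whenever the policy is rebuilt.`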
> > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
> > index b527e893..9bf9364a 100644
> > --- a/libsemanage/src/conf-parse.y
> > +++ b/libsemanage/src/conf-parse.y
> > @@ -59,7 +59,7 @@ static int parse_errors;
> >           char *s;
> >   }
> >
> > -%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
> > +%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
> >   %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
> >   %token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
> >   %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
> > @@ -95,6 +95,7 @@ single_opt:     module_store
> >       |       bzip_blocksize
> >       |       bzip_small
> >       |       remove_hll
> > +     |       optimize_policy
> >           ;
> >
> >   module_store:   MODULE_STORE '=' ARG {
> > @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
> >       free($3);
> >   }
> >
> > +optimize_policy:  OPTIMIZE_POLICY '=' ARG {
> > +     if (strcasecmp($3, "false") == 0) {
> > +             current_conf->optimize_policy = 0;
> > +     } else if (strcasecmp($3, "true") == 0) {
> > +             current_conf->optimize_policy = 1;
> > +     } else {
> > +             yyerror("optimize-policy can only be 'true' or 'false'");
> > +     }
> > +     free($3);
> > +}
> > +
> >   command_block:
> >                   command_start external_opts BLOCK_END  {
> >                           if (new_external->path == NULL) {
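Review bot: the value check in the new `optimize_policy` rule uses strcasecmp, so "True" and "FALSE" are accepted, while the man page hunk in this series says the option "can be set to either "true" or "false""; either document that the match is case-insensitive or make the comparison strict so the accepted and documented values agree. The yyerror text already names the option as `optimize-policy`, which matches the scanner keyword, which is good.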
> > @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
> >       conf->bzip_small = 0;
> >       conf->ignore_module_cache = 0;
> >       conf->remove_hll = 0;
> > +     conf->optimize_policy = 0;
> >
> >       conf->save_previous = 0;
> >       conf->save_linked = 0;
> > diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
> > index 607bbf0b..b06a896c 100644
> > --- a/libsemanage/src/conf-scan.l
> > +++ b/libsemanage/src/conf-scan.l
> > @@ -54,6 +54,7 @@ handle-unknown    return HANDLE_UNKNOWN;
> >   bzip-blocksize      return BZIP_BLOCKSIZE;
> >   bzip-small  return BZIP_SMALL;
> >   remove-hll  return REMOVE_HLL;
> > +optimize-policy return OPTIMIZE_POLICY;
> >   "[load_policy]"   return LOAD_POLICY_START;
> >   "[setfiles]"      return SETFILES_START;
> >   "[sefcontext_compile]"      return SEFCONTEXT_COMPILE_START;
> > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> > index c58961be..0153091f 100644
> > --- a/libsemanage/src/direct_api.c
> > +++ b/libsemanage/src/direct_api.c
> > @@ -1461,6 +1461,13 @@ rebuild:
> >
> >               cil_db_destroy(&cildb);
> >
> > +             /* Remove redundancies in binary policy if requested. */
> > +             if (sh->conf->optimize_policy) {
> > +                     retval = sepol_policydb_optimize(out);
> > +                     if (retval < 0)
> > +                             goto cleanup;
> > +             }
> > +
> >               /* Write the linked policy before merging local changes. */
> >               retval = semanage_write_policydb(sh, out,
> >                                                SEMANAGE_LINKED);
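Review bot: the failure path `if (retval < 0) goto cleanup;` after `sepol_policydb_optimize(out)` emits no diagnostic, so a rebuild that fails only because of the optimization step is indistinguishable from any other rebuild failure; consider logging an error that names the optimization step before the goto. Also, since the call is placed before `semanage_write_policydb(sh, out, SEMANAGE_LINKED)`, the linked policy saved to the store is the optimized form rather than the raw linked output, which is worth stating in the commit message or man page for anyone who inspects that file.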
> > diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
> > index c99ac8c7..23c4b8b4 100644
> > --- a/libsemanage/src/semanage_conf.h
> > +++ b/libsemanage/src/semanage_conf.h
> > @@ -47,6 +47,7 @@ typedef struct semanage_conf {
> >       int bzip_small;
> >       int remove_hll;
> >       int ignore_module_cache;
> > +     int optimize_policy;
> >       char *ignoredirs;       /* ";" separated of list for genhomedircon to ignore */
> >       struct external_prog *load_policy;
> >       struct external_prog *setfiles;
> >
>
>
> --
> James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency



--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.


