On 3/27/20 3:21 PM, Stephen Smalley wrote:
On 3/27/20 11:21 AM, Ondrej Mosnacek wrote:
These patches are the userspace side of the kernel change posted at [1].
The first patch changes libsepol's internal representation of filename
transition rules in a way similar to kernel commit c3a276111ea2
("selinux: optimize storage of filename transitions") [2].
The second patch then builds upon that and implements reading and
writing of a new binary policy format that uses this representation also
in the data layout.
See individual patches for more details.
NOTE: This series unfortunately breaks the build of setools. Moreover,
when an existing build of setools dynamically links against the new
libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of
handling this, since setools relies on non-public libsepol policydb
API/ABI.
I think this happened before, a few years ago, when we made a
different change to those structures, and it required updates on the
setools side.
Maybe we need to figure out what setools needs to be encapsulated and
exported as part of the libsepol public ABI/API, and then stop having it
peer into libsepol internals?
I'd be fine with that :)
Ultimately, SETools does two things for policy access:
* iterate over the entire policy, reading data out of the various objects
* use linkages between objects in the policy, e.g. get the
types/attributes from an AV rule, get types from an attribute, etc., using
things like class_val_to_struct as needed.
So if sufficient functionality to do dispol were exported, that would get
close to all that was needed. There are some optimizations I made by
digging at the structs a bit more than the above, but those could
potentially be dropped if libsepol has sufficient support. See
<https://github.com/SELinuxProject/setools/blob/master/setools/policyrep/selinuxpolicy.pxi#L673>
for the policy loading code.
--
Chris PeBenito