On Thu, May 21, 2020 at 5:25 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> Improves writing of CIL sensitivity rules when converting MLS kernel
> policy to CIL. No changes to functionality, but eliminate useless
> checks for sensitivity aliases when using the p_sens_val_to_name
> array, find the actual number of aliases before allocating memory,
> and skip the sensitivity alias rules if there are no aliases.
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> libsepol/src/kernel_to_cil.c | 59 ++++++++++++++++++------------------
> 1 file changed, 29 insertions(+), 30 deletions(-)
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index cca77251..6103c1a6 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -782,6 +782,17 @@ static void write_default_mls_level(FILE *out)
> sepol_printf(out, "(level %s (s0))\n", DEFAULT_LEVEL);
> }
>
> +static int map_count_sensitivity_aliases(char *key, void *data, void *args)
> +{
> + level_datum_t *sens = data;
> + unsigned *count = args;
> +
> + if (sens->isalias)
> + (*count)++;
> +
> + return SEPOL_OK;
> +}

Hello,
This patch looks good to me, but building fails because of an unused parameter (here and in other patches), https://travis-ci.org/github/fishilico/selinux/jobs/689760790#L2029 :
kernel_to_cil.c: In function ‘map_count_sensitivity_aliases’:
kernel_to_cil.c:785:48: error: unused parameter ‘key’ [-Werror=unused-parameter]
static int map_count_sensitivity_aliases(char *key, void *data, void *args)
^~~
kernel_to_cil.c: In function ‘map_count_category_aliases’:
kernel_to_cil.c:889:45: error: unused parameter ‘key’ [-Werror=unused-parameter]
static int map_count_category_aliases(char *key, void *data, void *args)
^~~
kernel_to_cil.c: In function ‘map_count_type_aliases’:
kernel_to_cil.c:1368:41: error: unused parameter ‘key’ [-Werror=unused-parameter]
static int map_count_type_aliases(char *key, void *data, void *args)
^~~
Other functions use __attribute__((unused)) so you could probably use it too in these functions.
Thanks,
Nicolas

> +
> static int map_sensitivity_aliases_to_strs(char *key, void *data, void *args)
> {
> level_datum_t *sens = data;
> @@ -799,26 +810,13 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
> {
> level_datum_t *level;
> char *prev, *name, *actual;
> - struct strs *strs;
> - unsigned i, num;
> + struct strs *strs = NULL;
> + unsigned i, num = 0;
> int rc = 0;
>
> - rc = strs_init(&strs, pdb->p_levels.nprim);
> - if (rc != 0) {
> - goto exit;
> - }
> -
> /* sensitivities */
> for (i=0; i < pdb->p_levels.nprim; i++) {
> name = pdb->p_sens_val_to_name[i];
> - if (!name) continue;
> - level = hashtab_search(pdb->p_levels.table, name);
> - if (!level) {
> - rc = -1;
> - goto exit;
> - }
> - if (level->isalias) continue;
> -
> sepol_printf(out, "(sensitivity %s)\n", name);
> }
>
> @@ -827,14 +825,6 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
> prev = NULL;
> for (i=0; i < pdb->p_levels.nprim; i++) {
> name = pdb->p_sens_val_to_name[i];
> - if (!name) continue;
> - level = hashtab_search(pdb->p_levels.table, name);
> - if (!level) {
> - rc = -1;
> - goto exit;
> - }
> - if (level->isalias) continue;
> -
> if (prev) {
> sepol_printf(out, "%s ", prev);
> }
> @@ -845,6 +835,22 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
> }
> sepol_printf(out, "))\n");
>
> + rc = hashtab_map(pdb->p_levels.table, map_count_sensitivity_aliases, &num);
> + if (rc != 0) {
> + goto exit;
> + }
> +
> + if (num == 0) {
> + /* No aliases, so skip sensitivity alias rules */
> + rc = 0;
> + goto exit;
> + }
> +
> + rc = strs_init(&strs, num);
> + if (rc != 0) {
> + goto exit;
> + }
> +
> rc = hashtab_map(pdb->p_levels.table, map_sensitivity_aliases_to_strs, strs);
> if (rc != 0) {
> goto exit;
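Review bot: The `/* sensitivities */` loop in the `@@ -799` hunk and the ordering loop in the `@@ -827` hunk no longer skip a NULL entry of `pdb->p_sens_val_to_name` before `name` is passed to `sepol_printf` with `%s`. The removed `hashtab_search`/`isalias` test is redundant for this array, but `if (!name) continue;` guarded a different case: a gap in the value-to-name array, which could presumably appear when the binary policy being converted is malformed. Unless the loader is known to reject such policies before this point, I would keep `if (!name) continue;` in both loops. The function body starts and ends outside these hunks, so the cleanup at `exit` is not visible here.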
> @@ -852,16 +858,9 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
>
> strs_sort(strs);
>
> - num = strs_num_items(strs);
> -
> /* sensitivity aliases */
> for (i=0; i < num; i++) {
> name = strs_read_at_index(strs, i);
> - level = hashtab_search(pdb->p_levels.table, name);
> - if (!level) {
> - rc = -1;
> - goto exit;
> - }
> sepol_printf(out, "(sensitivityalias %s)\n", name);
> }
>
> --
> 2.25.4
>
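Review bot: The alias loop is now bounded by `num` from the counting pass rather than by the number of items actually stored in `strs`, and `name` reaches `sepol_printf` without any check. That holds only while `map_count_sensitivity_aliases` and `map_sensitivity_aliases_to_strs` (whose body is mostly outside this diff) select exactly the same entries. I would either keep `num = strs_num_items(strs);` after `strs_sort(strs);` or record the invariant with a comment such as `/* num equals strs_num_items(strs): both callbacks select on isalias */`. The function continues outside the hunk.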