Re: [PATCH v4 0/2] userspace: Implement new format of filename trans rules

Ondrej Mosnacek <omosnace@xxxxxxxxxx> · Sun, 19 Jul 2020 11:33:09 +0200

On Fri, Jul 17, 2020 at 1:48 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> These patches are the userspace side of the kernel change posted at [1].
>
> The first patch changes libsepol's internal representation of filename
> transition rules in a way similar to kernel commit c3a276111ea2
> ("selinux: optimize storage of filename transitions") [2].
>
> The second patch then builds upon that and implements reading and
> writing of a new binary policy format that uses this representation also
> in the data layout.
>
> See individual patches for more details.
>
> NOTE: This series unfortunately breaks the build of setools. Moreover,
> when an existing build of setools dynamically links against the new
> libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of
> handling this, since setools relies on non-public libsepol policydb
> API/ABI. I have prepared a preliminary patch to adapt setools to these
> changes - I'll open a WIP pull request for it soon...

While testing the setools patch I found some bugs in this series, so
it'll need a respin... I also found bugs in the setools patch itself
so I haven't opened a PR yet. I think I have them all fixed now, so
stay tuned...

>
> See also this discussion about the setools impact:
> https://lore.kernel.org/selinux/daeae1d9-de29-aae0-6bde-3ad3427a5d42@xxxxxxxxxxxxx/
>
> Changes in v4:
>  - rebased on top of latest master branch
>
> Changes in v3:
>  - fixed the change in dispol.c to match the rest of the code
>  - renamed the helper functions to use the "_compat" suffix rather than
>    "_old" and "_new"
>
> Changes in v2:
>  - fixed counting rules when reading the new policy format
>
> [1] https://lore.kernel.org/selinux/20200327151941.95619-1-omosnace@xxxxxxxxxx/T/
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b
>
> Ondrej Mosnacek (2):
>   libsepol,checkpolicy: optimize storage of filename transitions
>   libsepol: implement POLICYDB_VERSION_COMP_FTRANS
>
>  checkpolicy/policy_define.c                |  52 ++--
>  checkpolicy/test/dispol.c                  |  20 +-
>  libsepol/cil/src/cil_binary.c              |  29 +-
>  libsepol/include/sepol/policydb/policydb.h |  18 +-
>  libsepol/src/expand.c                      |  60 +----
>  libsepol/src/kernel_to_cil.c               |  24 +-
>  libsepol/src/kernel_to_conf.c              |  24 +-
>  libsepol/src/policydb.c                    | 299 +++++++++++++++++----
>  libsepol/src/write.c                       | 101 +++++--
>  9 files changed, 428 insertions(+), 199 deletions(-)
>
> --
> 2.26.2
>

--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.