Re: [PATCH v2 2/2] setfiles: drop ABORT_ON_ERRORS and related code

Petr Lautrbach <plautrba@xxxxxxxxxx> · Mon, 01 Feb 2021 15:05:37 +0100

Nicolas Iooss <nicolas.iooss@xxxxxxx> writes:

> On Sun, Jan 31, 2021 at 11:39 AM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>>
>> Petr Lautrbach <plautrba@xxxxxxxxxx> writes:
>>
>> > `setfiles -d` doesn't have any impact on number of errors before it
>> > aborts. It always aborts on first invalid context in spec file.
>> >
>> > Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
>> > ---
>> >  policycoreutils/setfiles/Makefile      |  3 ---
>> >  policycoreutils/setfiles/ru/setfiles.8 |  2 +-
>> >  policycoreutils/setfiles/setfiles.8    |  3 +--
>> >  policycoreutils/setfiles/setfiles.c    | 18 ------------------
>> >  4 files changed, 2 insertions(+), 24 deletions(-)
>> >
>> > diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
>> > index bc5a8db789a5..a3bbbe116b7f 100644
>> > --- a/policycoreutils/setfiles/Makefile
>> > +++ b/policycoreutils/setfiles/Makefile
>> > @@ -5,8 +5,6 @@ SBINDIR ?= /sbin
>> >  MANDIR = $(PREFIX)/share/man
>> >  AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
>> >
>> > -ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> > -
>> >  CFLAGS ?= -g -Werror -Wall -W
>> >  override LDLIBS += -lselinux -lsepol
>> >
>> > @@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
>> >
>> >  man:
>> >       @cp -af setfiles.8 setfiles.8.man
>> > -     @sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
>> >
>> >  install: all
>> >       [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
>> > diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
>> > index 27815a3f1eee..910101452625 100644
>> > --- a/policycoreutils/setfiles/ru/setfiles.8
>> > +++ b/policycoreutils/setfiles/ru/setfiles.8
>> > @@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
>> >  проверить действительность контекстов относительно указанной двоичной политики.
>> >  .TP
>> >  .B \-d
>> > -показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
>> > +показать, какая спецификация соответствует каждому из файлов.
>> >  .TP
>> >  .BI \-e \ directory
>> >  исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
>> > diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
>> > index e328a5628682..4d28bc9a95c1 100644
>> > --- a/policycoreutils/setfiles/setfiles.8
>> > +++ b/policycoreutils/setfiles/setfiles.8
>> > @@ -57,8 +57,7 @@ option will force a replacement of the entire context.
>> >  check the validity of the contexts against the specified binary policy.
>> >  .TP
>> >  .B \-d
>> > -show what specification matched each file (do not abort validation
>> > -after ABORT_ON_ERRORS errors).
>> > +show what specification matched each file.
>> >  .TP
>> >  .BI \-e \ directory
>> >  directory to exclude (repeat option for more than one directory).
>> > diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
>> > index 10692d6d94a0..92616571ef2a 100644
>> > --- a/policycoreutils/setfiles/setfiles.c
>> > +++ b/policycoreutils/setfiles/setfiles.c
>> > @@ -23,14 +23,6 @@ static int nerr;
>> >
>> >  #define STAT_BLOCK_SIZE 1
>> >
>> > -/* setfiles will abort its operation after reaching the
>> > - * following number of errors (e.g. invalid contexts),
>> > - * unless it is used in "debug" mode (-d option).
>> > - */
>> > -#ifndef ABORT_ON_ERRORS
>> > -#define ABORT_ON_ERRORS      10
>> > -#endif
>> > -
>> >  #define SETFILES "setfiles"
>> >  #define RESTORECON "restorecon"
>> >  static int iamrestorecon;
>> > @@ -56,15 +48,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
>> >       exit(-1);
>> >  }
>> >
>> > -void inc_err(void)
>> > -{
>> > -     nerr++;
>> > -     if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
>> > -             fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
>> > -             exit(-1);
>> > -     }
>> > -}
>> > -
>> >  void set_rootpath(const char *arg)
>> >  {
>> >       if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
>> > @@ -97,7 +80,6 @@ int canoncon(char **contextp)
>> >               *contextp = tmpcon;
>> >       } else if (errno != ENOENT) {
>> >               rc = -1;
>> > -             inc_err();
>> >       }
>> >
>> >       return rc;
>> > --
>> > 2.30.0
>>
>>
>> If there's no objection I'd like to merge both patches before Wednesday
>> so they'll part of rc2.
>
> I took a look and both patches look good to me. Nevertheless
> policycoreutils/setfiles/setfiles.c stil contains a "static int nerr;"
> which becomes unused, after this patch. This variable should probably
> be dropped, for example with:
>
> diff --git a/policycoreutils/setfiles/setfiles.c
> b/policycoreutils/setfiles/setfiles.c
> index 92616571ef2a..f018d161aa9e 100644
> --- a/policycoreutils/setfiles/setfiles.c
> +++ b/policycoreutils/setfiles/setfiles.c
> @@ -19,7 +19,6 @@ static int warn_no_match;
>  static int null_terminated;
>  static int request_digest;
>  static struct restore_opts r_opts;
> -static int nerr;
>
>  #define STAT_BLOCK_SIZE 1
>
> @@ -161,7 +160,6 @@ int main(int argc, char **argv)
>   warn_no_match = 0;
>   request_digest = 0;
>   policyfile = NULL;
> - nerr = 0;
>
>   r_opts.abort_on_error = 0;
>   r_opts.progname = strdup(argv[0]);
> @@ -427,9 +425,6 @@ int main(int argc, char **argv)
>   r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
>   r_opts.selabel_opt_path = altpath;
>
> - if (nerr)
> - exit(-1);
> -
>   restore_init(&r_opts);
>
>   if (use_input_file) {
>
> This clean-up could be done after you merged the patches. So:
> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Merged.

> Thanks!
> Nicolas