On Wed, Sep 1, 2021 at 10:42 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > For every call to cil_fill_classperms_list(), the syntax of the > whole rule, including the class permissions, has already been > checked. There is no reason to check it again. Also, because the > class permissions appear in the middle of some rules, like > constraints, the syntax array does not end with CIL_SYN_END. This > is the only case where the syntax array does not end with CIL_SYN_END. > This prevents __cil_verify_syntax() from requiring that the syntax > array ends with CIL_SYN_END. > > Remove the redundant syntax checking in cil_fill_classperms_list(). > > Signed-off-by: James Carter <jwcart2@xxxxxxxxx> > --- > v2: Same as v1 For these 3 patches: Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> Thanks, Nicolas > > libsepol/cil/src/cil_build_ast.c | 9 --------- > 1 file changed, 9 deletions(-) > > diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c > index a5afc267..f0bb8c0c 100644 > --- a/libsepol/cil/src/cil_build_ast.c > +++ b/libsepol/cil/src/cil_build_ast.c > @@ -736,20 +736,11 @@ int cil_fill_classperms_list(struct cil_tree_node *parse_current, struct cil_lis > { > int rc = SEPOL_ERR; > struct cil_tree_node *curr; > - enum cil_syntax syntax[] = { > - CIL_SYN_STRING | CIL_SYN_LIST, > - }; > - int syntax_len = sizeof(syntax)/sizeof(*syntax); > > if (parse_current == NULL || cp_list == NULL) { > goto exit; > } > > - rc = __cil_verify_syntax(parse_current, syntax, syntax_len); > - if (rc != SEPOL_OK) { > - goto exit; > - } > - > cil_list_init(cp_list, CIL_CLASSPERMS); > > curr = parse_current->cl_head; > -- > 2.31.1 >
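Review bot: In cil_fill_classperms_list(), once the __cil_verify_syntax() call ahead of cil_list_init(cp_list, CIL_CLASSPERMS) is removed, the only guard left before curr = parse_current->cl_head is the NULL check on parse_current and cp_list, so the function now depends on every caller having already verified the enclosing rule. The commit message states that precondition but the code does not. A short comment above the NULL check, saying that the caller must already have syntax-checked the class permissions, would keep a future caller from passing an unverified parse node. The claim "for every call" cannot be confirmed from this hunk alone, so it would also help if the commit message named the call sites that were checked.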