On Fri, Jan 14, 2022 at 2:44 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> as a heavy user of neverallow / neverallowx, please don't limit this.
>
> When adding a new neverallow rule there might be quite a few types violating them, and having to rebuild the policy every 2 types would make fixing them incredibly annoying.
>
> If you want to limit this, then please make it opt-in or add it as a command line option.
>

I am trying to limit error messages because oss-fuzz seems to be good at creating policies that generate a lot of error messages and subsequently take a lot of time to process. But I am not going to do that at the expense of people actually using secilc.

I was already thinking about making the amount of error reporting depend on the verbosity level. What would you think of limiting it to two by default, but unlimited at any higher verbosity level? I can even add a message to use "-v" to see all of the errors.

Jim

> On 1/14/22 20:20, James Carter wrote:
> > When there is a neverallow violation, a search is made for all of
> > the rules that violate the neverallow. The violating rules as well
> > as their parents are written out to make it easier to find these
> > rules.
> >
> > If there are a lot of rules that violate a neverallow, then this
> > amount of reporting is too much. Instead, only print out the first
> > two rules (with their parents) that match the violated neverallow
> > rule along with the total number of rules that violate the
> > neverallow.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
> > ---
> >  libsepol/cil/src/cil_binary.c | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> >
> > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > index 4ac8ce8d..04a5d053 100644
> > --- a/libsepol/cil/src/cil_binary.c
> > +++ b/libsepol/cil/src/cil_binary.c
> > @@ -4640,6 +4640,8 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr > > char *neverallow_str; > > char *allow_str; > > enum cil_flavor avrule_flavor; > > + int num_matching = 0; > > + int count_matching = 0; > > > > target.rule_kind = CIL_AVRULE_ALLOWED; > > target.is_extended = cil_rule->is_extended; > > @@ -4666,11 +4668,19 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr > > goto exit; > > } > > > > + cil_list_for_each(i2, matching) { > > + num_matching++; > > + } > > cil_list_for_each(i2, matching) { > > n2 = i2->data; > > r2 = n2->data; > > __cil_print_parents(" ", n2); > > __cil_print_rule(" ", allow_str, r2); > > + count_matching++; > > + if (count_matching >= 2) { > > + cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching); > > + break; > > + } > > } > > cil_log(CIL_ERR,"\n"); > > cil_list_destroy(&matching, CIL_FALSE); > > -- > bauen1 > https://dn42.bauen1.xyz/
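Review bot: in the first hunk (the declarations at the top of __cil_print_neverallow_failure), `num_matching` and `count_matching` read as near-synonyms, and a reader has to scan the second loop to learn that one is the total and the other is the number already printed. Names that carry that distinction, e.g. `num_matching` / `num_shown`, would make the later `if (count_matching >= 2)` comparison self-explanatory.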
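Review bot: in the second hunk the `if (count_matching >= 2)` break also fires when the matching list holds exactly two rules, so a neverallow with two violating rules prints "Only first 2 of 2 matching rules shown" even though nothing was omitted; guard the message with `count_matching < num_matching` (or check `i2->next != NULL` before logging it) so it only appears when rules were actually dropped. The limit is also hard-coded twice, once in the comparison and once in the format string ("Only first 2 of %d"), which will drift apart once the limit is made to depend on the verbosity level as discussed above; put it in one variable and pass it to cil_log as a second `%d`. The extra counting loop over `matching` is only there to obtain the total for that message; it is cheap, but a comment saying so would stop the next reader from wondering why the list is walked twice.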