When reporting some errors or warnings, a search is made to find the original or matching rule. Both neverallow and type bounds violations will use cil_find_matching_avrule_in_ast() to find the rules in violation. For context rules, the AST is walked to find the conflicting rule. If there are a lot of errors or warnings, then this can take a lot of time.

oss-fuzz has generated policies that can abuse this reporting, so the desire is to limit the reporting by default.

By using the new function, cil_get_log_level(), the error reporting for neverallow and type bounds violations and the warnings for context rule conflicts can be less by default while still allowing for everything to be reported at higher log verbosity levels.

James Carter (4):
  libsepol/cil: Add cil_get_log_level() function
  libsepol/cil: Provide more control over reporting bounds failures
  libsepol/cil: Limit the neverallow violations reported
  libsepol/cil: Limit the amount of reporting for context rule conflicts

 libsepol/cil/src/cil_binary.c | 20 +++++++++---
 libsepol/cil/src/cil_log.c    |  5 +++
 libsepol/cil/src/cil_log.h    |  2 ++
 libsepol/cil/src/cil_post.c   | 57 ++++++++++++++++++++---------------
 4 files changed, 56 insertions(+), 28 deletions(-)

-- 
2.31.1