I plan on merging this series next week.

Jim

On Wed, Jan 19, 2022 at 11:35 AM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> When reporting some errors or warnings, a search is made to find the
> original or matching rule. Both neverallow and type bounds violations will
> use cil_find_matching_avrule_in_ast() to find the rules in violation. For
> context rules, the AST is walked to find the conflicting rule. If there are
> a lot of errors or warnings, then this can take a lot of time. oss-fuzz has
> generated policies that can abuse this reporting, so the desire is to limit
> the reporting by default.
>
> By using the new function, cil_get_log_level(), the error reporting for
> neverallow and type bounds violations and the warnings for context rule
> conflicts can be less by default while still allowing for everything to
> be reported at higher log verbosity levels.
>
>
> James Carter (4):
>   libsepol/cil: Add cil_get_log_level() function
>   libsepol/cil: Provide more control over reporting bounds failures
>   libsepol/cil: Limit the neverallow violations reported
>   libsepol/cil: Limit the amount of reporting for context rule conflicts
>
>  libsepol/cil/src/cil_binary.c | 20 +++++++++---
>  libsepol/cil/src/cil_log.c    |  5 +++
>  libsepol/cil/src/cil_log.h    |  2 ++
>  libsepol/cil/src/cil_post.c   | 57 ++++++++++++++++++++---------------
>  4 files changed, 56 insertions(+), 28 deletions(-)
>
> --
> 2.31.1
>