On Fri, 22 Apr 2022 at 17:44, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> With the addition of the anon_inode class in the kernel, 'self'
> transition rules became useful, but haven't been implemented.
>
> This series implements the self keyword support in the CIL & TE
> languages and the module policydb format. The kernel policydb format
> doesn't need any changes, as type transitions are always expanded in the
> kernel policydb.

Since the type transitions are expanded, a single usage of

    type_transition domain self iouring_t:anon_inode "[io_uring]";

will result in thousands of filetrans entries in the binary policy.

When using a limited type-attribute

    type_transition iouring_domain self iouring_t:anon_inode "[io_uring]";

what is the benefit of implementing the interface kernel_iouring_domain() as

    typeattribute $1 iouring_domain;

instead of

    type_transition $1 $1 iouring_t:anon_inode "[io_uring]";

?

Wouldn't true policydb support be much more efficient (not only regarding
size but also (lookup) performance)?

> The patches have been tested using the following WIP beakerlib/tmt test:
> https://src.fedoraproject.org/fork/omos/tests/selinux/blob/self-in-tt/f/libsepol/self-keyword-in-type-transitions
>
> Ondrej Mosnacek (2):
>   libsepol/cil: add support for self keyword in type transitions
>   libsepol,checkpolicy: add support for self keyword in type transitions
>
>  checkpolicy/policy_define.c                |  42 +++++-
>  libsepol/cil/src/cil_binary.c              | 168 +++++++++++++++------
>  libsepol/cil/src/cil_resolve_ast.c         |  25 ++-
>  libsepol/include/sepol/policydb/policydb.h |   4 +-
>  libsepol/src/expand.c                      |  69 ++++++--
>  libsepol/src/link.c                        |   1 +
>  libsepol/src/module_to_cil.c               |  30 ++--
>  libsepol/src/policydb.c                    |  33 +++-
>  libsepol/src/write.c                       |  19 ++-
>  secilc/test/policy.cil                     |   3 +
>  10 files changed, 293 insertions(+), 101 deletions(-)
>
> --
> 2.35.1
>
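To make the expansion argument in the reply concrete, here is an added toy model (not code from the libsepol series or from either participant) of how the expand step turns a type_transition over an attribute into per-type filetrans entries. It goes slightly beyond the thread by also expanding an attribute-to-attribute rule for comparison; the policy names iouring_domain, iouring_t and anon_inode are from the thread, while the member domains of iouring_domain are constructed sample data.

```python
# Constructed sample policy: which concrete types the attribute denotes.
ATTRIBUTES = {
    "iouring_domain": {"app_t", "daemon_t", "db_t"},
}
TYPES = {"app_t", "daemon_t", "db_t", "iouring_t"}


def members(name):
    """Resolve a type or attribute name to the set of concrete types it stands for."""
    return ATTRIBUTES.get(name, {name} if name in TYPES else set())


def expand_filetrans(rules):
    """Expand (source, target, class, name, default) rules into concrete entries.

    A target of "self" means 'the same type as the source', so it expands to the
    diagonal (t, t) only; any other attribute target expands to the full cross
    product of source members and target members, as a kernel policydb requires.
    """
    expanded = set()
    for src, tgt, cls, name, default in rules:
        for s in members(src):
            targets = {s} if tgt == "self" else members(tgt)
            for t in targets:
                expanded.add((s, t, cls, name, default))
    return expanded


# 1. One rule using the self keyword over the attribute (the series' new feature).
SELF_RULE = [("iouring_domain", "self", "anon_inode", "[io_uring]", "iouring_t")]

# 2. The interface alternative from the reply: kernel_iouring_domain($1) emitting
#    'type_transition $1 $1 iouring_t:anon_inode "[io_uring]";' for each caller.
PER_DOMAIN_RULES = [(d, d, "anon_inode", "[io_uring]", "iouring_t")
                    for d in sorted(ATTRIBUTES["iouring_domain"])]

# 3. Attribute-to-attribute rule without self: every (source, target) pair,
#    which is both larger and semantically wrong for an anon inode of 'self'.
CROSS_RULE = [("iouring_domain", "iouring_domain", "anon_inode", "[io_uring]", "iouring_t")]

if __name__ == "__main__":
    for label, rules in (("self", SELF_RULE), ("per-domain", PER_DOMAIN_RULES),
                         ("cross", CROSS_RULE)):
        print(f"{label:10s} -> {len(expand_filetrans(rules))} filetrans entries")
```

With N member domains the self rule and the per-domain interface both expand to the same N entries, which is the point of the question above; the cross-product rule expands to N squared.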