On Tue, Jan 10, 2023 at 10:27 AM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Thu, Jan 5, 2023 at 12:27 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> >
> > Do not write class definitions for classes without any permission and
> > any inherited common class. The classes are already declared in
> > write_class_decl_rules_to_conf(). Skipping those empty definitions,
> > which are equal to the corresponding class declarations, will enable
> > parsing the generated policy conf file with checkpolicy, as checkpolicy
> > does not accept class declarations after initial sid declarations.
> >
> > This will enable simple round-trip tests with checkpolicy.
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxx>
> Merged.
>
> Thanks,
> Jim
>
> > ---
> >  libsepol/src/kernel_to_conf.c | 21 +++++++++++++--------
> >  1 file changed, 13 insertions(+), 8 deletions(-)
> >
> > diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
> > index 63dffd9b..73b72b5d 100644
> > --- a/libsepol/src/kernel_to_conf.c
> > +++ b/libsepol/src/kernel_to_conf.c
> > @@ -591,16 +591,21 @@ static int write_class_and_common_rules_to_conf(FILE *out, struct policydb *pdb) > > class = pdb->class_val_to_struct[i]; > > if (!class) continue; > > name = pdb->p_class_val_to_name[i]; > > - sepol_printf(out, "class %s", name); > > - if (class->comkey) { > > - sepol_printf(out, " inherits %s", class->comkey); > > - } > > perms = class_or_common_perms_to_str(&class->permissions); > > - if (perms) { > > - sepol_printf(out, " { %s }", perms); > > - free(perms); > > + /* Do not write empty classes, their declaration was alreedy > > + * printed in write_class_decl_rules_to_conf() */ > > + if (perms || class->comkey) { > > + sepol_printf(out, "class %s", name); > > + if (class->comkey) { > > + sepol_printf(out, " inherits %s", class->comkey); > > + } > > + > > + if (perms) { > > + sepol_printf(out, " { %s }", perms); > > + free(perms); > > + } > > + sepol_printf(out, "\n"); > > } > > - sepol_printf(out, "\n"); > > } > > > > exit: > > -- > > 2.39.0 > >
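Review bot: the new condition `if (perms || class->comkey)` in write_class_and_common_rules_to_conf() treats every NULL from class_or_common_perms_to_str() as "no permissions", so if that helper can also return NULL on an allocation or hashtab failure, a class with permissions but no common would now be dropped from the output silently instead of being written without its permission set as before; if the helper can fail, distinguish the error case (e.g. an explicit rc/errno check before the condition) so the conversion reports it rather than emitting an incomplete policy.conf. Minor: the added comment has a typo, "alreedy" should be "already", and it would help to state there that a NULL `perms` means the permission set is empty.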
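The commit message describes a layout constraint of policy.conf: every class is declared once up front with a bare `class NAME`, the initial sid declarations follow, and only then come the access-vector definitions (`class NAME inherits COMMON { perms }`). A class with no permissions and no common would produce a definition line identical to its declaration, which in that position reads as a second declaration. The following is an added example, not code from libsepol or from the patch author: a small Python emitter that produces those three sections from constructed class data, with the skip rule the patch introduces as a switch, plus a simplified stand-in for the checkpolicy ordering check (it flags any bare `class NAME` line after a `sid` line; the real checkpolicy grammar is not reproduced here). The class and sid names, `PolicyClass`, `render_conf` and `redeclared_classes` are all assumptions of this example.

```python
"""Emit policy.conf class sections in checkpolicy order and check that no
bare class declaration appears after the initial sid declarations.
Added example; not part of libsepol or of the patch under discussion."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PolicyClass:
    """One object class as it would come out of the kernel policydb."""
    name: str
    common: Optional[str] = None           # inherited common, if any
    perms: List[str] = field(default_factory=list)


def class_decls(classes: List[PolicyClass]) -> List[str]:
    """Section 1 of policy.conf: a bare 'class NAME' for every class."""
    return [f"class {c.name}" for c in classes]


def sid_decls(sids: List[str]) -> List[str]:
    """Section 2: initial sid declarations."""
    return [f"sid {s}" for s in sids]


def class_defs(classes: List[PolicyClass], skip_empty: bool = True) -> List[str]:
    """Section 3: access-vector definitions.

    With skip_empty=True (the behaviour the patch introduces) a class with
    neither permissions nor an inherited common is not written again, since
    its definition would be byte-identical to the declaration in section 1.
    With skip_empty=False (the pre-patch behaviour) it is written as
    'class NAME', which lands after the sid declarations.
    """
    out = []
    for c in classes:
        if skip_empty and not c.perms and c.common is None:
            continue
        line = f"class {c.name}"
        if c.common is not None:
            line += f" inherits {c.common}"
        if c.perms:
            line += " { " + " ".join(c.perms) + " }"
        out.append(line)
    return out


def render_conf(classes: List[PolicyClass], sids: List[str],
                skip_empty: bool = True) -> str:
    """Concatenate the three sections in the order checkpolicy expects."""
    lines = class_decls(classes) + sid_decls(sids) + class_defs(classes, skip_empty)
    return "\n".join(lines) + "\n"


def redeclared_classes(conf_text: str) -> List[str]:
    """Stand-in for the checkpolicy ordering rule (assumption: simplified).

    Returns the names of bare 'class NAME' lines that appear after the first
    'sid' line; checkpolicy would reject the file at that point.
    """
    seen_sid = False
    bad = []
    for line in conf_text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "sid":
            seen_sid = True
        elif words[0] == "class" and seen_sid and len(words) == 2:
            bad.append(words[1])
    return bad


# Constructed sample input (not taken from any real policy).
SAMPLE_CLASSES = [
    PolicyClass("file", common="file", perms=["execute_no_trans", "entrypoint"]),
    PolicyClass("capability2", perms=["mac_override", "mac_admin"]),
    PolicyClass("lockdown_like", common="file"),     # common, no own perms
    PolicyClass("empty_class"),                       # no perms, no common
]
SAMPLE_SIDS = ["kernel", "security", "unlabeled"]


if __name__ == "__main__":
    print("--- pre-patch layout (bare redeclaration after sids) ---")
    before = render_conf(SAMPLE_CLASSES, SAMPLE_SIDS, skip_empty=False)
    print(before, "rejected:", redeclared_classes(before))
    print("--- post-patch layout ---")
    after = render_conf(SAMPLE_CLASSES, SAMPLE_SIDS)
    print(after, "rejected:", redeclared_classes(after))
```

Running the block shows `empty_class` flagged in the pre-patch layout and nothing flagged afterwards, while `lockdown_like` keeps its `class lockdown_like inherits file` definition in both cases because the `inherits` clause makes it a definition rather than a declaration.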