From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org
Subject: [PATCH userspace v3 2/7] libsemanage: optionally optimize policy on rebuild
Date: Wed, 29 May 2019 09:37:54 +0200
Message-ID: <20190529073759.20548-3-omosnace@redhat.com>
In-Reply-To: <20190529073759.20548-1-omosnace@redhat.com>

When building binary policy, optionally run it through
sepol_policydb_optimize() just before writing it out.

Add a semanage_set_optimize() function to specify whether the
optimization should be applied or not.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
 libsemanage/include/semanage/handle.h |  4 ++++
 libsemanage/src/direct_api.c          |  7 +++++++
 libsemanage/src/handle.c              | 13 +++++++++++++
 libsemanage/src/handle.h              |  1 +
 libsemanage/src/libsemanage.map       |  5 +++++
 5 files changed, 30 insertions(+)

diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index c8165900..f23be35a 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -66,6 +66,10 @@ void semanage_set_reload(semanage_handle_t * handle, int do_reload);
  * 1 for yes, 0 for no (default) */
 void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
 
+/* set whether to optimize the policy (remove redundancies) when built.
+ * 1 for yes, 0 for no (default) */
+void semanage_set_optimize(semanage_handle_t * handle, int do_optimize);
+
 /* Fills *compiler_path with the location of the hll compiler sh->conf->compiler_directory_path
  * corresponding to lang_ext.
  * Upon success returns 0, -1 on error. */
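Review bot: the public comment on semanage_set_optimize() does not say that the flag only takes effect when the policy is actually (re)built, which the private comment added in handle.c in this same patch ("If the policy is not being rebuilt, this flag is ignored.") makes explicit. A caller reading only the installed header could call semanage_set_optimize(handle, 1) and expect a commit with no module changes to produce an optimized policy. Suggest repeating the caveat here, e.g. "Only applied when the policy is (re)built; see semanage_set_rebuild()."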
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index c58961be..95cbee81 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -1461,6 +1461,13 @@ rebuild:
 
 		cil_db_destroy(&cildb);
 
+		/* Remove redundancies in binary policy if requested. */
+		if (sh->do_optimize) {
+			retval = sepol_policydb_optimize(out);
+			if (retval < 0)
+				goto cleanup;
+		}
+
 		/* Write the linked policy before merging local changes. */
 		retval = semanage_write_policydb(sh, out,
 						 SEMANAGE_LINKED);
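Review bot: the failure path `if (retval < 0) goto cleanup;` emits no diagnostic, so a commit that fails inside sepol_policydb_optimize() surfaces only as a generic commit failure with no indication of which step broke; suggest an error message (the ERR() helper libsemanage uses for other failures) before the goto, e.g. `ERR(sh, "Failed to optimize policy!");`. Also worth noting in the commit message: because the call sits before `semanage_write_policydb(sh, out, SEMANAGE_LINKED)`, the optimized policydb is what gets persisted as the linked policy, so the optimization is applied to the cached linked policy rather than only "just before writing it out" as the description says.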
diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
index e5109aef..8f4530c2 100644
--- a/libsemanage/src/handle.c
+++ b/libsemanage/src/handle.c
@@ -88,6 +88,10 @@ semanage_handle_t *semanage_handle_create(void)
 	 * If any changes are made, this flag is ignored */
 	sh->do_rebuild = 0;
 
+	/* By default do not optimize policy on rebuild.
+	 * If the policy is not being rebuilt, this flag is ignored. */
+	sh->do_optimize = 0;
+
 	sh->commit_err = 0;
 
 	/* By default always reload policy after commit if SELinux is enabled. */
@@ -125,6 +129,15 @@ void semanage_set_rebuild(semanage_handle_t * sh, int do_rebuild)
 	return;
 }
 
+void semanage_set_optimize(semanage_handle_t * sh, int do_optimize)
+{
+
+	assert(sh != NULL);
+
+	sh->do_optimize = do_optimize;
+	return;
+}
+
 void semanage_set_reload(semanage_handle_t * sh, int do_reload)
 {
 
diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h
index a91907b0..b8fbf120 100644
--- a/libsemanage/src/handle.h
+++ b/libsemanage/src/handle.h
@@ -62,6 +62,7 @@ struct semanage_handle {
 	int is_in_transaction;
 	int do_reload;		/* whether to reload policy after commit */
 	int do_rebuild;		/* whether to rebuild policy if there were no changes */
+	int do_optimize;	/* whether to optimize the built policy */
 	int commit_err;		/* set by semanage_direct_commit() if there are
 				 * any errors when building or committing the
 				 * sandbox to kernel policy at /etc/selinux
diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
index 02036696..535bd9b5 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -63,3 +63,8 @@ LIBSEMANAGE_1.1 {
 	  semanage_module_remove_key;
 	  semanage_set_store_root;
 } LIBSEMANAGE_1.0;
+
+LIBSEMANAGE_1.2 {
+  global:
+	  semanage_set_optimize;
+} LIBSEMANAGE_1.1;
-- 
2.20.1


2019-05-29  7:37 [PATCH userspace v3 0/7] Remove redundant rules when building policydb Ondrej Mosnacek
2019-05-29  7:37 ` [PATCH userspace v3 1/7] libsepol: add a function to optimize kernel policy Ondrej Mosnacek
2019-05-29  7:37 ` Ondrej Mosnacek [this message]
2019-05-29  7:37 ` [PATCH userspace v3 3/7] semodule: add flag to enable policy optimization Ondrej Mosnacek
2019-05-29  7:37 ` [PATCH userspace v3 4/7] secilc: " Ondrej Mosnacek
2019-05-29  7:37 ` [PATCH userspace v3 5/7] checkpolicy: " Ondrej Mosnacek
2019-05-29  7:37 ` [PATCH userspace v3 6/7] [RFC] lisepol: slightly more thorough optimization Ondrej Mosnacek
2019-06-06 11:38   ` Ondrej Mosnacek
2019-05-29  7:37 ` [PATCH userspace v3 7/7] [RFC] libsemanage: switch to config file entry Ondrej Mosnacek