All of lore.kernel.org
 help / color / mirror / Atom feed
From: Ondrej Mosnacek <omosnace@redhat.com>
To: selinux@vger.kernel.org
Subject: [PATCH userspace v2 6/7] [RFC] lisepol: slightly more thorough optimization
Date: Tue, 28 May 2019 16:59:11 +0200	[thread overview]
Message-ID: <20190528145912.13827-7-omosnace@redhat.com> (raw)
In-Reply-To: <20190528145912.13827-1-omosnace@redhat.com>

Removes also rules that are covered only by a union of two or more
rules. There are usually only a few of such rules (if any), but there
should be almost no (policy build) perfomance cost for this.

Side effect: clears all permission bits covered by a more general rule
-> might slow down avtab lookups (only a single rule will now match each
query)
---
 libsepol/src/optimize.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/libsepol/src/optimize.c b/libsepol/src/optimize.c
index b3859b6c..abb711e7 100644
--- a/libsepol/src/optimize.c
+++ b/libsepol/src/optimize.c
@@ -73,36 +73,38 @@ static void destroy_type_map(const policydb_t *p, ebitmap_t *type_map)
 	free(type_map);
 }
 
-static int match_xperms(const uint32_t *p1, const uint32_t *p2)
+static int process_xperms(uint32_t *p1, const uint32_t *p2)
 {
 	size_t i;
+	int ret = 1;
 
 	for (i = 0; i < EXTENDED_PERMS_LEN; i++) {
-		if ((p2[i] & p1[i]) != p1[i])
-			return 0;
+		p1[i] &= ~p2[i];
+		if (p1[i] != 0)
+			ret = 0;
 	}
-	return 1;
+	return ret;
 }
 
-static int match_avtab_datum(uint16_t specified,
-			     const avtab_datum_t *d1, const avtab_datum_t *d2)
+static int process_avtab_datum(uint16_t specified,
+			       avtab_datum_t *d1, const avtab_datum_t *d2)
 {
 	/* inverse logic needed for AUDITDENY rules */
 	if (specified & AVTAB_AUDITDENY)
-		return (d1->data & d2->data) == d2->data;
+		return (d1->data |= ~d2->data) == 0xFFFFFFFF;
 
 	if (specified & AVTAB_AV)
-		return (d2->data & d1->data) == d1->data;
+		return (d1->data &= ~d2->data) == 0;
 
 	if (specified & AVTAB_XPERMS) {
-		const avtab_extended_perms_t *x1 = d1->xperms;
+		avtab_extended_perms_t *x1 = d1->xperms;
 		const avtab_extended_perms_t *x2 = d2->xperms;
 
 		if (x1->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
 			if (x2->specified == AVTAB_XPERMS_IOCTLFUNCTION) {
 				if (x1->driver != x2->driver)
 					return 0;
-				return match_xperms(x1->perms, x2->perms);
+				return process_xperms(x1->perms, x2->perms);
 			}
 			if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
 				return xperm_test(x1->driver, x2->perms);
@@ -111,7 +113,7 @@ static int match_avtab_datum(uint16_t specified,
 				return 0;
 
 			if (x2->specified == AVTAB_XPERMS_IOCTLDRIVER)
-				return match_xperms(x1->perms, x2->perms);
+				return process_xperms(x1->perms, x2->perms);
 		}
 		return 0;
 	}
@@ -152,7 +154,7 @@ static int is_avrule_redundant(avtab_ptr_t entry, avtab_t *tab,
 			if (!d2)
 				continue;
 
-			if (match_avtab_datum(key.specified, d1, d2))
+			if (process_avtab_datum(key.specified, d1, d2))
 				return 1;
 		}
 	}
@@ -205,7 +207,7 @@ static int is_cond_rule_redundant(avtab_ptr_t e1, cond_av_list_t *list,
 		if (!ebitmap_get_bit(&type_map[t1], t2))
 			continue;
 
-		if (match_avtab_datum(k1, &e1->datum, &e2->datum))
+		if (process_avtab_datum(k1, &e1->datum, &e2->datum))
 			return 1;
 	}
 	return 0;
-- 
2.20.1


  parent reply	other threads:[~2019-05-28 14:59 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-28 14:59 [PATCH userspace v2 0/7] Remove redundant rules when building policydb Ondrej Mosnacek
2019-05-28 14:59 ` [PATCH userspace v2 1/7] libsepol: add a function to optimize kernel policy Ondrej Mosnacek
2019-05-29 20:32   ` [Non-DoD Source] " jwcart2
2019-05-30 11:46     ` Ondrej Mosnacek
2019-05-30 16:55       ` Stephen Smalley
2019-05-31  7:39         ` Ondrej Mosnacek
2019-05-28 14:59 ` [PATCH userspace v2 2/7] libsemanage: optionally optimize policy on rebuild Ondrej Mosnacek
2019-05-28 14:59 ` [PATCH userspace v2 3/7] semodule: add flag to enable policy optimization Ondrej Mosnacek
2019-05-28 14:59 ` [PATCH userspace v2 4/7] secilc: " Ondrej Mosnacek
2019-05-28 16:32   ` Dominick Grift
2019-05-28 17:01     ` Ondrej Mosnacek
2019-05-28 14:59 ` [PATCH userspace v2 5/7] checkpolicy: " Ondrej Mosnacek
2019-05-28 14:59 ` Ondrej Mosnacek [this message]
2019-05-28 14:59 ` [PATCH userspace v2 7/7] [RFC] libsemanage: switch to config file entry Ondrej Mosnacek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190528145912.13827-7-omosnace@redhat.com \
    --to=omosnace@redhat.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.