SELinux Archive on lore.kernel.org
From: jwcart2 <jwcart2@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [Non-DoD Source] [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild
Date: Thu, 13 Jun 2019 15:51:54 -0400
Message-ID: <0e7cdb7f-b4a1-8ac7-e837-9bbb7523f4ff@tycho.nsa.gov>
In-Reply-To: <20190613114558.32621-3-omosnace@redhat.com>

On 6/13/19 7:45 AM, Ondrej Mosnacek wrote:
> When building binary policy, optionally run it through
> sepol_policydb_optimize() just before writing it out.
> 
> Add an optimize-policy variable to semanage.conf(5) that controls

Sorry I didn't notice this in v3, but why not use "optimize" instead of 
"optimize-policy"?

Jim

> whether optimization will be applied during libsemanage operations.
> 
> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> ---
>   libsemanage/man/man5/semanage.conf.5 |  5 +++++
>   libsemanage/src/conf-parse.y         | 15 ++++++++++++++-
>   libsemanage/src/conf-scan.l          |  1 +
>   libsemanage/src/direct_api.c         |  7 +++++++
>   libsemanage/src/semanage_conf.h      |  1 +
>   5 files changed, 28 insertions(+), 1 deletion(-)
> 
> diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5
> index 8f8de55a..8efc7dd5 100644
> --- a/libsemanage/man/man5/semanage.conf.5
> +++ b/libsemanage/man/man5/semanage.conf.5
> @@ -121,6 +121,11 @@ and by default it is set to "false".
>   Please note that since this option deletes all HLL files, an updated HLL compiler will not be able to recompile the original HLL file into CIL.
>   In order to compile the original HLL file into CIL, the same HLL file will need to be reinstalled.
>   
> +.TP
> +.B optimize-policy
> +When set to "true", the kernel policy will be optimized upon rebuilds.
> +It can be set to either "true" or "false" and by default it is set to "false".
> +
>   .SH "SEE ALSO"
>   .TP
>   semanage(8)
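Review bot: the new .TP entry says the kernel policy "will be optimized upon rebuilds" but does not tell an administrator what that means in practice; since the commit message says the policy is passed through sepol_policydb_optimize() and the direct_api.c comment describes it as removing redundancies in the binary policy, the man page should say so in one sentence (e.g. "redundant rules are removed from the kernel policy before it is written out") so the reader can judge the trade-off before enabling it.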
> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
> index b527e893..9bf9364a 100644
> --- a/libsemanage/src/conf-parse.y
> +++ b/libsemanage/src/conf-parse.y
> @@ -59,7 +59,7 @@ static int parse_errors;
>           char *s;
>   }
>   
> -%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
> +%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT OPTIMIZE_POLICY
>   %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
>   %token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
>   %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
> @@ -95,6 +95,7 @@ single_opt:     module_store
>   	|	bzip_blocksize
>   	|	bzip_small
>   	|	remove_hll
> +	|	optimize_policy
>           ;
>   
>   module_store:   MODULE_STORE '=' ARG {
> @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
>   	free($3);
>   }
>   
> +optimize_policy:  OPTIMIZE_POLICY '=' ARG {
> +	if (strcasecmp($3, "false") == 0) {
> +		current_conf->optimize_policy = 0;
> +	} else if (strcasecmp($3, "true") == 0) {
> +		current_conf->optimize_policy = 1;
> +	} else {
> +		yyerror("optimize-policy can only be 'true' or 'false'");
> +	}
> +	free($3);
> +}
> +
>   command_block:
>                   command_start external_opts BLOCK_END  {
>                           if (new_external->path == NULL) {
> @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
>   	conf->bzip_small = 0;
>   	conf->ignore_module_cache = 0;
>   	conf->remove_hll = 0;
> +	conf->optimize_policy = 0;
>   
>   	conf->save_previous = 0;
>   	conf->save_linked = 0;
> diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
> index 607bbf0b..b06a896c 100644
> --- a/libsemanage/src/conf-scan.l
> +++ b/libsemanage/src/conf-scan.l
> @@ -54,6 +54,7 @@ handle-unknown    return HANDLE_UNKNOWN;
>   bzip-blocksize	return BZIP_BLOCKSIZE;
>   bzip-small	return BZIP_SMALL;
>   remove-hll	return REMOVE_HLL;
> +optimize-policy return OPTIMIZE_POLICY;
>   "[load_policy]"   return LOAD_POLICY_START;
>   "[setfiles]"      return SETFILES_START;
>   "[sefcontext_compile]"      return SEFCONTEXT_COMPILE_START;
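Review bot: style: the added rule `optimize-policy return OPTIMIZE_POLICY;` separates the pattern from the action with a single space, whereas the neighbouring rules (`remove-hll	return REMOVE_HLL;`, `bzip-small	return BZIP_SMALL;`) use a tab; match the surrounding alignment.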
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index c58961be..0153091f 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -1461,6 +1461,13 @@ rebuild:
>   
>   		cil_db_destroy(&cildb);
>   
> +		/* Remove redundancies in binary policy if requested. */
> +		if (sh->conf->optimize_policy) {
> +			retval = sepol_policydb_optimize(out);
> +			if (retval < 0)
> +				goto cleanup;
> +		}
> +
>   		/* Write the linked policy before merging local changes. */
>   		retval = semanage_write_policydb(sh, out,
>   						 SEMANAGE_LINKED);
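Review bot: on the `retval < 0` path after `sepol_policydb_optimize(out)` nothing is logged before `goto cleanup`, so an administrator who enabled optimize-policy will see the rebuild fail with no indication that the optimization step was the cause; emit an error through the handle before the goto. Also, because this block runs before the "Write the linked policy before merging local changes" step, the stored linked policy is now the optimized one whenever the option is on; if that is intended, a sentence in the commit message saying so would help future readers.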
> diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
> index c99ac8c7..23c4b8b4 100644
> --- a/libsemanage/src/semanage_conf.h
> +++ b/libsemanage/src/semanage_conf.h
> @@ -47,6 +47,7 @@ typedef struct semanage_conf {
>   	int bzip_small;
>   	int remove_hll;
>   	int ignore_module_cache;
> +	int optimize_policy;
>   	char *ignoredirs;	/* ";" separated of list for genhomedircon to ignore */
>   	struct external_prog *load_policy;
>   	struct external_prog *setfiles;
> 


-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
