* [PATCH 1/3] libsepol: Write CIL default MLS rules on separate lines
@ 2020-05-21 15:24 James Carter
  2020-05-21 15:24 ` [PATCH 2/3] libsepol: Improve writing CIL sensitivity rules James Carter
  2020-05-21 15:24 ` [PATCH 3/3] libsepol: Improve writing CIL category rules James Carter
From: James Carter @ 2020-05-21 15:24 UTC (permalink / raw)
  To: selinux; +Cc: James Carter

When converting a non-MLS kernel binary policy to CIL, write the CIL
default MLS rules (since CIL requires at least one sensitivity,
and sensitivityorder statements) on separate lines.

This improves the readability of the resulting CIL policy.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_cil.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index ede78a20..cca77251 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -777,9 +777,9 @@ exit:
 
 static void write_default_mls_level(FILE *out)
 {
-	sepol_printf(out, "(sensitivity s0)");
-	sepol_printf(out, "(sensitivityorder (s0))");
-	sepol_printf(out, "(level %s (s0))", DEFAULT_LEVEL);
+	sepol_printf(out, "(sensitivity s0)\n");
+	sepol_printf(out, "(sensitivityorder (s0))\n");
+	sepol_printf(out, "(level %s (s0))\n", DEFAULT_LEVEL);
 }
 
 static int map_sensitivity_aliases_to_strs(char *key, void *data, void *args)
-- 
2.25.4



* [PATCH 2/3] libsepol: Improve writing CIL sensitivity rules
  2020-05-21 15:24 [PATCH 1/3] libsepol: Write CIL default MLS rules on separate lines James Carter
@ 2020-05-21 15:24 ` James Carter
  2020-05-21 19:16   ` Nicolas Iooss
  2020-05-21 15:24 ` [PATCH 3/3] libsepol: Improve writing CIL category rules James Carter
From: James Carter @ 2020-05-21 15:24 UTC (permalink / raw)
  To: selinux; +Cc: James Carter

Improve the writing of CIL sensitivity rules when converting an MLS kernel
policy to CIL. There are no functional changes, but this eliminates the
unnecessary checks for sensitivity aliases when using the
p_sens_val_to_name array, counts the actual number of aliases before
allocating memory, and skips the sensitivity alias rules when there are
no aliases.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_cil.c | 59 ++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 30 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index cca77251..6103c1a6 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -782,6 +782,17 @@ static void write_default_mls_level(FILE *out)
 	sepol_printf(out, "(level %s (s0))\n", DEFAULT_LEVEL);
 }
 
+static int map_count_sensitivity_aliases(char *key, void *data, void *args)
+{
+	level_datum_t *sens = data;
+	unsigned *count = args;
+
+	if (sens->isalias)
+		(*count)++;
+
+	return SEPOL_OK;
+}
+
 static int map_sensitivity_aliases_to_strs(char *key, void *data, void *args)
 {
 	level_datum_t *sens = data;
@@ -799,26 +810,13 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
 {
 	level_datum_t *level;
 	char *prev, *name, *actual;
-	struct strs *strs;
-	unsigned i, num;
+	struct strs *strs = NULL;
+	unsigned i, num = 0;
 	int rc = 0;
 
-	rc = strs_init(&strs, pdb->p_levels.nprim);
-	if (rc != 0) {
-		goto exit;
-	}
-
 	/* sensitivities */
 	for (i=0; i < pdb->p_levels.nprim; i++) {
 		name = pdb->p_sens_val_to_name[i];
-		if (!name) continue;
-		level = hashtab_search(pdb->p_levels.table, name);
-		if (!level) {
-			rc = -1;
-			goto exit;
-		}
-		if (level->isalias) continue;
-
 		sepol_printf(out, "(sensitivity %s)\n", name);
 	}
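Review bot: The loop over p_sens_val_to_name now prints `name` with no NULL guard, so the new code relies on an invariant that is stated only in the commit message, not in the code: every slot 0..nprim-1 of the array is filled and holds a primary sensitivity, never an alias. If that invariant holds in policydb it should be recorded at the loop so the next reader does not re-add the lookups; if it cannot be guaranteed for a malformed binary policy, the `if (!name) continue;` guard is the one removed check worth keeping. Suggested comment above the loop: `/* p_sens_val_to_name holds one primary sensitivity per value and never an alias, so no filtering is needed here */`. The same removal appears in the next hunk at L116 and in the category hunks of patch 3 (L218 and L247); the body of write_sensitivity_rules_to_cil continues outside this hunk.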
 
@@ -827,14 +825,6 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
 	prev = NULL;
 	for (i=0; i < pdb->p_levels.nprim; i++) {
 		name = pdb->p_sens_val_to_name[i];
-		if (!name) continue;
-		level = hashtab_search(pdb->p_levels.table, name);
-		if (!level) {
-			rc = -1;
-			goto exit;
-		}
-		if (level->isalias) continue;
-
 		if (prev) {
 			sepol_printf(out, "%s ", prev);
 		}
@@ -845,6 +835,22 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
 	}
 	sepol_printf(out, "))\n");
 
+	rc = hashtab_map(pdb->p_levels.table, map_count_sensitivity_aliases, &num);
+	if (rc != 0) {
+		goto exit;
+	}
+
+	if (num == 0) {
+		/* No aliases, so skip sensitivity alias rules */
+		rc = 0;
+		goto exit;
+	}
+
+	rc = strs_init(&strs, num);
+	if (rc != 0) {
+		goto exit;
+	}
+
 	rc = hashtab_map(pdb->p_levels.table, map_sensitivity_aliases_to_strs, strs);
 	if (rc != 0) {
 		goto exit;
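Review bot: The `num` produced by map_count_sensitivity_aliases is reused as the loop bound for `strs_read_at_index` in the following hunk (L154), replacing the removed `num = strs_num_items(strs);`, so correctness now depends on map_sensitivity_aliases_to_strs (defined outside this hunk) adding exactly one entry for every datum with `isalias` set; if the two callbacks ever disagree, the loop reads past the stored items. Keeping `num = strs_num_items(strs);` after `strs_sort(strs);` costs nothing and removes that coupling, or at least a comment at the count call should state that the two callbacks must use the same predicate. The `rc = 0;` inside the `num == 0` branch is redundant, since `rc` is already 0 after the check on the preceding lines. Patch 3 has the same structure in its hunks at L262 and L285.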
@@ -852,16 +858,9 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
 
 	strs_sort(strs);
 
-	num = strs_num_items(strs);
-
 	/* sensitivity aliases */
 	for (i=0; i < num; i++) {
 		name = strs_read_at_index(strs, i);
-		level = hashtab_search(pdb->p_levels.table, name);
-		if (!level) {
-			rc = -1;
-			goto exit;
-		}
 		sepol_printf(out, "(sensitivityalias %s)\n", name);
 	}
 
-- 
2.25.4



* [PATCH 3/3] libsepol: Improve writing CIL category rules
  2020-05-21 15:24 [PATCH 1/3] libsepol: Write CIL default MLS rules on separate lines James Carter
  2020-05-21 15:24 ` [PATCH 2/3] libsepol: Improve writing CIL sensitivity rules James Carter
@ 2020-05-21 15:24 ` James Carter
From: James Carter @ 2020-05-21 15:24 UTC (permalink / raw)
  To: selinux; +Cc: James Carter

Improve the writing of CIL category rules when converting an MLS kernel
policy to CIL. There are no functional changes, but this eliminates the
unnecessary checks for category aliases when using the p_cat_val_to_name
array, counts the actual number of aliases before allocating memory, and
skips the category alias rules when there are no aliases.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/kernel_to_cil.c | 59 ++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 30 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 6103c1a6..319f3641 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -886,6 +886,17 @@ exit:
 	return rc;
 }
 
+static int map_count_category_aliases(char *key, void *data, void *args)
+{
+	cat_datum_t *cat = data;
+	unsigned *count = args;
+
+	if (cat->isalias)
+		(*count)++;
+
+	return SEPOL_OK;
+}
+
 static int map_category_aliases_to_strs(char *key, void *data, void *args)
 {
 	cat_datum_t *cat = data;
@@ -903,26 +914,13 @@ static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 {
 	cat_datum_t *cat;
 	char *prev, *name, *actual;
-	struct strs *strs;
-	unsigned i, num;
+	struct strs *strs = NULL;
+	unsigned i, num = 0;
 	int rc = 0;
 
-	rc = strs_init(&strs, pdb->p_levels.nprim);
-	if (rc != 0) {
-		goto exit;
-	}
-
 	/* categories */
 	for (i=0; i < pdb->p_cats.nprim; i++) {
 		name = pdb->p_cat_val_to_name[i];
-		if (!name) continue;
-		cat = hashtab_search(pdb->p_cats.table, name);
-		if (!cat) {
-			rc = -1;
-			goto exit;
-		}
-		if (cat->isalias) continue;
-
 		sepol_printf(out, "(category %s)\n", name);
 	}
 
@@ -931,14 +929,6 @@ static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 	prev = NULL;
 	for (i=0; i < pdb->p_cats.nprim; i++) {
 		name = pdb->p_cat_val_to_name[i];
-		if (!name) continue;
-		cat = hashtab_search(pdb->p_cats.table, name);
-		if (!cat) {
-			rc = -1;
-			goto exit;
-		}
-		if (cat->isalias) continue;
-
 		if (prev) {
 			sepol_printf(out, "%s ", prev);
 		}
@@ -949,6 +939,22 @@ static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 	}
 	sepol_printf(out, "))\n");
 
+	rc = hashtab_map(pdb->p_cats.table, map_count_category_aliases, &num);
+	if (rc != 0) {
+		goto exit;
+	}
+
+	if (num == 0) {
+		/* No aliases, so skip category alias rules */
+		rc = 0;
+		goto exit;
+	}
+
+	rc = strs_init(&strs, num);
+	if (rc != 0) {
+		goto exit;
+	}
+
 	rc = hashtab_map(pdb->p_cats.table, map_category_aliases_to_strs, strs);
 	if (rc != 0) {
 		goto exit;
@@ -956,16 +962,9 @@ static int write_category_rules_to_cil(FILE *out, struct policydb *pdb)
 
 	strs_sort(strs);
 
-	num = strs_num_items(strs);
-
 	/* category aliases */
 	for (i=0; i < num; i++) {
 		name = strs_read_at_index(strs, i);
-		cat = hashtab_search(pdb->p_cats.table, name);
-		if (!cat) {
-			rc = -1;
-			goto exit;
-		}
 		sepol_printf(out, "(categoryalias %s)\n", name);
 	}
 
-- 
2.25.4



* Re: [PATCH 2/3] libsepol: Improve writing CIL sensitivity rules
  2020-05-21 15:24 ` [PATCH 2/3] libsepol: Improve writing CIL sensitivity rules James Carter
@ 2020-05-21 19:16   ` Nicolas Iooss
  2020-05-22 14:18     ` James Carter
From: Nicolas Iooss @ 2020-05-21 19:16 UTC (permalink / raw)
  To: James Carter; +Cc: SElinux list

On Thu, May 21, 2020 at 5:25 PM James Carter <jwcart2@gmail.com> wrote:
>
> Improves writing of CIL sensitivity rules when converting MLS kernel
> policy to CIL. No changes to functionality, but eliminate useless
> checks for sensitivity aliases when using the p_sens_val_to_name
> array, find the actual number of aliases before allocating memory,
> and skip the sensitivity alias rules if there are no aliases.
>
> Signed-off-by: James Carter <jwcart2@gmail.com>
> ---
>  libsepol/src/kernel_to_cil.c | 59 ++++++++++++++++++------------------
>  1 file changed, 29 insertions(+), 30 deletions(-)
>
> diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> index cca77251..6103c1a6 100644
> --- a/libsepol/src/kernel_to_cil.c
> +++ b/libsepol/src/kernel_to_cil.c
> @@ -782,6 +782,17 @@ static void write_default_mls_level(FILE *out)
>         sepol_printf(out, "(level %s (s0))\n", DEFAULT_LEVEL);
>  }
>
> +static int map_count_sensitivity_aliases(char *key, void *data, void *args)
> +{
> +       level_datum_t *sens = data;
> +       unsigned *count = args;
> +
> +       if (sens->isalias)
> +               (*count)++;
> +
> +       return SEPOL_OK;
> +}

Hello,
This patch looks good to me, but building fails because of an unused
parameter (here and in other patches),
https://travis-ci.org/github/fishilico/selinux/jobs/689760790#L2029 :

kernel_to_cil.c: In function ‘map_count_sensitivity_aliases’:
kernel_to_cil.c:785:48: error: unused parameter ‘key’ [-Werror=unused-parameter]
 static int map_count_sensitivity_aliases(char *key, void *data, void *args)
                                                ^~~
kernel_to_cil.c: In function ‘map_count_category_aliases’:
kernel_to_cil.c:889:45: error: unused parameter ‘key’ [-Werror=unused-parameter]
 static int map_count_category_aliases(char *key, void *data, void *args)
                                             ^~~
kernel_to_cil.c: In function ‘map_count_type_aliases’:
kernel_to_cil.c:1368:41: error: unused parameter ‘key’
[-Werror=unused-parameter]
 static int map_count_type_aliases(char *key, void *data, void *args)
                                        ^~~

Other functions use __attribute__((unused)) so you could probably use
it too in these functions.

Thanks,
Nicolas

> +
>  static int map_sensitivity_aliases_to_strs(char *key, void *data, void *args)
>  {
>         level_datum_t *sens = data;
> @@ -799,26 +810,13 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
>  {
>         level_datum_t *level;
>         char *prev, *name, *actual;
> -       struct strs *strs;
> -       unsigned i, num;
> +       struct strs *strs = NULL;
> +       unsigned i, num = 0;
>         int rc = 0;
>
> -       rc = strs_init(&strs, pdb->p_levels.nprim);
> -       if (rc != 0) {
> -               goto exit;
> -       }
> -
>         /* sensitivities */
>         for (i=0; i < pdb->p_levels.nprim; i++) {
>                 name = pdb->p_sens_val_to_name[i];
> -               if (!name) continue;
> -               level = hashtab_search(pdb->p_levels.table, name);
> -               if (!level) {
> -                       rc = -1;
> -                       goto exit;
> -               }
> -               if (level->isalias) continue;
> -
>                 sepol_printf(out, "(sensitivity %s)\n", name);
>         }
>
> @@ -827,14 +825,6 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
>         prev = NULL;
>         for (i=0; i < pdb->p_levels.nprim; i++) {
>                 name = pdb->p_sens_val_to_name[i];
> -               if (!name) continue;
> -               level = hashtab_search(pdb->p_levels.table, name);
> -               if (!level) {
> -                       rc = -1;
> -                       goto exit;
> -               }
> -               if (level->isalias) continue;
> -
>                 if (prev) {
>                         sepol_printf(out, "%s ", prev);
>                 }
> @@ -845,6 +835,22 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
>         }
>         sepol_printf(out, "))\n");
>
> +       rc = hashtab_map(pdb->p_levels.table, map_count_sensitivity_aliases, &num);
> +       if (rc != 0) {
> +               goto exit;
> +       }
> +
> +       if (num == 0) {
> +               /* No aliases, so skip sensitivity alias rules */
> +               rc = 0;
> +               goto exit;
> +       }
> +
> +       rc = strs_init(&strs, num);
> +       if (rc != 0) {
> +               goto exit;
> +       }
> +
>         rc = hashtab_map(pdb->p_levels.table, map_sensitivity_aliases_to_strs, strs);
>         if (rc != 0) {
>                 goto exit;
> @@ -852,16 +858,9 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
>
>         strs_sort(strs);
>
> -       num = strs_num_items(strs);
> -
>         /* sensitivity aliases */
>         for (i=0; i < num; i++) {
>                 name = strs_read_at_index(strs, i);
> -               level = hashtab_search(pdb->p_levels.table, name);
> -               if (!level) {
> -                       rc = -1;
> -                       goto exit;
> -               }
>                 sepol_printf(out, "(sensitivityalias %s)\n", name);
>         }
>
> --
> 2.25.4
>



* Re: [PATCH 2/3] libsepol: Improve writing CIL sensitivity rules
  2020-05-21 19:16   ` Nicolas Iooss
@ 2020-05-22 14:18     ` James Carter
From: James Carter @ 2020-05-22 14:18 UTC (permalink / raw)
  To: Nicolas Iooss; +Cc: SElinux list

On Thu, May 21, 2020 at 3:16 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Thu, May 21, 2020 at 5:25 PM James Carter <jwcart2@gmail.com> wrote:
> >
> > Improves writing of CIL sensitivity rules when converting MLS kernel
> > policy to CIL. No changes to functionality, but eliminate useless
> > checks for sensitivity aliases when using the p_sens_val_to_name
> > array, find the actual number of aliases before allocating memory,
> > and skip the sensitivity alias rules if there are no aliases.
> >
> > Signed-off-by: James Carter <jwcart2@gmail.com>
> > ---
> >  libsepol/src/kernel_to_cil.c | 59 ++++++++++++++++++------------------
> >  1 file changed, 29 insertions(+), 30 deletions(-)
> >
> > diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
> > index cca77251..6103c1a6 100644
> > --- a/libsepol/src/kernel_to_cil.c
> > +++ b/libsepol/src/kernel_to_cil.c
> > @@ -782,6 +782,17 @@ static void write_default_mls_level(FILE *out)
> >         sepol_printf(out, "(level %s (s0))\n", DEFAULT_LEVEL);
> >  }
> >
> > +static int map_count_sensitivity_aliases(char *key, void *data, void *args)
> > +{
> > +       level_datum_t *sens = data;
> > +       unsigned *count = args;
> > +
> > +       if (sens->isalias)
> > +               (*count)++;
> > +
> > +       return SEPOL_OK;
> > +}
>
> Hello,
> This patch looks good to me, but building fails because of an unused
> parameter (here and in other patches),
> https://travis-ci.org/github/fishilico/selinux/jobs/689760790#L2029 :
>
> kernel_to_cil.c: In function ‘map_count_sensitivity_aliases’:
> kernel_to_cil.c:785:48: error: unused parameter ‘key’ [-Werror=unused-parameter]
>  static int map_count_sensitivity_aliases(char *key, void *data, void *args)
>                                                 ^~~
> kernel_to_cil.c: In function ‘map_count_category_aliases’:
> kernel_to_cil.c:889:45: error: unused parameter ‘key’ [-Werror=unused-parameter]
>  static int map_count_category_aliases(char *key, void *data, void *args)
>                                              ^~~
> kernel_to_cil.c: In function ‘map_count_type_aliases’:
> kernel_to_cil.c:1368:41: error: unused parameter ‘key’
> [-Werror=unused-parameter]
>  static int map_count_type_aliases(char *key, void *data, void *args)
>                                         ^~~
>
> Other functions use __attribute__((unused)) so you could probably use
> it too in these functions.
>

Thanks, I'll update these patches and resend.

Jim

> Thanks,
> Nicolas
>
> > +
> >  static int map_sensitivity_aliases_to_strs(char *key, void *data, void *args)
> >  {
> >         level_datum_t *sens = data;
> > @@ -799,26 +810,13 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
> >  {
> >         level_datum_t *level;
> >         char *prev, *name, *actual;
> > -       struct strs *strs;
> > -       unsigned i, num;
> > +       struct strs *strs = NULL;
> > +       unsigned i, num = 0;
> >         int rc = 0;
> >
> > -       rc = strs_init(&strs, pdb->p_levels.nprim);
> > -       if (rc != 0) {
> > -               goto exit;
> > -       }
> > -
> >         /* sensitivities */
> >         for (i=0; i < pdb->p_levels.nprim; i++) {
> >                 name = pdb->p_sens_val_to_name[i];
> > -               if (!name) continue;
> > -               level = hashtab_search(pdb->p_levels.table, name);
> > -               if (!level) {
> > -                       rc = -1;
> > -                       goto exit;
> > -               }
> > -               if (level->isalias) continue;
> > -
> >                 sepol_printf(out, "(sensitivity %s)\n", name);
> >         }
> >
> > @@ -827,14 +825,6 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
> >         prev = NULL;
> >         for (i=0; i < pdb->p_levels.nprim; i++) {
> >                 name = pdb->p_sens_val_to_name[i];
> > -               if (!name) continue;
> > -               level = hashtab_search(pdb->p_levels.table, name);
> > -               if (!level) {
> > -                       rc = -1;
> > -                       goto exit;
> > -               }
> > -               if (level->isalias) continue;
> > -
> >                 if (prev) {
> >                         sepol_printf(out, "%s ", prev);
> >                 }
> > @@ -845,6 +835,22 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
> >         }
> >         sepol_printf(out, "))\n");
> >
> > +       rc = hashtab_map(pdb->p_levels.table, map_count_sensitivity_aliases, &num);
> > +       if (rc != 0) {
> > +               goto exit;
> > +       }
> > +
> > +       if (num == 0) {
> > +               /* No aliases, so skip sensitivity alias rules */
> > +               rc = 0;
> > +               goto exit;
> > +       }
> > +
> > +       rc = strs_init(&strs, num);
> > +       if (rc != 0) {
> > +               goto exit;
> > +       }
> > +
> >         rc = hashtab_map(pdb->p_levels.table, map_sensitivity_aliases_to_strs, strs);
> >         if (rc != 0) {
> >                 goto exit;
> > @@ -852,16 +858,9 @@ static int write_sensitivity_rules_to_cil(FILE *out, struct policydb *pdb)
> >
> >         strs_sort(strs);
> >
> > -       num = strs_num_items(strs);
> > -
> >         /* sensitivity aliases */
> >         for (i=0; i < num; i++) {
> >                 name = strs_read_at_index(strs, i);
> > -               level = hashtab_search(pdb->p_levels.table, name);
> > -               if (!level) {
> > -                       rc = -1;
> > -                       goto exit;
> > -               }
> >                 sepol_printf(out, "(sensitivityalias %s)\n", name);
> >         }
> >
> > --
> > 2.25.4
> >
>

