selinux.vger.kernel.org archive mirror
From: jwcart2 <jwcart2@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [Non-DoD Source] [PATCH userspace v4 0/4] Remove redundant rules when building policydb
Date: Fri, 21 Jun 2019 10:11:59 -0400	[thread overview]
Message-ID: <bdb2280a-23f3-e386-2ffb-801f0ec35c34@tycho.nsa.gov> (raw)
In-Reply-To: <20190613114558.32621-1-omosnace@redhat.com>

On 6/13/19 7:45 AM, Ondrej Mosnacek wrote:
> Changes in v4:
>   * fix deallocation in error path in build_type_map()
>   * fix leaked cond nodes
>   * also update the man pages
>   * use UINT32_C for 0xFFFFFFFF constant
>   * squash in the RFC patches & drop the semodule patch
> v3: https://lore.kernel.org/selinux/20190529073759.20548-1-omosnace@redhat.com/T/
> 
> Changes in v3:
>   * fix bad patch squashing
>   * rename secilc --optimize-policy option to --optimize (to be simpler
>     and consistent with checkpolicy and semodule)
> v2: https://lore.kernel.org/selinux/20190528145912.13827-1-omosnace@redhat.com/T/
> 
> Changes in v2:
>   * fix handling of dontaudit (AVTAB_DENY) rules
>   * switch optimization from opt-out to opt-in everywhere
>   * add a patch from jwcart2 that adds optimization support to
>     checkpolicy as well
>   * add two RFC modifications (see log messages for details):
>     * one improves the optimization to detect also rules covered by the
>       union of two or more other rules (on permission set level)
>     * the other one drops libsemanage/semodule run-time enabling/
>       disabling of optimization in favor of a global config option
> v1: https://lore.kernel.org/selinux/20190523102449.9621-1-omosnace@redhat.com/T/
> 
> This series implements an optional optimization step when building a
> policydb via semodule or secilc, which identifies and removes rules that
> are redundant -- i.e. they are already covered by a more general rule
> based on the type attribute hierarchy.
> 
> Since the optimization might not always be useful (e.g. when care is
> taken to not have redundant rules or when the attributes are
> aggressively expanded) and might even drastically increase policy build
> times under some circumstances (for example with the DSSP standard policy
> [1]), the optimization is applied only when requested explicitly.
> 
> The optimization routine eliminates:
>   * all allow/dontaudit/auditallow(/neverallow) rules (including xperm
>     variants) that are covered by another more general rule (or by a
>     union of other rules),
>   * all conditional versions of the above rules that are covered by a
>     more general rule either in the unconditional table or in the same
>     branch of the same conditional.
> 
> The optimization doesn't process other rules, since they currently do
> not support attributes. There is some room left for more precise
> optimization of conditional rules, but it would likely bring only little
> additional benefit.
> 
> Travis build passed: https://travis-ci.org/WOnder93/selinux/builds/545184071
> 
> Tested:
>   * live on my Fedora 29 devel machine under normal use (no unusual AVCs
>     observed with the optimized policy loaded)
>   * using: https://gitlab.com/omos/selinux-misc/blob/master/opt_test.sh
>     * tests also xperm rules
>     * doesn't test conditionals
> 
> [1] https://github.com/DefenSec/dssp2-standard
> 
> James Carter (1):
>    checkpolicy: add flag to enable policy optimization
> 
> Ondrej Mosnacek (3):
>    libsepol: add a function to optimize kernel policy
>    libsemanage: optionally optimize policy on rebuild
>    secilc: add flag to enable policy optimization
> 
>   checkpolicy/checkpolicy.8                  |   3 +
>   checkpolicy/checkpolicy.c                  |  16 +-
>   libsemanage/man/man5/semanage.conf.5       |   5 +
>   libsemanage/src/conf-parse.y               |  15 +-
>   libsemanage/src/conf-scan.l                |   1 +
>   libsemanage/src/direct_api.c               |   7 +
>   libsemanage/src/semanage_conf.h            |   1 +
>   libsepol/include/sepol/policydb.h          |   5 +
>   libsepol/include/sepol/policydb/policydb.h |   2 +
>   libsepol/src/libsepol.map.in               |   5 +
>   libsepol/src/optimize.c                    | 378 +++++++++++++++++++++
>   libsepol/src/policydb_public.c             |   5 +
>   secilc/secilc.8.xml                        |   5 +
>   secilc/secilc.c                            |  16 +-
>   14 files changed, 460 insertions(+), 4 deletions(-)
>   create mode 100644 libsepol/src/optimize.c
> 

Acked-by: James Carter <jwcart2@tycho.nsa.gov>

staged: https://github.com/SELinuxProject/selinux/pull/168

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
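
The cover letter above describes the redundancy test in words: a rule is dropped when a strictly more general rule (or the union of several) on the same class already grants everything it grants, with sources and targets compared through the type attribute hierarchy. The following is an added example, not code from this series or from libsepol, that models that test on a reduced avtab. It assumes the attribute expansion that build_type_map() performs in the real code has already been done, so sources and targets are plain bitmasks of concrete types; it covers unconditional allow and dontaudit rules only (no xperm, no conditionals); and the sample policy at the bottom is constructed for the demonstration. The v2 changelog's dontaudit fix is reflected in effective_perms(): a dontaudit rule is compiled into an AVTAB_AUDITDENY datum that is the complement of the dontaudited set, so the subset test has to run on the normalised set rather than the raw datum.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Reduced stand-in for the kernel avtab: one (source, target, class) key with
 * a 32-bit datum and a kind. Sources and targets are already expanded to sets
 * of concrete types (bit i == type i), as build_type_map() does in the series;
 * this is an illustration, not libsepol's own data structure. */
enum rule_kind { RULE_ALLOW, RULE_AUDITDENY };

struct rule {
    uint32_t src;        /* set of source types (attribute expansion) */
    uint32_t tgt;        /* set of target types */
    uint32_t cls;        /* object class id */
    enum rule_kind kind;
    uint32_t data;       /* avtab datum, see effective_perms() */
};

/* Permissions the rule actually grants or suppresses. An allow datum is the
 * granted set. A dontaudit rule is stored as an AVTAB_AUDITDENY datum whose
 * set bits are the permissions that ARE still audited on denial, i.e. the
 * complement of the dontaudited set; comparing raw datums would invert the
 * subset test for those rules, so normalise first. */
static uint32_t effective_perms(const struct rule *r)
{
    return r->kind == RULE_AUDITDENY ? ~r->data : r->data;
}

/* B is strictly more general than A: same class and kind, B's source and
 * target sets contain A's, and B is not the same key (two identical keys
 * must not cover each other, or both would be dropped). */
static int more_general(const struct rule *a, const struct rule *b)
{
    if (a->cls != b->cls || a->kind != b->kind)
        return 0;
    if ((a->src & ~b->src) || (a->tgt & ~b->tgt))
        return 0;
    return a->src != b->src || a->tgt != b->tgt;
}

/* Rule i is redundant when the union of the permission sets of all strictly
 * more general rules already contains its own permission set. */
int is_redundant(const struct rule *rules, size_t n, size_t i)
{
    uint32_t covered = 0;
    for (size_t j = 0; j < n; j++)
        if (more_general(&rules[i], &rules[j]))
            covered |= effective_perms(&rules[j]);
    return (effective_perms(&rules[i]) & ~covered) == 0;
}

/* keep[i] = 0 for dropped rules; returns the number removed. Coverage is
 * evaluated against the original set: a covering rule that is itself
 * redundant is only ever covered by rules that are more general still, so
 * what finally remains still covers everything that was dropped. */
size_t optimize_rules(const struct rule *rules, size_t n, int *keep)
{
    size_t removed = 0;
    for (size_t i = 0; i < n; i++) {
        keep[i] = !is_redundant(rules, n, i);
        if (!keep[i])
            removed++;
    }
    return removed;
}

/* Constructed sample policy (not taken from any real policy).
 * Types: bit0 httpd_t, bit1 sshd_t, bit2 httpd_log_t, bit3 var_log_t.
 * Attributes: domain = {httpd_t, sshd_t} = 0x3, logfile = {httpd_log_t,
 * var_log_t} = 0xc. Class 1 = file, perms read=0x1 write=0x2 getattr=0x4
 * open=0x8. */
#define SAMPLE_N 8
#define ALL_PERMS UINT32_C(0xFFFFFFFF)
const struct rule sample_rules[SAMPLE_N] = {
    { 0x3, 0xc, 1, RULE_ALLOW,     0x5 },               /* allow domain logfile:file { read getattr }; */
    { 0x1, 0x4, 1, RULE_ALLOW,     0x1 },               /* allow httpd_t httpd_log_t:file read;            <- covered by [0] */
    { 0x1, 0xc, 1, RULE_ALLOW,     0x8 },               /* allow httpd_t logfile:file open; */
    { 0x1, 0x4, 1, RULE_ALLOW,     0x9 },               /* allow httpd_t httpd_log_t:file { read open };   <- covered by [0] U [2] only */
    { 0x2, 0x8, 1, RULE_ALLOW,     0x2 },               /* allow sshd_t var_log_t:file write; */
    { 0x3, 0xc, 1, RULE_AUDITDENY, ALL_PERMS & ~0x2u }, /* dontaudit domain logfile:file write; */
    { 0x1, 0x4, 1, RULE_AUDITDENY, ALL_PERMS & ~0x2u }, /* dontaudit httpd_t httpd_log_t:file write;       <- covered by [5] */
    { 0x1, 0x4, 1, RULE_AUDITDENY, ALL_PERMS & ~0x6u }, /* dontaudit httpd_t httpd_log_t:file { write getattr }; getattr not covered */
};

/* Optimize the sample and return a bitmask of the dropped rule indices. */
uint32_t optimize_sample(void)
{
    int keep[SAMPLE_N];
    uint32_t dropped = 0;
    optimize_rules(sample_rules, SAMPLE_N, keep);
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (!keep[i])
            dropped |= UINT32_C(1) << i;
    return dropped;
}

int main(void)
{
    uint32_t dropped = optimize_sample();
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("rule %zu: %s\n", i, (dropped >> i) & 1 ? "redundant" : "kept");
    return 0;
}
```

Rule [3] is the case the v2 changelog calls out: neither [0] nor [2] covers it alone, but their union does. Rules [6] and [7] show why the dontaudit datum has to be normalised before the subset test: on raw datums both would compare as supersets of [5] and the result would be inverted. Real policies also carry conditional and xperm rules, which this model leaves out.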


Thread overview: 10+ messages
2019-06-13 11:45 [PATCH userspace v4 0/4] Remove redundant rules when building policydb Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 1/4] libsepol: add a function to optimize kernel policy Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild Ondrej Mosnacek
2019-06-13 19:51   ` [Non-DoD Source] " jwcart2
2019-06-14 10:18     ` Ondrej Mosnacek
2019-06-14 13:38       ` jwcart2
2019-06-13 11:45 ` [PATCH userspace v4 3/4] secilc: add flag to enable policy optimization Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 4/4] checkpolicy: " Ondrej Mosnacek
2019-06-21 14:11 ` jwcart2 [this message]
2019-06-25 15:01   ` [Non-DoD Source] [PATCH userspace v4 0/4] Remove redundant rules when building policydb jwcart2
