From: jwcart2 <jwcart2@tycho.nsa.gov>
To: Ondrej Mosnacek <omosnace@redhat.com>, selinux@vger.kernel.org
Subject: Re: [Non-DoD Source] [PATCH userspace v4 0/4] Remove redundant rules when building policydb
Date: Fri, 21 Jun 2019 10:11:59 -0400 [thread overview]
Message-ID: <bdb2280a-23f3-e386-2ffb-801f0ec35c34@tycho.nsa.gov>
In-Reply-To: <20190613114558.32621-1-omosnace@redhat.com>
On 6/13/19 7:45 AM, Ondrej Mosnacek wrote:
> Changes in v4:
> * fix deallocation in error path in build_type_map()
> * fix leaked cond nodes
> * also update the man pages
> * use UINT32_C for 0xFFFFFFFF constant
> * squash in the RFC patches & drop the semodule patch
> v3: https://lore.kernel.org/selinux/20190529073759.20548-1-omosnace@redhat.com/T/
>
> Changes in v3:
> * fix bad patch squashing
> * rename secilc --optimize-policy option to --optimize (to be simpler
> and consistent with checkpolicy and semodule)
> v2: https://lore.kernel.org/selinux/20190528145912.13827-1-omosnace@redhat.com/T/
>
> Changes in v2:
> * fix handling of dontaudit (AVTAB_DENY) rules
> * switch optimization from opt-out to opt-in everywhere
> * add a patch from jwcart2 that adds optimization support to
> checkpolicy as well
> * add two RFC modifications (see log messages for details):
> * one improves the optimization to detect also rules covered by the
> union of two or more other rules (on permission set level)
> * the other one drops libsemanage/semodule run-time enabling/
> disabling of optimization in favor of a global config option
> v1: https://lore.kernel.org/selinux/20190523102449.9621-1-omosnace@redhat.com/T/
>
> This series implements an optional optimization step when building a
> policydb via semodule or secilc, which identifies and removes rules that
> are redundant -- i.e. they are already covered by a more general rule
> based on the type attribute hierarchy.
>
> Since the optimization might not always be useful (e.g. when care is
> taken to not have redundant rules or when the attributes are
> aggressively expanded) and might even drastically increase policy build
> times under some circumstances (for example with the DSSP standard policy
> [1]), the optimization is applied only when requested explicitly.
>
> The optimization routine eliminates:
> * all allow/dontaudit/auditallow(/neverallow) rules (including xperm
> variants) that are covered by another more general rule (or by a
> union of other rules),
> * all conditional versions of the above rules that are covered by a
> more general rule either in the unconditional table or in the same
> branch of the same conditional.
>
> The optimization doesn't process other rules, since they currently do
> not support attributes. There is some room left for more precise
> optimization of conditional rules, but it would likely bring only little
> additional benefit.
>
> Travis build passed: https://travis-ci.org/WOnder93/selinux/builds/545184071
>
> Tested:
> * live on my Fedora 29 devel machine under normal use (no unusual AVCs
> observed with the optimized policy loaded)
> * using: https://gitlab.com/omos/selinux-misc/blob/master/opt_test.sh
> * tests also xperm rules
> * doesn't test conditionals
>
> [1] https://github.com/DefenSec/dssp2-standard
>
> James Carter (1):
> checkpolicy: add flag to enable policy optimization
>
> Ondrej Mosnacek (3):
> libsepol: add a function to optimize kernel policy
> libsemanage: optionally optimize policy on rebuild
> secilc: add flag to enable policy optimization
>
> checkpolicy/checkpolicy.8 | 3 +
> checkpolicy/checkpolicy.c | 16 +-
> libsemanage/man/man5/semanage.conf.5 | 5 +
> libsemanage/src/conf-parse.y | 15 +-
> libsemanage/src/conf-scan.l | 1 +
> libsemanage/src/direct_api.c | 7 +
> libsemanage/src/semanage_conf.h | 1 +
> libsepol/include/sepol/policydb.h | 5 +
> libsepol/include/sepol/policydb/policydb.h | 2 +
> libsepol/src/libsepol.map.in | 5 +
> libsepol/src/optimize.c | 378 +++++++++++++++++++++
> libsepol/src/policydb_public.c | 5 +
> secilc/secilc.8.xml | 5 +
> secilc/secilc.c | 16 +-
> 14 files changed, 460 insertions(+), 4 deletions(-)
> create mode 100644 libsepol/src/optimize.c
>
Acked-by: James Carter <jwcart2@tycho.nsa.gov>
staged: https://github.com/SELinuxProject/selinux/pull/168
--
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
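The quoted cover letter describes the redundancy check only in prose. The block below is an added model of that check, written for this page and not taken from libsepol's optimize.c: the attribute map, the rule names R1..R11 and the boolean `httpd_can_network` are constructed sample data, and the permission sets are plain Python sets rather than avtab bit vectors. It shows the three cases the letter lists: a rule covered by one more general rule, a rule covered only by the union of two other rules, and a conditional rule covered either by the unconditional table or by the same branch of the same conditional. It also goes one step beyond the letter by removing rules one at a time so that two identical rules do not eliminate each other.

```python
"""Model of the redundant-rule check described in the cover letter.

Added illustration, not libsepol's optimize.c. ATTRS, the rule names and the
boolean name below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed attribute map: attribute name -> concrete types it expands to.
ATTRS = {
    "domain": frozenset({"httpd_t", "sshd_t"}),
    "file_type": frozenset({"etc_t", "httpd_config_t"}),
}


def expand(name: str) -> FrozenSet[str]:
    """Concrete types a type-or-attribute name stands for (a type is itself)."""
    return ATTRS.get(name, frozenset({name}))


@dataclass(frozen=True)
class AVRule:
    name: str
    kind: str                      # "allow", "dontaudit" or "auditallow"
    src: str
    tgt: str
    cls: str
    perms: FrozenSet[str]
    # None for an unconditional rule, else (boolean, branch) of the
    # conditional block the rule lives in.
    cond: Optional[Tuple[str, bool]] = None


def can_cover(cand: AVRule, rule: AVRule) -> bool:
    """Can `cand` contribute permissions toward covering `rule`?

    Same kind and class; cand's source and target expansions must contain
    every type in rule's expansions; a conditional rule may be covered by
    unconditional rules or by rules in the same branch of the same conditional,
    while an unconditional rule is never covered by a conditional one.
    """
    if cand is rule or cand.kind != rule.kind or cand.cls != rule.cls:
        return False
    if cand.cond is not None and cand.cond != rule.cond:
        return False
    return expand(cand.src) >= expand(rule.src) and expand(cand.tgt) >= expand(rule.tgt)


def is_redundant(rule: AVRule, others: List[AVRule]) -> bool:
    """True when the union of the perms of all covering candidates includes
    every perm of `rule`.  dontaudit perms are kept in positive form here;
    the kernel avtab stores them inverted (AVTAB_AUDITDENY), which is the
    detail the v2 changelog above refers to."""
    remaining = set(rule.perms)
    for cand in others:
        if can_cover(cand, rule):
            remaining -= cand.perms
            if not remaining:
                return True
    return not remaining


def optimize(rules: List[AVRule]) -> Tuple[List[AVRule], List[AVRule]]:
    """Drop redundant rules one at a time.  A dropped rule is no longer used to
    cover later ones, so identical rules do not eliminate each other; superset
    coverage is transitive, so dropping a covered rule never un-covers another."""
    kept = list(rules)
    removed: List[AVRule] = []
    i = 0
    while i < len(kept):
        if is_redundant(kept[i], kept[:i] + kept[i + 1:]):
            removed.append(kept.pop(i))
        else:
            i += 1
    return kept, removed


F = frozenset
B = "httpd_can_network"  # constructed boolean name
SAMPLE = [
    AVRule("R1", "allow", "domain", "file_type", "file", F({"read", "getattr", "open"})),
    AVRule("R2", "allow", "httpd_t", "httpd_config_t", "file", F({"read"})),   # covered by R1
    AVRule("R3", "allow", "httpd_t", "httpd_config_t", "file", F({"write"})),  # nothing grants write
    AVRule("R4", "allow", "domain", "etc_t", "file", F({"ioctl"})),
    AVRule("R5", "allow", "httpd_t", "etc_t", "file", F({"read", "ioctl"})),   # union of R1 and R4
    AVRule("R6", "dontaudit", "httpd_t", "etc_t", "file", F({"read"})),        # covered by R7
    AVRule("R7", "dontaudit", "domain", "file_type", "file", F({"read", "write"})),
    AVRule("R8", "allow", "httpd_t", "etc_t", "file", F({"read"}), cond=(B, True)),   # by unconditional R1
    AVRule("R9", "allow", "httpd_t", "etc_t", "file", F({"write"}), cond=(B, True)),  # by R11, same branch
    AVRule("R10", "allow", "domain", "etc_t", "file", F({"write"}), cond=(B, False)),  # other branch: kept
    AVRule("R11", "allow", "domain", "etc_t", "file", F({"write"}), cond=(B, True)),
]


def removed_names(rules: List[AVRule] = SAMPLE) -> List[str]:
    return [r.name for r in optimize(rules)[1]]


if __name__ == "__main__":
    for r in optimize(SAMPLE)[1]:
        print("redundant:", r.name, r.kind, r.src, r.tgt, r.cls, sorted(r.perms), r.cond)
```

The per-pair superset test on `expand()` is the model's stand-in for the type map the real code builds once up front; the point to take from the sample is that R5 is only redundant because the check accumulates permissions across several covering rules, and that R10 survives solely because it sits in the other branch of the conditional.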
Thread overview:
2019-06-13 11:45 [PATCH userspace v4 0/4] Remove redundant rules when building policydb Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 1/4] libsepol: add a function to optimize kernel policy Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 2/4] libsemanage: optionally optimize policy on rebuild Ondrej Mosnacek
2019-06-13 19:51 ` [Non-DoD Source] " jwcart2
2019-06-14 10:18 ` Ondrej Mosnacek
2019-06-14 13:38 ` jwcart2
2019-06-13 11:45 ` [PATCH userspace v4 3/4] secilc: add flag to enable policy optimization Ondrej Mosnacek
2019-06-13 11:45 ` [PATCH userspace v4 4/4] checkpolicy: " Ondrej Mosnacek
2019-06-21 14:11 ` jwcart2 [this message]
2019-06-25 15:01 ` [Non-DoD Source] [PATCH userspace v4 0/4] Remove redundant rules when building policydb jwcart2