| Message ID | 20220114192002.730773-1-jwcart2@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [1/2] libsepol/cil: Limit the amount of reporting for neverallow violations | expand |
Hi, as a heavy user of neverallow / neverallowx, please don't limit this. When adding a new neverallow rule there might quite a few types violating them, and having to rebuild the policy every 2 types would make fixing them incredibly annoying. If you want to limit this, then please make it opt-in or add it as a command line option. On 1/14/22 20:20, James Carter wrote: > When there is a neverallow violation, a search is made for all of > the rules that violate the neverallow. The violating rules as well > as their parents are written out to make it easier to find these > rules. > > If there is a lot of rules that violate a neverallow, then this > amount of reporting is too much. Instead, only print out the first > two rules (with their parents) that match the violated neverallow > rule along with the total number of rules that violate the > neverallow. > > Signed-off-by: James Carter <jwcart2@gmail.com> > --- > libsepol/cil/src/cil_binary.c | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > index 4ac8ce8d..04a5d053 100644 > --- a/libsepol/cil/src/cil_binary.c > +++ b/libsepol/cil/src/cil_binary.c > @@ -4640,6 +4640,8 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr > char *neverallow_str; > char *allow_str; > enum cil_flavor avrule_flavor; > + int num_matching = 0; > + int count_matching = 0; > > target.rule_kind = CIL_AVRULE_ALLOWED; > target.is_extended = cil_rule->is_extended; > @@ -4666,11 +4668,19 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr > goto exit; > } > > + cil_list_for_each(i2, matching) { > + num_matching++; > + } > cil_list_for_each(i2, matching) { > n2 = i2->data; > r2 = n2->data; > __cil_print_parents(" ", n2); > __cil_print_rule(" ", allow_str, r2); > + count_matching++; > + if (count_matching >= 2) { > + cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching); > + break; > + } > } > cil_log(CIL_ERR,"\n"); > cil_list_destroy(&matching, CIL_FALSE);
On Fri, Jan 14, 2022 at 2:44 PM bauen1 <j2468h@googlemail.com> wrote: > > Hi, > > as a heavy user of neverallow / neverallowx, please don't limit this. > > When adding a new neverallow rule there might quite a few types violating them, and having to rebuild the policy every 2 types would make fixing them incredibly annoying. > > If you want to limit this, then please make it opt-in or add it as a command line option. > I am trying to limit error messages because oss-fuzz seems to be good at creating policies that generate a lot of error messages and subsequently take a lot of time to process. But I am not going to do that at the expense of people actually using secilc. I was already thinking about making the amount of error reporting depending on the verbosity level. What would think of it limiting it to two by default, but unlimited at any higher verbosity level. I can even add a message to use "-v" to see all of the errors. Jim > On 1/14/22 20:20, James Carter wrote: > > When there is a neverallow violation, a search is made for all of > > the rules that violate the neverallow. The violating rules as well > > as their parents are written out to make it easier to find these > > rules. > > > > If there is a lot of rules that violate a neverallow, then this > > amount of reporting is too much. Instead, only print out the first > > two rules (with their parents) that match the violated neverallow > > rule along with the total number of rules that violate the > > neverallow. > > > > Signed-off-by: James Carter <jwcart2@gmail.com> > > --- > > libsepol/cil/src/cil_binary.c | 10 ++++++++++ > > 1 file changed, 10 insertions(+) > > > > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c > > index 4ac8ce8d..04a5d053 100644 > > --- a/libsepol/cil/src/cil_binary.c > > +++ b/libsepol/cil/src/cil_binary.c > > @@ -4640,6 +4640,8 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr > > char *neverallow_str; > > char *allow_str; > > enum cil_flavor avrule_flavor; > > + int num_matching = 0; > > + int count_matching = 0; > > > > target.rule_kind = CIL_AVRULE_ALLOWED; > > target.is_extended = cil_rule->is_extended; > > @@ -4666,11 +4668,19 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr > > goto exit; > > } > > > > + cil_list_for_each(i2, matching) { > > + num_matching++; > > + } > > cil_list_for_each(i2, matching) { > > n2 = i2->data; > > r2 = n2->data; > > __cil_print_parents(" ", n2); > > __cil_print_rule(" ", allow_str, r2); > > + count_matching++; > > + if (count_matching >= 2) { > > + cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching); > > + break; > > + } > > } > > cil_log(CIL_ERR,"\n"); > > cil_list_destroy(&matching, CIL_FALSE); > > -- > bauen1 > https://dn42.bauen1.xyz/
On 1/18/22 16:48, James Carter wrote: > On Fri, Jan 14, 2022 at 2:44 PM bauen1 <j2468h@googlemail.com> wrote: >> >> Hi, >> >> as a heavy user of neverallow / neverallowx, please don't limit this. >> >> When adding a new neverallow rule there might quite a few types violating them, and having to rebuild the policy every 2 types would make fixing them incredibly annoying. >> >> If you want to limit this, then please make it opt-in or add it as a command line option. >> > > I am trying to limit error messages because oss-fuzz seems to be good > at creating policies that generate a lot of error messages and > subsequently take a lot of time to process. > > But I am not going to do that at the expense of people actually using secilc. > > I was already thinking about making the amount of error reporting > depending on the verbosity level. What would think of it limiting it > to two by default, but unlimited at any higher verbosity level. I can > even add a message to use "-v" to see all of the errors. Thanks, something like that would be totally fine for me. > Jim > > >> On 1/14/22 20:20, James Carter wrote: >>> When there is a neverallow violation, a search is made for all of >>> the rules that violate the neverallow. The violating rules as well >>> as their parents are written out to make it easier to find these >>> rules. >>> >>> If there is a lot of rules that violate a neverallow, then this >>> amount of reporting is too much. Instead, only print out the first >>> two rules (with their parents) that match the violated neverallow >>> rule along with the total number of rules that violate the >>> neverallow. >>> >>> Signed-off-by: James Carter <jwcart2@gmail.com> >>> --- >>> libsepol/cil/src/cil_binary.c | 10 ++++++++++ >>> 1 file changed, 10 insertions(+) >>> >>> diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c >>> index 4ac8ce8d..04a5d053 100644 >>> --- a/libsepol/cil/src/cil_binary.c >>> +++ b/libsepol/cil/src/cil_binary.c >>> @@ -4640,6 +4640,8 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr >>> char *neverallow_str; >>> char *allow_str; >>> enum cil_flavor avrule_flavor; >>> + int num_matching = 0; >>> + int count_matching = 0; >>> >>> target.rule_kind = CIL_AVRULE_ALLOWED; >>> target.is_extended = cil_rule->is_extended; >>> @@ -4666,11 +4668,19 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr >>> goto exit; >>> } >>> >>> + cil_list_for_each(i2, matching) { >>> + num_matching++; >>> + } >>> cil_list_for_each(i2, matching) { >>> n2 = i2->data; >>> r2 = n2->data; >>> __cil_print_parents(" ", n2); >>> __cil_print_rule(" ", allow_str, r2); >>> + count_matching++; >>> + if (count_matching >= 2) { >>> + cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching); >>> + break; >>> + } >>> } >>> cil_log(CIL_ERR,"\n"); >>> cil_list_destroy(&matching, CIL_FALSE); >> >> -- >> bauen1 >> https://dn42.bauen1.xyz/
Hi, On 1/19/22 14:04, bauen1 wrote: > > On 1/18/22 16:48, James Carter wrote: >> On Fri, Jan 14, 2022 at 2:44 PM bauen1 <j2468h@googlemail.com> wrote: >>> >>> Hi, >>> >>> as a heavy user of neverallow / neverallowx, please don't limit this. >>> >>> When adding a new neverallow rule there might quite a few types violating them, and having to rebuild the policy every 2 types would make fixing them incredibly annoying. >>> >>> If you want to limit this, then please make it opt-in or add it as a command line option. >>> >> >> I am trying to limit error messages because oss-fuzz seems to be good >> at creating policies that generate a lot of error messages and >> subsequently take a lot of time to process. >> >> But I am not going to do that at the expense of people actually using secilc. >> >> I was already thinking about making the amount of error reporting >> depending on the verbosity level. What would think of it limiting it >> to two by default, but unlimited at any higher verbosity level. I can >> even add a message to use "-v" to see all of the errors. > > Thanks, something like that would be totally fine for me. > I've also just noticed that typebounds will only print the first 2 violations. So if you make this depend on the verbosity level you might want to change that too, just to be consistent.
On Fri, Feb 11, 2022 at 8:03 PM bauen1 <j2468h@googlemail.com> wrote: > > Hi, > > On 1/19/22 14:04, bauen1 wrote: > > > > On 1/18/22 16:48, James Carter wrote: > >> On Fri, Jan 14, 2022 at 2:44 PM bauen1 <j2468h@googlemail.com> wrote: > >>> > >>> Hi, > >>> > >>> as a heavy user of neverallow / neverallowx, please don't limit this. > >>> > >>> When adding a new neverallow rule there might quite a few types violating them, and having to rebuild the policy every 2 types would make fixing them incredibly annoying. > >>> > >>> If you want to limit this, then please make it opt-in or add it as a command line option. > >>> > >> > >> I am trying to limit error messages because oss-fuzz seems to be good > >> at creating policies that generate a lot of error messages and > >> subsequently take a lot of time to process. > >> > >> But I am not going to do that at the expense of people actually using secilc. > >> > >> I was already thinking about making the amount of error reporting > >> depending on the verbosity level. What would think of it limiting it > >> to two by default, but unlimited at any higher verbosity level. I can > >> even add a message to use "-v" to see all of the errors. > > > > Thanks, something like that would be totally fine for me. > > > > I've also just noticed that typebounds will only print the first 2 violations. > So if you make this depend on the verbosity level you might want to change that too, just to be consistent. > Yes, I did send out a v2 that changes the typebounds error reporting to depend on the verbosity level as well. That patch set was sent out on January 19th. Thanks, Jim > -- > bauen1 > https://dn42.bauen1.xyz/
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 4ac8ce8d..04a5d053 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -4640,6 +4640,8 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr char *neverallow_str; char *allow_str; enum cil_flavor avrule_flavor; + int num_matching = 0; + int count_matching = 0; target.rule_kind = CIL_AVRULE_ALLOWED; target.is_extended = cil_rule->is_extended; @@ -4666,11 +4668,19 @@ static int __cil_print_neverallow_failure(const struct cil_db *db, struct cil_tr goto exit; } + cil_list_for_each(i2, matching) { + num_matching++; + } cil_list_for_each(i2, matching) { n2 = i2->data; r2 = n2->data; __cil_print_parents(" ", n2); __cil_print_rule(" ", allow_str, r2); + count_matching++; + if (count_matching >= 2) { + cil_log(CIL_ERR, " Only first 2 of %d matching rules shown\n", num_matching); + break; + } } cil_log(CIL_ERR,"\n"); cil_list_destroy(&matching, CIL_FALSE);
When there is a neverallow violation, a search is made for all of the rules that violate the neverallow. The violating rules as well as their parents are written out to make it easier to find these rules. If there is a lot of rules that violate a neverallow, then this amount of reporting is too much. Instead, only print out the first two rules (with their parents) that match the violated neverallow rule along with the total number of rules that violate the neverallow. Signed-off-by: James Carter <jwcart2@gmail.com> --- libsepol/cil/src/cil_binary.c | 10 ++++++++++ 1 file changed, 10 insertions(+)