[userspace,v4,0/4] Remove redundant rules when building policydb

Message ID 20190613114558.32621-1-omosnace@redhat.com (mailing list archive)

Message

Ondrej Mosnacek June 13, 2019, 11:45 a.m. UTC
Changes in v4:
 * fix deallocation in error path in build_type_map()
 * fix leaked cond nodes
 * also update the man pages
 * use UINT32_C for 0xFFFFFFFF constant
 * squash in the RFC patches & drop the semodule patch
v3: https://lore.kernel.org/selinux/20190529073759.20548-1-omosnace@redhat.com/T/

Changes in v3:
 * fix bad patch squashing
 * rename secilc --optimize-policy option to --optimize (to be simpler
   and consistent with checkpolicy and semodule)
v2: https://lore.kernel.org/selinux/20190528145912.13827-1-omosnace@redhat.com/T/

Changes in v2:
 * fix handling of dontaudit (AVTAB_DENY) rules
 * switch optimization from opt-out to opt-in everywhere
 * add a patch from jwcart2 that adds optimization support to
   checkpolicy as well
 * add two RFC modifications (see log messages for details):
   * one improves the optimization to detect also rules covered by the
     union of two or more other rules (on permission set level)
   * the other one drops libsemanage/semodule run-time enabling/
     disabling of optimization in favor of a global config option
v1: https://lore.kernel.org/selinux/20190523102449.9621-1-omosnace@redhat.com/T/

This series implements an optional optimization step when building a
policydb via semodule or secilc, which identifies and removes rules that
are redundant -- i.e. they are already covered by a more general rule
based on the type attribute hierarchy.

Since the optimization might not always be useful (e.g. when care is
taken to not have redundant rules or when the attributes are
aggressively expanded) and might even drastically increase policy build
times under some circumstances (for example with the DSSP standard policy
[1]), the optimization is applied only when requested explicitly.

The optimization routine eliminates:
 * all allow/dontaudit/auditallow(/neverallow) rules (including xperm
   variants) that are covered by another more general rule (or by a
   union of other rules),
 * all conditional versions of the above rules that are covered by a
   more general rule either in the unconditional table or in the same
   branch of the same conditional.

The optimization doesn't process other rules, since they currently do
not support attributes. There is some room left for more precise
optimization of conditional rules, but it would likely bring only little
additional benefit.

Travis build passed: https://travis-ci.org/WOnder93/selinux/builds/545184071

Tested:
 * live on my Fedora 29 devel machine under normal use (no unusual AVCs
   observed with the optimized policy loaded)
 * using: https://gitlab.com/omos/selinux-misc/blob/master/opt_test.sh
   * tests also xperm rules
   * doesn't test conditionals

[1] https://github.com/DefenSec/dssp2-standard

James Carter (1):
  checkpolicy: add flag to enable policy optimization

Ondrej Mosnacek (3):
  libsepol: add a function to optimize kernel policy
  libsemanage: optionally optimize policy on rebuild
  secilc: add flag to enable policy optimization

 checkpolicy/checkpolicy.8                  |   3 +
 checkpolicy/checkpolicy.c                  |  16 +-
 libsemanage/man/man5/semanage.conf.5       |   5 +
 libsemanage/src/conf-parse.y               |  15 +-
 libsemanage/src/conf-scan.l                |   1 +
 libsemanage/src/direct_api.c               |   7 +
 libsemanage/src/semanage_conf.h            |   1 +
 libsepol/include/sepol/policydb.h          |   5 +
 libsepol/include/sepol/policydb/policydb.h |   2 +
 libsepol/src/libsepol.map.in               |   5 +
 libsepol/src/optimize.c                    | 378 +++++++++++++++++++++
 libsepol/src/policydb_public.c             |   5 +
 secilc/secilc.8.xml                        |   5 +
 secilc/secilc.c                            |  16 +-
 14 files changed, 460 insertions(+), 4 deletions(-)
 create mode 100644 libsepol/src/optimize.c
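
The coverage rule the cover letter describes (a rule is redundant when a more general rule, or the union of several more general rules, already grants its permissions, with conditional rules covered only from the unconditional table or the same branch) as a small stand-alone model. This is an added example, not code from the series or from libsepol; the type names, attributes, class, permission bits and rules are a constructed sample, and generality is modelled simply as type-set inclusion rather than through libsepol's type map. It also reflects that rule kinds never cover each other: the binary avtab stores dontaudit as AVTAB_AUDITDENY with inverted permission bits, but the model keeps all kinds as source-level, non-inverted sets.

```c
/* Toy model of the redundant-rule check the cover letter describes. Added
 * example, not code from this series or libsepol; the types, attributes and
 * rules below are a constructed sample policy. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Types are bit positions; a type set (attribute or single type) is a mask. */
enum { USER_T, STAFF_T, SYSADM_T, HTTPD_T, ETC_T, BIN_T };
#define T(x)      (UINT32_C(1) << (x))
#define DOMAIN    (T(USER_T) | T(STAFF_T) | T(SYSADM_T) | T(HTTPD_T))
#define FILE_TYPE (T(ETC_T) | T(BIN_T))

enum { CLS_FILE = 1 };
enum { P_READ = 1u << 0, P_WRITE = 1u << 1, P_GETATTR = 1u << 2, P_EXEC = 1u << 3 };

/* Rule kinds never cover each other. The binary avtab stores dontaudit as
 * AVTAB_AUDITDENY with inverted bits; this model keeps every kind as the
 * source-level, non-inverted permission set. */
enum kind { ALLOW, DONTAUDIT, AUDITALLOW };
#define UNCOND 0 /* scope 0 = unconditional; k > 0 = one branch of one conditional */

struct rule {
    enum kind kind;
    uint32_t src, tgt; /* type sets */
    int cls;
    uint32_t perms;
    int scope;
    bool removed;
};

static bool subset(uint32_t a, uint32_t b) { return (a & ~b) == 0; }

/* Union of what other still-present rules of the same kind and class grant to
 * every (source, target) pair of rule i. A candidate must be at least as
 * general (superset source and target) and active whenever rule i is:
 * unconditional, or in the same conditional branch. */
static uint32_t covering_perms(const struct rule *r, size_t n, size_t i)
{
    uint32_t perms = 0;
    for (size_t j = 0; j < n; j++) {
        const struct rule *c = &r[j];
        if (j == i || c->removed || c->kind != r[i].kind || c->cls != r[i].cls)
            continue;
        if (c->scope != UNCOND && c->scope != r[i].scope)
            continue;
        if (subset(r[i].src, c->src) && subset(r[i].tgt, c->tgt))
            perms |= c->perms;
    }
    return perms;
}

/* Remove every rule whose permissions are a subset of what already covers it.
 * Removed rules drop out of later checks, so of two identical rules one
 * survives. Returns the number of rules removed. */
size_t optimize(struct rule *r, size_t n)
{
    size_t removed = 0;
    for (size_t i = 0; i < n; i++) {
        if (subset(r[i].perms, covering_perms(r, n, i))) {
            r[i].removed = true;
            removed++;
        }
    }
    return removed;
}

/* Constructed sample; the comments give the expected outcome. */
struct rule sample[] = {
    /*  0 */ { ALLOW, DOMAIN, FILE_TYPE, CLS_FILE, P_READ | P_GETATTR, UNCOND, false },
    /*  1 */ { ALLOW, T(USER_T), T(ETC_T), CLS_FILE, P_READ, UNCOND, false },             /* covered by 0 */
    /*  2 */ { ALLOW, T(STAFF_T), T(ETC_T), CLS_FILE, P_READ | P_WRITE, UNCOND, false },  /* kept: write */
    /*  3 */ { ALLOW, DOMAIN, T(BIN_T), CLS_FILE, P_EXEC, UNCOND, false },
    /*  4 */ { ALLOW, T(USER_T), T(BIN_T), CLS_FILE, P_GETATTR | P_EXEC, UNCOND, false }, /* union of 0 and 3 */
    /*  5 */ { ALLOW, T(SYSADM_T), T(ETC_T), CLS_FILE, P_GETATTR, 1, false },            /* cond, covered by unconditional 0 */
    /*  6 */ { ALLOW, T(SYSADM_T), FILE_TYPE, CLS_FILE, P_WRITE, 1, false },             /* kept */
    /*  7 */ { ALLOW, T(SYSADM_T), T(ETC_T), CLS_FILE, P_WRITE, 1, false },              /* covered by 6, same branch */
    /*  8 */ { ALLOW, T(HTTPD_T), T(ETC_T), CLS_FILE, P_WRITE, 2, false },               /* kept: other branch */
    /*  9 */ { DONTAUDIT, DOMAIN, FILE_TYPE, CLS_FILE, P_WRITE, UNCOND, false },
    /* 10 */ { DONTAUDIT, T(USER_T), T(ETC_T), CLS_FILE, P_WRITE, UNCOND, false },       /* covered by 9 */
    /* 11 */ { AUDITALLOW, T(USER_T), T(ETC_T), CLS_FILE, P_WRITE, UNCOND, false },      /* kept: kinds are separate */
};
#define N_SAMPLE (sizeof sample / sizeof sample[0])

/* Reset and optimize the sample; returns the number of rules removed (5). */
size_t optimize_sample(void)
{
    for (size_t i = 0; i < N_SAMPLE; i++)
        sample[i].removed = false;
    return optimize(sample, N_SAMPLE);
}

int main(void)
{
    size_t removed = optimize_sample();
    for (size_t i = 0; i < N_SAMPLE; i++)
        printf("rule %2zu: %s\n", i, sample[i].removed ? "redundant" : "kept");
    printf("%zu of %zu rules removed\n", removed, (size_t)N_SAMPLE);
    return 0;
}
```

Rule 4 is the case the v2 "union of two or more other rules" change targets: neither rule 0 nor rule 3 alone grants both getattr and execute, but together they do. Rule 8 shows why scope matters: a write rule in a different conditional branch is not active at the same time, so nothing covers it. The real step runs only on request (secilc --optimize, the checkpolicy flag and the semanage.conf option from this series), which is the right default given the build-time cost the cover letter reports for large policies.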

Comments

James Carter June 21, 2019, 2:11 p.m. UTC | #1
On 6/13/19 7:45 AM, Ondrej Mosnacek wrote:

Acked-by: James Carter <jwcart2@tycho.nsa.gov>

staged: https://github.com/SELinuxProject/selinux/pull/168
James Carter June 25, 2019, 3:01 p.m. UTC | #2
On 6/21/19 10:11 AM, jwcart2 wrote:
> Acked-by: James Carter <jwcart2@tycho.nsa.gov>
> 
> staged: https://github.com/SELinuxProject/selinux/pull/168
> 
Merged.