[v4,0/2] userspace: Implement new format of filename trans rules

Message ID 20200717114804.762125-1-omosnace@redhat.com (mailing list archive)

Message

Ondrej Mosnacek July 17, 2020, 11:48 a.m. UTC
These patches are the userspace side of the kernel change posted at [1].

The first patch changes libsepol's internal representation of filename
transition rules in a way similar to kernel commit c3a276111ea2
("selinux: optimize storage of filename transitions") [2].

The second patch then builds upon that and implements reading and
writing of a new binary policy format that uses this representation also
in the data layout.

See individual patches for more details.

NOTE: This series unfortunately breaks the build of setools. Moreover,
when an existing build of setools dynamically links against the new
libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of
handling this, since setools relies on non-public libsepol policydb
API/ABI. I have prepared a preliminary patch to adapt setools to these
changes - I'll open a WIP pull request for it soon...

See also this discussion about the setools impact:
https://lore.kernel.org/selinux/daeae1d9-de29-aae0-6bde-3ad3427a5d42@tycho.nsa.gov/

Changes in v4:
 - rebased on top of latest master branch

Changes in v3:
 - fixed the change in dispol.c to match the rest of the code
 - renamed the helper functions to use the "_compat" suffix rather than
   "_old" and "_new"

Changes in v2:
 - fixed counting rules when reading the new policy format

[1] https://lore.kernel.org/selinux/20200327151941.95619-1-omosnace@redhat.com/T/
[2] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b

Ondrej Mosnacek (2):
  libsepol,checkpolicy: optimize storage of filename transitions
  libsepol: implement POLICYDB_VERSION_COMP_FTRANS

 checkpolicy/policy_define.c                |  52 ++--
 checkpolicy/test/dispol.c                  |  20 +-
 libsepol/cil/src/cil_binary.c              |  29 +-
 libsepol/include/sepol/policydb/policydb.h |  18 +-
 libsepol/src/expand.c                      |  60 +----
 libsepol/src/kernel_to_cil.c               |  24 +-
 libsepol/src/kernel_to_conf.c              |  24 +-
 libsepol/src/policydb.c                    | 299 +++++++++++++++++----
 libsepol/src/write.c                       | 101 +++++--
 9 files changed, 428 insertions(+), 199 deletions(-)

Comments

Ondrej Mosnacek July 19, 2020, 9:33 a.m. UTC | #1
On Fri, Jul 17, 2020 at 1:48 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> These patches are the userspace side of the kernel change posted at [1].
>
> The first patch changes libsepol's internal representation of filename
> transition rules in a way similar to kernel commit c3a276111ea2
> ("selinux: optimize storage of filename transitions") [2].
>
> The second patch then builds upon that and implements reading and
> writing of a new binary policy format that uses this representation also
> in the data layout.
>
> See individual patches for more details.
>
> NOTE: This series unfortunately breaks the build of setools. Moreover,
> when an existing build of setools dynamically links against the new
> libsepol, it segfaults. Sadly, there doesn't seem to be a nice way of
> handling this, since setools relies on non-public libsepol policydb
> API/ABI. I have prepared a preliminary patch to adapt setools to these
> changes - I'll open a WIP pull request for it soon...

While testing the setools patch I found some bugs in this series, so
it'll need a respin... I also found bugs in the setools patch itself
so I haven't opened a PR yet. I think I have them all fixed now, so
stay tuned...


--
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.