Message ID | 20220119163518.93780-1-jwcart2@gmail.com (mailing list archive)
---|---
Series | libsepol/cil: Limit certain error and warning reports
I plan on merging this series next week.
Jim

On Wed, Jan 19, 2022 at 11:35 AM James Carter <jwcart2@gmail.com> wrote:
>
> When reporting some errors or warnings, a search is made to find the
> original or matching rule. Both neverallow and type bounds violations will
> use cil_find_matching_avrule_in_ast() to find the rules in violation. For
> context rules, the AST is walked to find the conflicting rule. If there are
> a lot of errors or warnings, then this can take a lot of time. oss-fuzz has
> generated policies that can abuse this reporting, so the desire is to limit
> the reporting by default.
>
> By using the new function, cil_get_log_level(), the error reporting for
> neverallow and type bounds violations and the warnings for context rule
> conflicts can be less by default while still allowing for everything to
> be reported at higher log verbosity levels.
>
>
> James Carter (4):
>   libsepol/cil: Add cil_get_log_level() function
>   libsepol/cil: Provide more control over reporting bounds failures
>   libsepol/cil: Limit the neverallow violations reported
>   libsepol/cil: Limit the amount of reporting for context rule conflicts
>
>  libsepol/cil/src/cil_binary.c | 20 +++++++++---
>  libsepol/cil/src/cil_log.c    |  5 +++
>  libsepol/cil/src/cil_log.h    |  2 ++
>  libsepol/cil/src/cil_post.c   | 57 ++++++++++++++++++++---------------
>  4 files changed, 56 insertions(+), 28 deletions(-)
>
> --
> 2.31.1
>
On Fri, Feb 18, 2022 at 4:17 PM James Carter <jwcart2@gmail.com> wrote:
>
> I plan on merging this series next week.

This series has been merged.
Jim

> Jim
>
> On Wed, Jan 19, 2022 at 11:35 AM James Carter <jwcart2@gmail.com> wrote:
> >
> > When reporting some errors or warnings, a search is made to find the
> > original or matching rule. Both neverallow and type bounds violations will
> > use cil_find_matching_avrule_in_ast() to find the rules in violation. For
> > context rules, the AST is walked to find the conflicting rule. If there are
> > a lot of errors or warnings, then this can take a lot of time. oss-fuzz has
> > generated policies that can abuse this reporting, so the desire is to limit
> > the reporting by default.
> >
> > By using the new function, cil_get_log_level(), the error reporting for
> > neverallow and type bounds violations and the warnings for context rule
> > conflicts can be less by default while still allowing for everything to
> > be reported at higher log verbosity levels.
> >
> >
> > James Carter (4):
> >   libsepol/cil: Add cil_get_log_level() function
> >   libsepol/cil: Provide more control over reporting bounds failures
> >   libsepol/cil: Limit the neverallow violations reported
> >   libsepol/cil: Limit the amount of reporting for context rule conflicts
> >
> >  libsepol/cil/src/cil_binary.c | 20 +++++++++---
> >  libsepol/cil/src/cil_log.c    |  5 +++
> >  libsepol/cil/src/cil_log.h    |  2 ++
> >  libsepol/cil/src/cil_post.c   | 57 ++++++++++++++++++++---------------
> >  4 files changed, 56 insertions(+), 28 deletions(-)
> >
> > --
> > 2.31.1
> >