libsepol: Refactored bounds (hierarchy) checking code

The largest change to the user and role bounds checking was to put them in their own functions, so they could be called independently. The type bounds checking was changed to check one type bounds at a time. An expanded avtab is still created, but now only the rules of the parent type are expanded. If violations are discovered, a list of avtab_ptr_t's provides details. This list is used to display error messages for backwards compatibility and will be used by CIL to provide a more detailed error message. Memory usage is reduced from 9,355M to 126M and time is reduced from 9 sec to 2 sec. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2024-12-12 09:05:00 +00:00 · 2015-06-10 14:34:22 -04:00 · 2015-06-10 14:34:22 -04:00 · 798faf1227
commit 798faf1227
parent 9e6840e6a2
2 changed files with 677 additions and 430 deletions
--- a/libsepol/include/sepol/policydb/hierarchy.h
+++ b/libsepol/include/sepol/policydb/hierarchy.h
@ -25,11 +25,22 @@
 #ifndef _SEPOL_POLICYDB_HIERARCHY_H_
 #define _SEPOL_POLICYDB_HIERARCHY_H_

+#include <sepol/policydb/avtab.h>
 #include <sepol/policydb/policydb.h>
 #include <sys/cdefs.h>

 __BEGIN_DECLS

+extern int hierarchy_add_bounds(sepol_handle_t *handle, policydb_t *p);
+
+extern void bounds_destroy_bad(avtab_ptr_t cur);
+extern int bounds_check_type(sepol_handle_t *handle, policydb_t *p, uint32_t child,
+			     uint32_t parent, avtab_ptr_t *bad, int *numbad);
+
+extern int bounds_check_users(sepol_handle_t *handle, policydb_t *p);
+extern int bounds_check_roles(sepol_handle_t *handle, policydb_t *p);
+extern int bounds_check_types(sepol_handle_t *handle, policydb_t *p);
+
 extern int hierarchy_check_constraints(sepol_handle_t * handle, policydb_t * p);

 __END_DECLS
--- a/libsepol/src/hierarchy.c
+++ b/libsepol/src/hierarchy.c