Add sepol_policydb_optimize(), which checks a kernel policy for redundant rules (i.e. those that are covered by an existing more general rule) and removes them. Results on Fedora 29 policy: WITHOUT OPTIMIZATION: # time semodule -B real 0m21,280s user 0m18,636s sys 0m2,525s $ wc -c /sys/fs/selinux/policy 8692158 /sys/fs/selinux/policy $ seinfo (edited) Allow: 113159 Dontaudit: 10297 Total: 123156 WITH OPTIMIZATION ENABLED: # time semodule -B real 0m22,825s user 0m20,178s sys 0m2,520s $ wc -c /sys/fs/selinux/policy 8096158 /sys/fs/selinux/policy $ seinfo (edited) Allow: 66334 Dontaudit: 7480 Total: 73814 Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
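#ifndef _SEPOL_POLICYDB_H_
#define _SEPOL_POLICYDB_H_

#include <stddef.h>
#include <stdio.h>

#include <sepol/handle.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Opaque handle types.  Both structures are defined privately by the
 * library; callers only ever hold pointers obtained from the *_create()
 * functions below and release them with the matching *_free().
 */
struct sepol_policy_file;
typedef struct sepol_policy_file sepol_policy_file_t;

struct sepol_policydb;
typedef struct sepol_policydb sepol_policydb_t;

/* Policy file public interfaces. */

/*
 * Create and free memory associated with a policy file.
 *
 * A policy file is an I/O description (memory image or FILE) used by
 * sepol_policydb_read()/sepol_policydb_write(); it owns no policy data.
 * sepol_policy_file_create() presumably returns 0 on success and -1 on
 * failure like the other calls in this header -- confirm against the
 * implementation.  sepol_policy_file_free() releases only the policy
 * file object itself, not any buffer or FILE that was attached to it.
 */
extern int sepol_policy_file_create(sepol_policy_file_t ** pf);
extern void sepol_policy_file_free(sepol_policy_file_t * pf);

/*
 * Set the policy file to represent a binary policy memory image.
 * Subsequent operations using the policy file will read and write
 * the image located at the specified address with the specified length.
 * If 'len' is 0, then merely compute the necessary length upon
 * subsequent policydb write operations in order to determine the
 * necessary buffer size to allocate (retrieve it afterwards with
 * sepol_policy_file_get_len()).
 *
 * 'len' is the only bound the library has on 'data': when the policy
 * file is later used for reading, pass exactly the size of the image
 * and never a larger value, since a binary policy image is parsed as
 * untrusted input and an overstated length turns a truncated image into
 * an out-of-bounds read.  'data' is not const because the same policy
 * file object is also used as a write target.
 */
extern void sepol_policy_file_set_mem(sepol_policy_file_t * pf,
				      char *data, size_t len);

/*
 * Get the size of the buffer needed to store a policydb write
 * previously done on this policy file.
 *
 * This completes the two-pass sizing pattern: set_mem() with len == 0,
 * sepol_policydb_write(), then get_len() to learn how large a buffer to
 * allocate before repeating set_mem()/write() for real.
 * sepol_policydb_to_image() performs the same sequence internally.
 * Returns -1 on error (presumably; confirm with the implementation),
 * in which case *len is not meaningful.
 */
extern int sepol_policy_file_get_len(sepol_policy_file_t * pf, size_t * len);

/*
 * Set the policy file to represent a FILE.
 * Subsequent operations using the policy file will read and write
 * to the FILE.
 *
 * Nothing in this interface closes or rewinds 'fp'; the caller remains
 * responsible for opening it (in binary mode, as the image is binary)
 * and for closing it after the last read/write.
 */
extern void sepol_policy_file_set_fp(sepol_policy_file_t * pf, FILE * fp);

/*
 * Associate a handle with a policy file, for use in
 * error reporting from subsequent calls that take the
 * policy file as an argument.
 * A NULL handle presumably selects the library's default reporting --
 * confirm against sepol/handle.h.
 */
extern void sepol_policy_file_set_handle(sepol_policy_file_t * pf,
					 sepol_handle_t * handle);

/* Policydb public interfaces. */

/*
 * Create and free memory associated with a policydb.
 * A freshly created policydb has no type or version until
 * sepol_policydb_set_typevers() or sepol_policydb_read() assigns one.
 * sepol_policydb_create() presumably returns 0 on success and -1 on
 * failure -- confirm against the implementation.
 */
extern int sepol_policydb_create(sepol_policydb_t ** p);
extern void sepol_policydb_free(sepol_policydb_t * p);

/*
 * Legal types of policies that the policydb can represent.
 * By name: a kernel (binary) policy, a base policy module, and a
 * non-base policy module.  The type selects the legal version range
 * (see sepol_policydb_set_typevers()).
 */
#define SEPOL_POLICY_KERN 0
#define SEPOL_POLICY_BASE 1
#define SEPOL_POLICY_MOD 2

/*
 * Range of policy versions for the kernel policy type supported
 * by this library.  Versions outside [min, max] are rejected by
 * sepol_policydb_set_vers() for SEPOL_POLICY_KERN policies.
 */
extern int sepol_policy_kern_vers_min(void);
extern int sepol_policy_kern_vers_max(void);

/*
 * Set the policy type as specified, and automatically initialize the
 * policy version accordingly to the maximum version supported for the
 * policy type.
 * Returns -1 if the policy type is not legal (i.e. not one of the
 * SEPOL_POLICY_* values above); 0 otherwise.
 */
extern int sepol_policydb_set_typevers(sepol_policydb_t * p, unsigned int type);

/*
 * Set the policy version to a different value.
 * Returns -1 if the policy version is not in the supported range for
 * the (previously set) policy type; 0 otherwise.
 * Call sepol_policydb_set_typevers() first: the legal range depends on
 * the policy type already recorded in 'p'.
 */
extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);

/*
 * Set how to handle unknown class/perms.
 *
 * As the names suggest, SEPOL_DENY_UNKNOWN denies accesses involving
 * classes or permissions the policy does not define, SEPOL_REJECT_UNKNOWN
 * refuses such a policy outright, and SEPOL_ALLOW_UNKNOWN grants them.
 * Deny is the restrictive choice; allow widens what the policy permits
 * beyond what it describes and should be selected deliberately.
 * The values are not consecutive -- NOTE(review): they look like flag
 * bits mirroring the kernel's handle_unknown encoding, but confirm before
 * relying on bit tests.  Pass exactly one of them.
 * Returns -1 on error (presumably for a value outside this set; confirm
 * with the implementation).
 */
#define SEPOL_DENY_UNKNOWN 0
#define SEPOL_REJECT_UNKNOWN 2
#define SEPOL_ALLOW_UNKNOWN 4
extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
					     unsigned int handle_unknown);

/*
 * Set the target platform (SELinux or Xen) the policy is built for.
 * Returns -1 on error (presumably for an unrecognised platform value;
 * confirm with the implementation).
 */
#define SEPOL_TARGET_SELINUX 0
#define SEPOL_TARGET_XEN 1
extern int sepol_policydb_set_target_platform(sepol_policydb_t * p,
					      int target_platform);

/*
 * Optimize the policy by removing redundant rules.
 *
 * A rule is redundant when it is already covered by an existing, more
 * general rule, so removing it is intended to leave every access
 * decision unchanged while shrinking the policy.  Per the commit that
 * introduced it, this operates on a kernel policy (SEPOL_POLICY_KERN).
 * Because a defect here would silently alter what the resulting policy
 * allows, it is reasonable to compare the optimized and unoptimized
 * policies (e.g. with seinfo/sesearch) before deploying the result.
 * Returns -1 on error (presumably; confirm with the implementation).
 */
extern int sepol_policydb_optimize(sepol_policydb_t * p);

/*
 * Read a policydb from a policy file.
 * This automatically sets the type and version based on the
 * image contents.
 *
 * The image is external, untrusted input: on a non-zero return the
 * contents of 'p' must not be used.  NOTE(review): how thoroughly a
 * malformed image is validated is decided by the implementation, not
 * this header -- do not assume more than "failure is reported".
 */
extern int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf);

/*
 * Write a policydb to a policy file.
 * The generated image will be in the binary format corresponding
 * to the policy version associated with the policydb.
 * With a memory-backed policy file set up with len == 0 this only
 * measures the image; see sepol_policy_file_set_mem() and
 * sepol_policy_file_get_len().
 */
extern int sepol_policydb_write(sepol_policydb_t * p, sepol_policy_file_t * pf);

/*
 * Extract a policydb from a binary policy memory image.
 * This is equivalent to sepol_policydb_read with a policy file
 * set to refer to memory.
 * 'len' must be exactly the size of the image at 'data' (see the
 * note on sepol_policy_file_set_mem()); 'handle' is used for error
 * reporting as with sepol_policy_file_set_handle().
 */
extern int sepol_policydb_from_image(sepol_handle_t * handle,
				     void *data, size_t len,
				     sepol_policydb_t * p);

/*
 * Generate a binary policy memory image from a policydb.
 * This is equivalent to sepol_policydb_write with a policy file
 * set to refer to memory, but internally handles computing the
 * necessary length and allocating an appropriately sized memory
 * buffer for the caller.
 * On success *newdata points to the new buffer and *newlen holds its
 * size; ownership passes to the caller.  NOTE(review): the buffer is
 * presumably released with free() -- confirm against the implementation.
 * On failure neither output should be relied upon.
 */
extern int sepol_policydb_to_image(sepol_handle_t * handle,
				   sepol_policydb_t * p,
				   void **newdata, size_t * newlen);

/*
 * Check whether the policydb has MLS enabled.
 * NOTE(review): treat the result as a boolean (non-zero means enabled);
 * confirm with the implementation.
 */
extern int sepol_policydb_mls_enabled(const sepol_policydb_t * p);

/*
 * Check whether the compatibility mode for SELinux network
 * checks should be enabled when using this policy.
 * NOTE(review): treat the result as a boolean (non-zero means enabled);
 * confirm with the implementation.
 */
extern int sepol_policydb_compat_net(const sepol_policydb_t * p);

#ifdef __cplusplus
}
#endif

#endif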