Includes some minor code changes to fix errors from static type checking.
Disable unsubscriptable-object pylint check on Wrapper subclass
declarations, as this hits the bug described in PyCQA/pylint#2822.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This checks for the nonexistance of allow rules that match the criteria
set in the check's options.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
These are various functions such as parsing comma separated strings,
looking up objects in the policy, and expanding attributes.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
The object class values have not been static for many years. This has only
worked because libsepol was similarly setting static class values. This
will soon be removed, see SELinuxProject/selinux#200.
Add file object classes to the unit tests where genfscons are used. The
classes are added in the same alignment as the static values since old
policies will have these class values.
Remove static class values from sepol.pxd.
Closes#39
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
The primary motivation for the change is to correctly handle redundant
rules. Recent changes in the SELinux toolchain added support for an
optimization that removes redundant rules from a policy. These are
conditional rules that are either already specified in unconditional
policy or rules using types that are also specified more generally
through an attribute. Since attributes are always expanded in sediff,
the second type of redundant rules are already effectively removed. But
redundant conditional rules show up as differences when a binary version
of a policy that has been optimized is compared to one that has not been.
A secondary motivation for the change is to reduce memory usage and diff
times. A modern Fedora policy cannot be diffed with a system with less than
32Gb of memory and it takes over four hours to complete.
With this change AV rules are processed by creating a data structure which
consists of nested dictionaries that store BOTH the left and the right
policies. All of the keys are interned strings to save space.
The basic structure is
rule_db[cond_exp][block_bool][src][tgt][tclass]=sides
where:
cond_exp is a boolean expression
block_bool is either true or false
src is the source type
tgt is the target type
tclass is the target class
sides is a namedtuple with "left" and "right" attributes
Each side is either None or another namedtuple with "perms" and
"orig_rule" attributes
perms is the set of permissions for this rule
orig_rule is the original unexpanded rule
These changes improve diff times and memory usage.
Without the change
Time Memory Usage
Older Fedora Policy 3 min 17 sec 4.5Gb
Recent Refpolicy 4 min 19 sec 6.0Gb
Recent Fedora Policy 4 hrs 9 min 31.9Gb
With the change
Time Memory Usage
Older Fedora Policy 28 sec 1.7Gb
Recent Refpolicy 34 sec 1.9Gb
Recent Fedora Policy 4 min 45 sec 7.7Gb
Also added a unit test to check that redundant rules are removed.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
Adds the option to the infoflow analysis to filter conditional policy based on the default or user specified boolean values.
Signed-off-by: Daniel Riechers <daniel.riechers@rockwellcollins.com>
Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
The network property will return an IPv4Network or IPv6Network based on the
nodecon. If the policy has host bits set, the ipaddress module will
simply ignore the host bits, so there may be unexpected results in network
comparisons.
Closes#108
* Remove unnecessary namedtuple classes
* Simplify __str__ functions on XenContext subclasses
* Rename mem_addr to addr in Iomemcon and IomemconQuery
* Minor logging tweaks in Xen queries
* Remove type checking in DevicetreeconQuery
