libsepol/cil: Limit the amount of reporting for context rule conflicts

When there are conflicting context rules, the location of the
conflicting rules are written out. If there are many duplicates of
the same context rule, there will be many pairs of conflicts written
out. This hides the fact that all of the rules are the same and can
make it hard to see the different conflicts.

First, since these are warnings and not reported at the default log
verbosity level (which only reports errors), only search for the
locations of the conflicting rules when the verbosity level means
that the warnings will actually be reported.

Second, Report all the duplicate conflicting rules together.

Third, Report the first four conflicts of the same rule if when
the verbosity level is at CIL_WARN ("-v") and report all of them
when the verbosity level is at CIL_INFO or higher ("-v -v").

Fixes problem found by oss-fuzz (#39735)

Signed-off-by: James Carter <jwcart2@gmail.com>
This commit is contained in:
James Carter 2022-01-18 16:53:49 -05:00
parent c964fe14f4
commit bc26ddc59c

View File

@ -2280,8 +2280,10 @@ static int __cil_post_report_conflict(struct cil_tree_node *node, uint32_t *fini
static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)(const void *, const void *), int (*concompar)(const void *, const void *), struct cil_db *db, enum cil_flavor flavor, const char *flavor_str)
{
uint32_t count = sort->count;
uint32_t i, j = 0, removed = 0;
uint32_t i = 0, j, removed = 0;
int conflicting = 0;
int rc = SEPOL_OK;
enum cil_log_level log_level = cil_get_log_level();
if (count < 2) {
return SEPOL_OK;
@ -2289,36 +2291,43 @@ static int __cil_post_process_context_rules(struct cil_sort *sort, int (*compar)
qsort(sort->array, sort->count, sizeof(sort->array), compar);
for (i=1; i<count; i++) {
for (j=1; j<count; j++) {
if (compar(&sort->array[i], &sort->array[j]) != 0) {
j++;
i++;
if (conflicting >= 4) {
/* 2 rules were written when conflicting == 1 */
cil_log(CIL_WARN, " Only first 4 of %d conflicting rules shown\n", conflicting);
}
conflicting = 0;
} else {
removed++;
if (!db->multiple_decls ||
concompar(&sort->array[i], &sort->array[j]) != 0) {
struct cil_list_item li;
int rc2;
cil_log(CIL_WARN, "Found conflicting %s rules\n",
flavor_str);
rc = SEPOL_ERR;
li.flavor = flavor;
li.data = sort->array[i];
rc2 = cil_tree_walk(db->ast->root,
__cil_post_report_conflict,
NULL, NULL, &li);
if (rc2 != SEPOL_OK) goto exit;
li.data = sort->array[j];
rc2 = cil_tree_walk(db->ast->root,
__cil_post_report_conflict,
NULL, NULL, &li);
if (rc2 != SEPOL_OK) goto exit;
if (!db->multiple_decls || concompar(&sort->array[i], &sort->array[j]) != 0) {
conflicting++;
if (log_level >= CIL_WARN) {
struct cil_list_item li;
int rc2;
li.flavor = flavor;
if (conflicting == 1) {
cil_log(CIL_WARN, "Found conflicting %s rules\n", flavor_str);
rc = SEPOL_ERR;
li.data = sort->array[i];
rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
NULL, NULL, &li);
if (rc2 != SEPOL_OK) goto exit;
}
if (conflicting < 4 || log_level > CIL_WARN) {
li.data = sort->array[j];
rc2 = cil_tree_walk(db->ast->root, __cil_post_report_conflict,
NULL, NULL, &li);
if (rc2 != SEPOL_OK) goto exit;
}
}
}
}
if (i != j) {
sort->array[j] = sort->array[i];
if (i != j && !conflicting) {
sort->array[i] = sort->array[j];
}
}
sort->count = count - removed;
exit: