From c60d3ea1641874a944590ed8ae5e53fddb308366 Mon Sep 17 00:00:00 2001 From: Alex Klyubin <klyubin@google.com> Date: Tue, 25 Apr 2017 12:59:46 -0700 Subject: [PATCH] Do not warn about empty typesets in neverallows Empty typeset is not an issue in neverallow rules. The reason is that it's completely normal for scontext or tcontext of neverallow rules to evaluate to an empty type set. For example, there are neverallow rules whose purpose is to test that all types with particular powers are associated with a particular attribute: neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork; Test: sepolicy-analyze neverallow -w -n \ 'neverallow {} {}:binder call;' produces empty output instead of "Warning! Empty type set" Bug: 37357742 Change-Id: Id61b4fe22fafaf0522d8769dd4e23dfde6cd9f45 --- tools/sepolicy-analyze/neverallow.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c index b288ea7ac..26ce14468 100644 --- a/tools/sepolicy-analyze/neverallow.c +++ b/tools/sepolicy-analyze/neverallow.c @@ -173,9 +173,6 @@ static int read_typeset(policydb_t *policydb, char **ptr, char *end, } } - if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags)) - fprintf(stderr, "Warning! Empty type set\n"); - *ptr = p; return 0; err: -- GitLab
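Review bot: the deleted `if (warn && ebitmap_length(&typeset->types) == 0 && !(*flags))` in read_typeset is the only use of `warn` visible in this hunk, so please check whether the function still reads `warn` anywhere else; if it does not, the parameter and whatever the callers pass for it are now dead and should be dropped in the same change rather than left to trip an unused-parameter warning later. It would also help to leave a one-line comment just before `*ptr = p;` saying that an empty type set is deliberately accepted for neverallow rules, since the justification (rules such as `{ untrusted_app_all -untrusted_app -untrusted_app_25 }` that are expected to evaluate to nothing) currently lives only in the commit message and the check is easy to re-add by someone who has not read it.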