Check for if if parameters don't match comment

[dburgener]

No description provided.

[cgzones]

Parsing the interface/template header might also help inferring the kind of the parameter (type, type or type attribute (some interfaces support passing an attribute some don't), role, role or role attribute, textual prefix, ...) to improve the understanding of the policy.

Also inferring the number of parameters can help finding irregular calls (too few/many used) or unused parameters in the interface/template itself.

[dburgener]

With the exception of "unused parameters in the interface/template itself", I think we could also infer all of those situations from the contents of the interface?

In general, the documentation comments seem to be in extremely poor shape, so I'd be inclined to treat a difference between the comment and the actual behavior of the interface as a bug in the comment rather than vice versa.

[cgzones]

One major obstacle of inferring is the common usage of macros in interfaces, e.g. domtrans_pattern($1, foo_exec_t, foo_t) or read_file_pattern($1, foo_conf_t, foo_conf_t), where we currently cannot infer $1 to be type_or_attribute.