On Fri, 2008-02-01 at 09:12 -0500, Joshua Brindle wrote:
> This patch should reduce the amount of peak memory required to expand
> the policy by consuming part of the input policy during expansion. It
> reduced the rss of semodule_expand with a full refpolicy from 86 to 66 meg.
>
> On a side note, if anyone knows of a good tool for profiling heap usage
> I'd like to hear, I've tried valgrind massif, google-perftools, and
> smaps and none of them seem to work that well...
>
> Signed-off-by: Joshua Brindle <method@xxxxxxxxxxxxxxx>
Looks sane, but patch is whitespace damaged here. Feel free to apply.
Acked-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
>
> Index: libsemanage/src/semanage_store.c
> ===================================================================
> --- libsemanage/src/semanage_store.c (revision 2774)
> +++ libsemanage/src/semanage_store.c (working copy)
> @@ -1636,6 +1636,8 @@
> if (sepol_policydb_create(&out))
> goto err;
>
> + sepol_set_expand_consume_base(sh->sepolh, 1);
> +
> if (sepol_expand_module(sh->sepolh,
> sepol_module_package_get_policy(base), out, 0,
> expand_check)
> Index: libsepol/include/sepol/handle.h
> ===================================================================
> --- libsepol/include/sepol/handle.h (revision 2774)
> +++ libsepol/include/sepol/handle.h (working copy)
> @@ -11,6 +11,10 @@
> * not disable dontaudits, 1 disables them */
> void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
>
> +/* Set whether module_expand() should consume the base policy passed in.
> + * This should reduce the amount of memory required to expand the policy. */
> +void sepol_set_expand_consume_base(sepol_handle_t * sh, int consume_base);
> +
> /* Destroy a sepol handle. */
> void sepol_handle_destroy(sepol_handle_t *);
>
> Index: libsepol/src/handle.h
> ===================================================================
> --- libsepol/src/handle.h (revision 2774)
> +++ libsepol/src/handle.h (working copy)
> @@ -16,6 +16,7 @@
> void *msg_callback_arg;
>
> int disable_dontaudit;
> + int expand_consume_base;
>
> };
>
> Index: libsepol/src/libsepol.map
> ===================================================================
> --- libsepol/src/libsepol.map (revision 2774)
> +++ libsepol/src/libsepol.map (working copy)
> @@ -13,5 +13,6 @@
> sepol_policy_kern_*;
> sepol_policy_file_*;
> sepol_set_disable_dontaudit;
> + sepol_set_expand_consume_base;
> local: *;
> };
> Index: libsepol/src/expand.c
> ===================================================================
> --- libsepol/src/expand.c (revision 2774)
> +++ libsepol/src/expand.c (working copy)
> @@ -2134,17 +2134,17 @@
> */
> static int copy_and_expand_avrule_block(expand_state_t * state)
> {
> - avrule_block_t *curblock;
> + avrule_block_t *curblock = state->base->global;
> + avrule_block_t *prevblock;
> int retval = -1;
>
> - for (curblock = state->base->global; curblock != NULL;
> - curblock = curblock->next) {
> + while (curblock) {
> avrule_decl_t *decl = curblock->enabled;
> avrule_t *cur_avrule;
>
> if (decl == NULL) {
> /* nothing was enabled within this block */
> - continue;
> + goto cont;
> }
>
> /* copy role allows and role trans */
> @@ -2186,6 +2186,18 @@
> /* copy conditional rules */
> if (cond_node_copy(state, decl->cond_list))
> goto cleanup;
> +
> + cont:
> + prevblock = curblock;
> + curblock = curblock->next;
> +
> + if (state->handle && state->handle->expand_consume_base) {
> + /* set base top avrule block in case there
> + * is an error condition and the policy needs
> + * to be destroyed */
> + state->base->global = curblock;
> + avrule_block_destroy(prevblock);
> + }
> }
>
> retval = 0;
> Index: libsepol/src/handle.c
> ===================================================================
> --- libsepol/src/handle.c (revision 2774)
> +++ libsepol/src/handle.c (working copy)
> @@ -16,6 +16,7 @@
>
> /* by default do not disable dontaudits */
> sh->disable_dontaudit = 0;
> + sh->expand_consume_base = 0;
>
> return sh;
> }
> @@ -26,6 +27,12 @@
> sh->disable_dontaudit = disable_dontaudit;
> }
>
> +void sepol_set_expand_consume_base(sepol_handle_t *sh, int consume_base)
> +{
> + assert(sh != NULL);
> + sh->expand_consume_base = consume_base;
> +}
> +
> void sepol_handle_destroy(sepol_handle_t * sh)
> {
> free(sh);
> Index: policycoreutils/semodule_expand/semodule_expand.c
> ===================================================================
> --- policycoreutils/semodule_expand/semodule_expand.c (revision 2774)
> +++ policycoreutils/semodule_expand/semodule_expand.c (working copy)
> @@ -44,6 +44,7 @@
> sepol_policydb_t *out, *p;
> FILE *fp, *outfile;
> int check_assertions = 1;
> + sepol_handle_t *handle;
>
> while ((ch = getopt(argc, argv, "c:Vva")) != EOF) {
> switch (ch) {
> @@ -105,6 +106,10 @@
> basename = argv[optind++];
> outname = argv[optind];
>
> + handle = sepol_handle_create();
> + if (!handle)
> + exit(1);
> +
> if (sepol_policy_file_create(&pf)) {
> fprintf(stderr, "%s: Out of memory\n", argv[0]);
> exit(1);
> @@ -132,7 +137,7 @@
>
> /* linking the base takes care of enabling optional avrules */
> p = sepol_module_package_get_policy(base);
> - if (sepol_link_modules(NULL, p, NULL, 0, 0)) {
> + if (sepol_link_modules(handle, p, NULL, 0, 0)) {
> fprintf(stderr, "%s: Error while enabling avrules\n", argv[0]);
> exit(1);
> }
> @@ -144,7 +149,9 @@
> exit(1);
> }
>
> - if (sepol_expand_module(NULL, p, out, verbose, check_assertions)) {
> + sepol_set_expand_consume_base(handle, 1);
> +
> + if (sepol_expand_module(handle, p, out, verbose, check_assertions)) {
> fprintf(stderr, "%s: Error while expanding policy\n", argv[0]);
> exit(1);
> }
> @@ -174,6 +181,7 @@
> exit(1);
> }
> fclose(outfile);
> + sepol_handle_destroy(handle);
> sepol_policydb_free(out);
> sepol_policy_file_free(pf);
>
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
