On 06/18/2015 04:26 PM, James Carter wrote: > On 06/18/2015 09:56 AM, Stephen Smalley wrote: >> On 06/17/2015 03:58 PM, James Carter wrote: >>> The largest change to the user and role bounds checking was to put >>> them in their own functions, so they could be called independently. >>> >>> The type bounds checking was changed to check one type bounds at >>> a time. An expanded avtab is still created, but now only the rules >>> of the parent type are expanded. If violations are discovered, >>> a list of avtab_ptr_t's provides details. This list is used to >>> display error messages for backwards compatibility and will be >>> used by CIL to provide a more detailed error message. >>> >>> Memory usage is reduced from 9,355M to 126M and time is reduced >>> from 9 sec to 2 sec. >>> >>> Signed-off-by: James Carter <jwcart2@xxxxxxxxxxxxx> >> >> Can we optimize the case where there are no bounded users/roles/types at >> all in the policy, and quickly return in that situation? Seems like we >> could just quickly walk them and check to see if any are bounded before >> we start doing anything else. Surprised we don't already do that. >> > > I am not sure how to do it faster. > > I am walking the types table [The statement: > hashtab_map(p->p_types.table, bounds_check_type_callback, &args);] and > only calling bounds_check_type() if the type has a bounds. > > Is there a faster way? So is there any avtab allocation if there are no bounded types? That's what I wanted to ensure we avoid or at least minimize. I was surprised that you indicated that we have significant memory and time usage from the old hierarchy checker since there are no bounded types in the default policy; I had assumed that it would optimize for that case, just as we quickly bail out of the assertion checker if there are no neverallows before even doing an avtab_init. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
