Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy


On Tue, Apr 11, 2017 at 08:06:07PM +0000, Jeffrey Vander Stoep wrote:
> Using this patchset with "-G" option - we no longer see preemption on
> slowpath policy lookups.

'Gen - Just removing auto-generated attributes: "-G"'

Forgive me if I am wrong but that then means that CIL will not optimize the policy to deal with the expansion of these -negation rules by using type attributes instead:

example:

allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;

Maybe Android just has too many of these -negation rules, or maybe CIL cannot deal with them optimally.

Anyhow: giving us the ability to tune these things seems like a good thing because not all policy is created equal (Android has relatively few types but way more -negation and neverallow rules than refpolicy)

i.e. fewer types, but the types have way more attributes associated with them (without using -G) due to all the -negation going on

However I am a little worried about the "new defaults" (I should test this patch with dssp2-standard)

> 
> On Tue, Apr 11, 2017 at 12:28 PM James Carter <jwcart2@xxxxxxxxxxxxx> wrote:
> 
> On 04/11/2017 01:53 PM, James Carter wrote:
> > The number of type attributes included in the binary policy is becoming
> > a performance issue in some cases.
> >
> > This patch set more aggressively removes attributes and gives the options
> > to expand and remove all auto-generated attributes and all attributes with
> > fewer than a given number of attributes assigned.
> >
> > Comparison of the number of attributes remaining in the binary policy
> >      mls   normal  android
> > org  310     286     255
> > old  268     251     130
> > max  154      20      17
> > min  226     173     119
> > def  224     170      80
> > gen  221     170      46
> > u5   191     112      59
> >
> > Org - Number of attributes in the CIL policy
> > Old - Results without this patch set
> > Max - Remove the maximum number of attributes: "-G -X 9999"
> > Min - Remove the minimum number of attributes: "-X 0"
> > Def - The new defaults for CIL
> > Gen - Just removing auto-generated attributes: "-G"
> > U5  - Remove attributes with less than five members: "-X 5"
> >
> >
> 
> In case you are interested in sizes:
> 
>         mls  normal  android
> old   2.1M   2.0M     113K
> max  68.3M  63.4M    5041K
> min   2.1M   2.0M     122K
> def   2.1M   2.0M     115K
> gen   2.2M   2.0M     136K
> u5    2.2M   2.0M     116K
> 
> I would not recommend expanding all attributes.
> 
> Jim
> 
> > James Carter (2):
> >   libsepol/cil: Add ability to expand some attributes in binary policy
> >   secilc: Add options to control the expansion of attributes
> >
> >  libsepol/cil/include/cil/cil.h     |   2 +
> >  libsepol/cil/src/cil.c             |  12 ++
> >  libsepol/cil/src/cil_binary.c      | 253 +++++++++++++++++++++++++++----------
> >  libsepol/cil/src/cil_internal.h    |   7 +-
> >  libsepol/cil/src/cil_post.c        |  32 +++--
> >  libsepol/cil/src/cil_resolve_ast.c |  25 ++--
> >  libsepol/src/libsepol.map.in       |   2 +
> >  secilc/secil2conf.c                |   2 +
> >  secilc/secilc.8.xml                |  10 ++
> >  secilc/secilc.c                    |  31 ++++-
> >  10 files changed, 275 insertions(+), 101 deletions(-)
> >
> 
> 
> --
> James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to
> Selinux-request@xxxxxxxxxxxxx.



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
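As an added illustration (not code from this thread, from libsepol or from CIL), a constructed Python model of the trade-off the attribute counts and policy sizes above show: dropping an attribute with -G or -X forces every rule that referenced it to be written out once per concrete type, so the attribute count falls while the rule count and policy size grow. The sample policy, type names and the generated-attribute name are all hypothetical.

```python
# Toy model of secilc's attribute-expansion options (-G, -X N) as described in
# the thread above. Constructed illustration, not libsepol/CIL code.

# Constructed sample policy: attribute -> member types (all names hypothetical).
ATTRS = {
    "appdomain": {"untrusted_app", "isolated_app", "platform_app", "system_app"},
    "coredomain": {"init", "vold", "netd"},
    # Stand-in for the attribute CIL auto-generates for { appdomain -isolated_app }.
    "appdomain_minus_isolated": {"untrusted_app", "platform_app", "system_app"},
}
GENERATED = {"appdomain_minus_isolated"}

# Rules as (source set expression, target, class, perms); a "-x" token negates x.
RULES = [
    (["appdomain", "-isolated_app"], "rootfs", "lnk_file", "r_file_perms"),
    (["coredomain"], "proc", "file", "read"),
]

def resolve(expr):
    """Evaluate a CIL-style set expression into the concrete types it denotes."""
    types = set()
    for tok in expr:
        name = tok.lstrip("-")
        members = ATTRS.get(name, {name})  # a bare type is its own one-member set
        types = types - members if tok.startswith("-") else types | members
    return types

def kept_attributes(expand_generated=False, expand_size=0):
    """Attributes that stay in the binary policy: -G drops auto-generated ones,
    -X N drops those with fewer than N members."""
    return {a for a, m in ATTRS.items()
            if not (expand_generated and a in GENERATED) and len(m) >= expand_size}

def compile_rules(expand_generated=False, expand_size=0):
    """Emit binary-policy rules: one rule through a kept attribute when the
    source set matches it exactly, otherwise one rule per concrete type."""
    kept = kept_attributes(expand_generated, expand_size)
    out = []
    for expr, tgt, cls, perms in RULES:
        types = resolve(expr)
        attr = next((a for a in sorted(kept) if ATTRS[a] == types), None)
        if attr is not None:
            out.append((attr, tgt, cls, perms))
        else:
            out.extend((t, tgt, cls, perms) for t in sorted(types))
    return out

if __name__ == "__main__":
    for label, kw in [("min (-X 0)", {}), ("gen (-G)", {"expand_generated": True}),
                      ("u4 (-X 4)", {"expand_size": 4})]:
        print(f"{label}: {len(kept_attributes(**kw))} attrs, {len(compile_rules(**kw))} rules")
```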


