On 04/12/2017 02:26 PM, James Carter wrote:
The number of type attributes included in the binary policy is becoming a performance issue in some cases. This patch set more aggressively removes attributes and gives the options to expand and remove all auto-generated attributes and all attributes with fewer than a given amount of attributes assigned.

Comparison of the number of attributes remaining in the binary policy

       mls   normal   android
org    310    286      255
old    268    251      130
max     71     20       17
min    226    173      119
def    223    170       80
gen    220    170       46
u5     164    112       59

Org - Number of attributes in the CIL policy
Old - Results without this patch set
Max - Remove the maximum number of attributes: "-G -X 9999"
Min - Remove the minimum number of attributes: "-X 0"
Def - The new defaults for CIL
Gen - Just removing auto-generated attributes: "-G"
U5  - Remove attributes with less than five members: "-X 5"

v2:
- Use "--expand-generated" and "--expand-size" as options for consistency.
- Fixed bug in cil_post.c:__cil_post_db_attr_helper() where cil_typeattribute_used() would not be called if the attribute type bitmap was already created.

James Carter (2):
  libsepol/cil: Add ability to expand some attributes in binary policy
  secilc: Add options to control the expansion of attributes

 libsepol/cil/include/cil/cil.h     |   2 +
 libsepol/cil/src/cil.c             |  12 ++
 libsepol/cil/src/cil_binary.c      | 253 +++++++++++++++++++++++++++----------
 libsepol/cil/src/cil_internal.h    |   7 +-
 libsepol/cil/src/cil_post.c        |  32 +++--
 libsepol/cil/src/cil_resolve_ast.c |  25 ++--
 libsepol/src/libsepol.map.in       |   2 +
 secilc/secil2conf.c                |   2 +
 secilc/secilc.8.xml                |  10 ++
 secilc/secilc.c                    |  31 ++++-
 10 files changed, 275 insertions(+), 101 deletions(-)

These three patches have been merged.

--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency