This patch requires that patch [1] be installed first. [1] has been implemented on Android and was sent to the selinux list, however its merge has been deferred. It will install the core hashing of file_context entries.

This patch updates selinux_restorecon() replacing the per-mountpoint security.restorecon_last attribute with a per-directory security.sehash attribute computed from only those file contexts entries that partially match the directory. This is to avoid the need to walk the entire tree when any part of file_contexts changes, limiting relabels to only those parts of the tree that could have changed.

One change is to add a new selabel_get_digests_all_partial_matches(3) function that is explained in the man page. This could replace the Android version of selabel_hash_all_partial_matches(3), that could then be converted into a local function.

I've not updated restorecon(8) or restorecon_xattr(8) programs as they work okay (although I could rework the "selabel_opt_digest" stuff). However the man pages at least will need updating.

The patch still needs more testing (I've not tried all restorecon options), however I will send a patch for the selinux-testsuite that will perform some simple tests on the new code.

[1] https://lore.kernel.org/selinux/20190311222442.49824-1-xunchang@xxxxxxxxxx/

Richard Haines (1):
  libselinux: Save digest of all partial matches for directory

 libselinux/include/selinux/label.h                 |   5 +
 .../selabel_get_digests_all_partial_matches.3      |  69 ++++++
 libselinux/src/label.c                             |  15 ++
 libselinux/src/label_file.c                        |  51 +++++
 libselinux/src/label_file.h                        |   4 +
 libselinux/src/label_internal.h                    |   5 +
 libselinux/src/selinux_restorecon.c                | 204 +++++++++++++-----
 libselinux/utils/.gitignore                        |   2 +
 .../selabel_get_digests_all_partial_matches.c      | 171 +++++++++++++++
 .../utils/selabel_hash_all_partial_matches.c       | 126 +++++++++++
 10 files changed, 595 insertions(+), 57 deletions(-)
 create mode 100644 libselinux/man/man3/selabel_get_digests_all_partial_matches.3
 create mode 100644 libselinux/utils/selabel_get_digests_all_partial_matches.c
 create mode 100644 libselinux/utils/selabel_hash_all_partial_matches.c

-- 
2.20.1
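
An added illustration, not code from this patch or from libselinux: a small Python model of the per-directory digest check the cover letter describes, showing which directories need a relabel after one file_contexts entry changes. The literal-prefix test standing in for a regex partial match, the fields that are hashed, the use of SHA-1, and the dict standing in for the security.sehash xattr are all assumptions of the example.

```python
import hashlib
import re

# Constructed sample file_contexts entries: (path regex, context).
OLD_SPEC = [
    ("/usr(/.*)?", "system_u:object_r:usr_t:s0"),
    ("/usr/lib(/.*)?", "system_u:object_r:lib_t:s0"),
    ("/var/log(/.*)?", "system_u:object_r:var_log_t:s0"),
    ("/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
]
# Same entries after an edit that changes only the /var/www context.
NEW_SPEC = OLD_SPEC[:3] + [
    ("/var/www(/.*)?", "system_u:object_r:httpd_sys_rw_content_t:s0"),
]
DIRS = ["/usr", "/usr/lib", "/var", "/var/log", "/var/www", "/var/www/html"]

def literal_prefix(regex):
    """Leading part of a path regex before its first metacharacter."""
    return re.split(r"[\\.^$*+?()\[\]{}|]", regex, maxsplit=1)[0]

def may_apply(regex, directory):
    """Assumption: stand-in for a regex partial match on the directory path.
    It over-approximates, which can only cause extra relabels, never missed ones."""
    lit = literal_prefix(regex)
    return directory.startswith(lit) or lit.startswith(directory)

def directory_digest(spec, directory):
    """SHA-1 over only the entries that may apply to this directory."""
    h = hashlib.sha1()
    for regex, context in spec:
        if may_apply(regex, directory):
            h.update(regex.encode() + b"\0" + context.encode() + b"\0")
    return h.hexdigest()

def dirs_to_relabel(stored, spec, directories):
    """Directories whose stored digest no longer matches the current spec.
    A directory with no stored digest is always relabelled."""
    return [d for d in directories
            if stored.get(d) != directory_digest(spec, d)]

if __name__ == "__main__":
    # Dict standing in for the per-directory security.sehash xattr,
    # written during a relabel under OLD_SPEC.
    stored = {d: directory_digest(OLD_SPEC, d) for d in DIRS}
    for d in dirs_to_relabel(stored, NEW_SPEC, DIRS):
        print("relabel needed:", d)
```

A single digest over the whole specification, as with the per-mountpoint attribute, would differ after the same edit and force a walk of all six directories.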