On Thu, May 23, 2019 at 12:24:45PM +0200, Ondrej Mosnacek wrote: > This series implements an optional optimization step when building > a policydb via semodule or secilc, which identifies and removes rules > that are redundant -- i.e. they are already covered by a more general > rule based on attribute inheritance. Some stats with dssp2-standard: [kcinimod@myguest dssp2-standard]$ time secilc -n `find . -name *.cil` -o policy.31.noopt real 0m9.278s user 0m7.036s sys 0m2.017s [kcinimod@myguest dssp2-standard]$ time secilc `find . -name *.cil` -o policy.31.opt real 0m19.343s user 0m16.939s sys 0m2.027s [kcinimod@myguest dssp2-standard]$ ls -lh policy.* -rw-rw-r--. 1 kcinimod kcinimod 2.4M May 23 15:11 policy.31.noopt -rw-rw-r--. 1 kcinimod kcinimod 2.3M May 23 15:12 policy.31.opt Was unable to see the actual diff as sediff got oom-killed on me > > Since the performance penalty of this additional step is very small > (it adds about 1 s to the current running time of ~20-30 s [1]) and > it can have a big positive effect on the number of rules in policy > (it manages to remove ~40% AV rules from Fedora 29 policy), the > optimization is enabled by default and can be turned off using a > command-line option (--no-optimize) in secilc and semodule [2]. > > The optimization routine eliminates: > * all allow/neverallow/dontaudit/auditallow rules (including xperm > variants) that are covered by another more general rule, > * all conditional versions of the above rules that are covered by a > more general rule either in the unconditional table or in the same > branch of the same conditional. > > The optimization doesn't process other rules, since they currently > do not support attributes. There is some room left for more precise > optimization of conditional rules, but it would likely bring only > little additional benefit. > > When the policy is mostly or fully expanded, the optimization should > be turned off. If it isn't, the policy build time will increase a lot > for no benefit. However, the complexity of optimization will be only > linear w.r.t. the number of rules and so the impact should not be > catastrophic. (When testing with secilc on a subset of Fedora policy > with -X 100000 the build time was 1.7 s with optimization vs. 1 s > without it.) > > Tested live on my Fedora 29 devel machine under normal use. No unusual > AVCs were observed with optimized policy loaded. > > Travis build passed: https://travis-ci.org/WOnder93/selinux/builds/536157427 > > NOTE: The xperm rule support wasn't tested -- I would welcome some > peer review/testing of this part. > > [1] As measured on my machine (Fedora 29 policy, x86_64). > [2] I have no problem with switching it to opt-in if that is preferred. > > Ondrej Mosnacek (4): > libsepol: add a function to optimize kernel policy > secilc: optimize policy before writing > libsemanage: optimize policy on rebuild > semodule: add flag to disable policy optimization > > libsemanage/include/semanage/handle.h | 4 + > libsemanage/src/direct_api.c | 7 + > libsemanage/src/handle.c | 13 + > libsemanage/src/handle.h | 1 + > libsemanage/src/libsemanage.map | 5 + > libsepol/include/sepol/policydb.h | 5 + > libsepol/include/sepol/policydb/policydb.h | 2 + > libsepol/src/libsepol.map.in | 5 + > libsepol/src/optimize.c | 370 +++++++++++++++++++++ > libsepol/src/policydb_public.c | 5 + > policycoreutils/semodule/semodule.c | 12 +- > secilc/secilc.c | 16 +- > 12 files changed, 442 insertions(+), 3 deletions(-) > create mode 100644 libsepol/src/optimize.c > > -- > 2.20.1 > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: PGP signature
