On Fri, May 24, 2019 at 6:02 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
> On 5/23/19 10:08 AM, Ondrej Mosnacek wrote:
> > On Thu, May 23, 2019 at 3:40 PM Dominick Grift <dac.override@xxxxxxxxx> wrote:
> >> On Thu, May 23, 2019 at 03:14:55PM +0200, Dominick Grift wrote:
> >>> On Thu, May 23, 2019 at 12:24:45PM +0200, Ondrej Mosnacek wrote:
> >>>> This series implements an optional optimization step when building
> >>>> a policydb via semodule or secilc, which identifies and removes rules
> >>>> that are redundant -- i.e. they are already covered by a more general
> >>>> rule based on attribute inheritance.
> >>>
> >>> Some stats with dssp2-standard:
> >>>
> >>> [kcinimod@myguest dssp2-standard]$ time secilc -n `find . -name *.cil` -o policy.31.noopt
> >>>
> >>> real    0m9.278s
> >>> user    0m7.036s
> >>> sys     0m2.017s
> >>> [kcinimod@myguest dssp2-standard]$ time secilc `find . -name *.cil` -o policy.31.opt
> >>>
> >>> real    0m19.343s
> >>> user    0m16.939s
> >>> sys     0m2.027s
> >>> [kcinimod@myguest dssp2-standard]$ ls -lh policy.*
> >>> -rw-rw-r--. 1 kcinimod kcinimod 2.4M May 23 15:11 policy.31.noopt
> >>> -rw-rw-r--. 1 kcinimod kcinimod 2.3M May 23 15:12 policy.31.opt
> >>>
> >>> Was unable to see the actual diff as sediff got oom-killed on me.
> >>
> >> According to percentage calculator that's roughly a 4 percent gain
> >> size-wise at a 47 percent performance penalty.
> >> Looks like dssp2-standard is pretty efficient as it is.
> >
> > Hmm, yeah, looks like I'll have to make it opt-in after all... or add
> > some heuristic to decide if running the optimization is really worth
> > it.
>
> Opt-in makes sense. How about just using 'O' for the option?

Sure, I already have patches to convert to opt-in ready in my devel
branch [1]. Expect them to be incorporated in v2 respin.

[1] https://github.com/WOnder93/selinux/compare/master...optimize-policy-v2

> Jim
>
> >>>> Since the performance penalty of this additional step is very small
> >>>> (it adds about 1 s to the current running time of ~20-30 s [1]) and
> >>>> it can have a big positive effect on the number of rules in policy
> >>>> (it manages to remove ~40% AV rules from Fedora 29 policy), the
> >>>> optimization is enabled by default and can be turned off using a
> >>>> command-line option (--no-optimize) in secilc and semodule [2].
> >>>>
> >>>> The optimization routine eliminates:
> >>>> * all allow/neverallow/dontaudit/auditallow rules (including xperm
> >>>>   variants) that are covered by another more general rule,
> >>>> * all conditional versions of the above rules that are covered by a
> >>>>   more general rule either in the unconditional table or in the same
> >>>>   branch of the same conditional.
> >>>>
> >>>> The optimization doesn't process other rules, since they currently
> >>>> do not support attributes. There is some room left for more precise
> >>>> optimization of conditional rules, but it would likely bring only
> >>>> little additional benefit.
> >>>>
> >>>> When the policy is mostly or fully expanded, the optimization should
> >>>> be turned off. If it isn't, the policy build time will increase a lot
> >>>> for no benefit. However, the complexity of optimization will be only
> >>>> linear w.r.t. the number of rules and so the impact should not be
> >>>> catastrophic. (When testing with secilc on a subset of Fedora policy
> >>>> with -X 100000 the build time was 1.7 s with optimization vs. 1 s
> >>>> without it.)
> >>>>
> >>>> Tested live on my Fedora 29 devel machine under normal use. No unusual
> >>>> AVCs were observed with optimized policy loaded.
> >>>>
> >>>> Travis build passed: https://travis-ci.org/WOnder93/selinux/builds/536157427
> >>>>
> >>>> NOTE: The xperm rule support wasn't tested -- I would welcome some
> >>>> peer review/testing of this part.
> >>>>
> >>>> [1] As measured on my machine (Fedora 29 policy, x86_64).
> >>>> [2] I have no problem with switching it to opt-in if that is preferred.
> >>>>
> >>>> Ondrej Mosnacek (4):
> >>>>   libsepol: add a function to optimize kernel policy
> >>>>   secilc: optimize policy before writing
> >>>>   libsemanage: optimize policy on rebuild
> >>>>   semodule: add flag to disable policy optimization
> >>>>
> >>>>  libsemanage/include/semanage/handle.h      |   4 +
> >>>>  libsemanage/src/direct_api.c               |   7 +
> >>>>  libsemanage/src/handle.c                   |  13 +
> >>>>  libsemanage/src/handle.h                   |   1 +
> >>>>  libsemanage/src/libsemanage.map            |   5 +
> >>>>  libsepol/include/sepol/policydb.h          |   5 +
> >>>>  libsepol/include/sepol/policydb/policydb.h |   2 +
> >>>>  libsepol/src/libsepol.map.in               |   5 +
> >>>>  libsepol/src/optimize.c                    | 370 +++++++++++++++++++++
> >>>>  libsepol/src/policydb_public.c             |   5 +
> >>>>  policycoreutils/semodule/semodule.c        |  12 +-
> >>>>  secilc/secilc.c                            |  16 +-
> >>>>  12 files changed, 442 insertions(+), 3 deletions(-)
> >>>>  create mode 100644 libsepol/src/optimize.c
> >>>>
> >>>> --
> >>>> 2.20.1
> >>>>
> >>>
> >>> --
> >>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> >>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> >>> Dominick Grift
>
> --
> James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
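The redundancy rule the cover letter describes (a rule is dropped when a more general rule, via attribute membership, already grants it, and a conditional rule only when the covering rule is unconditional or in the same branch of the same conditional), modelled in Python as an added example. This is not libsepol's optimize.c; the attribute memberships, rules and boolean name `b` are constructed for illustration, and the pairwise check is a toy, not the linear-time scheme the letter mentions.

```python
# Toy model of the redundant AV-rule elimination described in the cover letter.
# Constructed illustration, NOT libsepol's optimize.c; plain pairwise check only.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class AVRule:
    kind: str              # allow / dontaudit / auditallow / neverallow
    src: str               # type or attribute name
    tgt: str
    cls: str
    perms: FrozenSet[str]
    cond: Optional[Tuple[str, bool]] = None  # (boolean id, branch); None = unconditional

def expand(name: str, attrs: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Attribute -> its member types; a plain type expands to itself."""
    return frozenset(attrs.get(name, {name}))

def covers(general: AVRule, specific: AVRule, attrs) -> bool:
    """Same kind/class, superset src/tgt/perms, and `general` is unconditional
    or sits in the same branch of the same conditional as `specific`."""
    return (general.kind == specific.kind and general.cls == specific.cls
            and (general.cond is None or general.cond == specific.cond)
            and expand(general.src, attrs) >= expand(specific.src, attrs)
            and expand(general.tgt, attrs) >= expand(specific.tgt, attrs)
            and general.perms >= specific.perms)

def optimize(rules: List[AVRule], attrs) -> Tuple[List[AVRule], List[AVRule]]:
    """Return (kept, removed). Most general rules go first (unconditional wins ties),
    so a rule is dropped only if a kept rule covers it; duplicates collapse (stable sort)."""
    def generality(r: AVRule):
        return (len(expand(r.src, attrs)) * len(expand(r.tgt, attrs)) * len(r.perms),
                r.cond is None)
    kept, removed = [], []
    for r in sorted(rules, key=generality, reverse=True):
        (removed if any(covers(k, r, attrs) for k in kept) else kept).append(r)
    return kept, removed

# Constructed sample policy: two attributes, eight rules, three of them redundant.
ATTRS = {"domain": {"httpd_t", "sshd_t"}, "file_type": {"etc_t", "var_t"}}
RULES = [
    AVRule("allow", "domain", "file_type", "file", frozenset({"read", "getattr"})),
    AVRule("allow", "httpd_t", "etc_t", "file", frozenset({"read"})),   # covered by RULES[0]
    AVRule("allow", "httpd_t", "etc_t", "file", frozenset({"write"})),  # kept: write not granted above
    AVRule("allow", "sshd_t", "var_t", "file", frozenset({"getattr"}), ("b", True)),  # covered by RULES[0]
    AVRule("allow", "domain", "var_t", "file", frozenset({"write"}), ("b", True)),    # kept
    AVRule("allow", "sshd_t", "var_t", "file", frozenset({"write"}), ("b", True)),    # covered by RULES[4] (same branch)
    AVRule("allow", "sshd_t", "var_t", "file", frozenset({"write"}), ("b", False)),   # kept: other branch
    AVRule("dontaudit", "httpd_t", "etc_t", "file", frozenset({"read"})),  # kept: different rule kind
]
```

Running `optimize(RULES, ATTRS)` keeps five rules and removes the three marked as covered; the two `write` rules under opposite branches of `b` both survive, which is the case the letter's second bullet describes.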