Re: [PATCH] Restorecon: factor out a lookup helper for context matches

On Wed, Jul 24, 2019 at 5:39 PM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
>
> On Tue, 2019-07-23 at 22:06 +0200, Nicolas Iooss wrote:
> > On Wed, Jun 19, 2019 at 4:45 PM Stephen Smalley <sds@xxxxxxxxxxxxx>
> > wrote:
> > > On 3/11/19 6:24 PM, xunchang wrote:
> > > > We used to hash the file_context and skip the restorecon on the top
> > > > level directory if the hash doesn't change. But the file_context might
> > > > change after an update; and some users experienced long restorecon
> > > > time as they have lots of files under directories like /data/media.
> > > > Therefore, we try to skip unnecessary restores if the file context
> > > > related to the given directory doesn't change.
> > > >
> > > > This CL is the first step that factors out a lookup helper function
> > > > and returns an array of matched pointers instead of a single one.
> > > > The old lookup_common function is then modified to take the first
> > > > element in the array.
> > > >
> > > > This change has already been submitted in the Android selinux branch.
> > > > And porting it upstream will make these two branches more consistent
> > > > and save some work for the future merges.
> > >
> > > There were some changes to this patch before it landed in AOSP, so
> > > they aren't quite consistent.  Do you want to submit the final patch?
> >
> > Hello,
> >
> > What are the states of this patch and the one which has been posted
> > in April (
> > https://lore.kernel.org/selinux/20190417180955.136942-1-xunchang@xxxxxxxxxx/
> > )?
> > I do not follow what happens in Android but if the patches have been
> > modified there, it seems a good idea to post the modified patches to
> > selinux@xxxxxxxxxxxxxxx.
> >
> > Thanks,
> > Nicolas
>
> Once upon a time Android changed the way restorecon(8) works by
> replacing the per-mountpoint security.restorecon_last attribute with a
> per-directory security.sehash attribute computed from only those file
> contexts entries that partially match the directory.
>
> To achieve this Android produced the first three patches that are
> mentioned in Tianjie Xu's reply to this thread (one specific to Android
> (for their version of restorecon), and two that are common to upstream
> SELinux if implementing per-directory attributes).
>
> The V4 patches I've sent [1] will implement the upstream version of
> restorecon(3) supporting per-directory attributes. Plus it also
> resolves "the requirement for caller to have CAP_SYS_ADMIN to call
> setxattr" problem mentioned by Tianjie Xu.
>
> However, to implement my patches [1], you need first to install the two
> common patches [2] and [3] that Android have already installed and sent
> to selinux@xxxxxxxxxxxxxxx (read my cover letter patch for details).
>
> I think what Stephen is alluding to in his initial email is that one of
> the patches submitted to Android and the corresponding patch to this
> list [2] are slightly different, and that the Android team should
> resolve this before any merging can take place. The differences I've
> detected are listed at the end of this email.
>
> Hope this clarifies the situation.
>
> Richard
>
> [1]
> https://lore.kernel.org/selinux/20190706152115.8490-1-richard_c_haines@xxxxxxxxxxxxxx/T/#u
> [2]
> https://lore.kernel.org/selinux/20190311222442.49824-1-xunchang@xxxxxxxxxx/
> [3]
> https://lore.kernel.org/selinux/20190417180955.136942-1-xunchang@xxxxxxxxxx/

Thanks for your explanation. This indeed clarified the understanding I
have of these patches and I agree with merging the 2 patches you used
as a base of your 2 patches. I have created a Pull Request for this,
https://github.com/SELinuxProject/selinux/pull/172 , and will merge it
tomorrow if nobody disagrees.

Thanks,
Nicolas