On Thu, Apr 16, 2020 at 3:27 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Thu, Apr 16, 2020 at 5:53 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > On Thu, Apr 16, 2020 at 4:23 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > > On Fri, Mar 27, 2020 at 11:19 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > > >
> > > > Implement a new, more space-efficient way of storing filename
> > > > transitions in the binary policy. The internal structures have already
> > > > been converted to this new representation; this patch just implements
> > > > reading/writing an equivalent representation from/to the binary policy.
> > > >
> > > > This new format reduces the size of Fedora policy from 7.6 MB to only
> > > > 3.3 MB (with policy optimization enabled in both cases). With the
> > > > unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB.
> > > >
> > > > The time to load policy into kernel is also shorter with the new format.
> > > > On Fedora Rawhide x86_64 it dropped from 157 ms to 106 ms; without the
> > > > unconfined module from 115 ms to 105 ms.
> > > >
> > > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > > > ---
> > > >  security/selinux/include/security.h |   3 +-
> > > >  security/selinux/ss/policydb.c      | 212 ++++++++++++++++++++++++----
> > > >  2 files changed, 189 insertions(+), 26 deletions(-)
> > >
> > > ...
> > >
> > > > diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
> > > > index d6036c018cf2..b0e02cfe3ce1 100644
> > > > --- a/security/selinux/include/security.h
> > > > +++ b/security/selinux/include/security.h
> > > > @@ -41,10 +41,11 @@
> > > >  #define POLICYDB_VERSION_XPERMS_IOCTL 30
> > > >  #define POLICYDB_VERSION_INFINIBAND 31
> > > >  #define POLICYDB_VERSION_GLBLUB 32
> > > > +#define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */
> > > >
> > > >  /* Range of policy versions we understand*/
> > > >  #define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
> > > > -#define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB
> > > > +#define POLICYDB_VERSION_MAX POcould still help in case of coredump analysisLICYDB_VERSION_COMP_FTRANS
>
> Errant middle mouse clicks are always fun :)

Hehe :) Weird coincidence that it occurred to me just yesterday how easily I could accidentally paste something embarrassing in a reply with this lousy touchpad I'm using now... I'm surprised that what ended up there was actually somewhat insightful :)

(I wanted to say that the filename transition count could be useful if you were analysing a core dump and looking at the struct values, but later I changed my mind and removed it.)

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
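Review bot: the `+#define POLICYDB_VERSION_MAX` line of the security.h hunk, as quoted here, has unrelated prose spliced into the macro name (`POcould still help in case of coredump analysisLICYDB_VERSION_COMP_FTRANS`) and would not compile; the thread attributes this to a stray paste in the reply rather than to the posted patch, so please confirm the submitted line reads `+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS`. Raising POLICYDB_VERSION_MAX to 33 also means the kernel will now accept version-33 policies, so the security/selinux/ss/policydb.c changes (elided above as "...") should select the compressed filename-transition reader only when the version read from the policy file is at least POLICYDB_VERSION_COMP_FTRANS and keep the existing path for version 32 and older, otherwise already-built policies stop loading; the commit message's claim that an "equivalent representation" is read and written should be backed by a round-trip check that a policy read in the old format and written in the new one yields the same filename transitions.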