On Wed, May 31, 2023 at 7:32 AM Juraj Marcin <juraj@xxxxxxxxxxxxxxx> wrote:
>
> Currently, filename transitions are stored separately from other type
> enforcement rules and only support exact name matching. However, in
> practice, the names contain variable parts. This leads to many
> duplicated rules in the policy that differ only in the part of the name,
> or it is even impossible to cover all possible combinations.
>
> First, this series of patches moves the filename transitions to be part
> of the avtab structures. This not only makes the implementation of
> prefix/suffix matching and future enhancements easier, but also reduces
> the technical debt regarding the filename transitions. Next, the last
> patch implements the support for prefix/suffix name matching itself by
> extending the structures added in previous patches in this series.
>
> Even though moving everything to avtab increases the memory usage and
> the size of the binary policy itself and thus the loading time, the
> ability to match the prefix or suffix of the name will reduce the
> overall number of rules in the policy, which should mitigate this issue.
>
> This implementation has been successfully tested using the existing and
> also new tests in the SELinux Testsuite.
>
> Juraj Marcin (5):
>   selinux: move transition to separate structure in avtab_datum
>   selinux: move filename transitions to avtab
>   selinux: implement new binary format for filename transitions in avtab
>   selinux: filename transitions move tests
>   selinux: add prefix/suffix matching support to filename type
>     transitions

Just a quick comment as I haven't had a chance to properly review this
series yet; you show some memory usage and performance measurements in
some of the intermediate patches, that's good, but I don't see the same
measurements taken when the full patchset is applied. Please provide the
same memory usage and performance comparisons with the full patchset
applied.

--
paul-moore.com