Re: [PATCH] libselinux: update max node depth

Christian Göttsche <cgzones@xxxxxxxxxxxxxx> · Tue, 7 Jan 2025 16:07:41 +0100

On Tue, 7 Jan 2025 at 15:46, James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Mon, Dec 30, 2024 at 8:51 AM Christian Göttsche
> <cgoettsche@xxxxxxxxxxxxx> wrote:
> >
> > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> >
> > Bump the maximum specification node depth from 3 to 4 based on updated
> > benchmark on Fedora 41:
> >
>
> I am not sure I understand these numbers.
>
> >     Benchmark 1: /tmp/destdir3/sbin/restorecon -vRn /
> >       Time (mean ± σ):      1.397 s ±  0.018 s    [User: 0.755 s, System: 0.641 s]
> >       Range (min … max):    1.353 s …  1.419 s    20 runs
> >
> Is this for depth 3?

Yes, I should have made this more clear.

> >     Benchmark 1: /tmp/destdir4/sbin/restorecon -vRn /
> >       Time (mean ± σ):      1.376 s ±  0.021 s    [User: 0.737 s, System: 0.637 s]
> >       Range (min … max):    1.348 s …  1.414 s    20 runs
> >
> Depth 4?
>
> >     Benchmark 1: /tmp/destdir5/sbin/restorecon -vRn /
> >       Time (mean ± σ):      1.389 s ±  0.021 s    [User: 0.748 s, System: 0.640 s]
> >       Range (min … max):    1.351 s …  1.420 s    20 runs
> Depth 5?
>
> I see the comment below talks about more memory, how much more memory
> is required for a depth of 4?

The maximum memory usage for `selabel_lookup -b file -k /usr/bin/bash`
for all three depths is in the range 3800-4000kB, with depth 5
occasionally being at 4060kB.

>
> Thanks,
> Jim
>
> > ---
> >  libselinux/src/label_file.h | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
> > index 597b756e..41b2a939 100644
> > --- a/libselinux/src/label_file.h
> > +++ b/libselinux/src/label_file.h
> > @@ -105,10 +105,10 @@ struct literal_spec {
> >   * Max depth of specification nodes
> >   *
> >   * Measure before changing:
> > - *   - 2  leads to slower lookup
> > - *   - >4 require more memory (and allocations) for no performance gain
> > + *   <  leads to slower lookup
> > + *   >  require more memory (and allocations) for no performance gain
> >   */
> > -#define SPEC_NODE_MAX_DEPTH 3
> > +#define SPEC_NODE_MAX_DEPTH 4
> >
> >  /* A specification node */
> >  struct spec_node {
> > --
> > 2.45.2
> >
> >