Re: [meta-selinux][PATCHv2 0/8] Label file system in build.

[Joe MacDonald <Joe_MacDonald@mentor.com>]

[-- Attachment #1: Type: text/plain, Size: 6814 bytes --]

Hi Phil,

I'm sorry this has been in the merge queue for so long.  I've merged it
after taking the policy updates from Shrikant and a few other small
patches that had been hanging around too.  I didn't drop it on master
yet, though, since I wanted to give everyone else a little bit of time
to try it out (myself included, I'm finally able to come up for air on
some of the day job things :-)).  Instead it is currently living on the
fs_label branch, but I rebased the patches on the current master HEAD
commit.  That means, though, that if you get a chance I'd like to take a
look at the branch to ensure I didn't mangle your patch set too much.

-J.

[[meta-selinux][PATCHv2 0/8] Label file system in build.] On 15.06.17 (Wed 15:30) Philip Tricca wrote:

> This is the second version of a patch series that allows the file system
> of SELinux images to be labeled as part of the build process. This will
> allow SELinux images to boot read only file systems and remove the need to
> label the file system on first boot.
> 
> To do this we must label the file system in the build as well as add
> support for extended attributes to the mke2fs utility in the e2fsprogs
> package. The first version of this patch series is here:
> https://lists.yoctoproject.org/pipermail/yocto/2015-June/025141.html
> The approach described in this previous RFC remains the same.
> 
> Changes in v2:
> This second version has two significant changes: First I've done a bunch
> of cleanup. This includes work to make the descriptions in the patch
> headers / commit messages more exact as well as combining some commits
> with related functionality. Secondly I've reimplemented the xattr cache
> so that it actually works.
> 
> I've made the patch headers as descriptive as possible and kept the git
> commit messages minimal. If the preference is for more verbose commit
> messages I'm happy to oblige if advised.
> 
> The cache is just a single linked list that's searched for duplicates after
> the creation of each new xattr block. The previous implementation was similar
> but, aside from not working properly, it was overly complex in its attempt to
> keep the list sorted.
> 
> Tests:
> To test this new implementation I used the core-image-selinux-minimal image
> from the unmodified master branch as a control. This image has 2536 unique
> file system objects including the root fs directory. The ext4 file system
> produced by the build has 71492 blocks with 13621 free.
> 
> As an additional test I added the patches from this set WITHOUT the cache
> patches. This causes each file system object with an associated extended
> attribute to use up an additional block for the xattr. This should cause
> (hypothesis) the output file system to have 13621 - 2536 = 11085 free
> blocks. The build producing an ext4 file system with 71492 blocks and 11088
> free. That's an additional 2533 blocks used instead of the 2536 expected.
> These 3 missing xattr blocks can be accounted for in that there are 3
> unlabeled files in the file system.
> 
> Introducing the cache allows files with identical xattr blocks to share
> them to reduce the number of used blocks. Since we're only storing SELinux
> labels in the xattrs we can say that every file with the same SELinux label
> should share an xattr block. Counting the unique SELinux labels on file
> objects we know that there are 83 in total. The second hypothesis we have
> to test then is that using the cache will reduce the number of used blocks
> from 2533 down to 83.
> 
> Applying the patch that enables the cache produces a third and final ext4
> file system. This one again report 71492 total blocks but this time 13538
> free. This is 83 blocks fewer than the unlabled file system from the
> initial test as we expected. The code added by this patch set is also
> instrumented to count the objects in the cache when they're freed. With
> this debug output enabled it reports the same number of objects in the
> cache.
> 
> From the test results I'm pretty confident that the cache functions as
> expected. It's still a very basic implementation but given the small
> number of unique SELinux labels in the reference file systems it's
> likely sufficient for a first version. Feedback / comments on both the
> implementation and testing approach would be appreciated.
> 
> Regards,
> Philip
> ----
> 
> Philip Tricca (8):
>   policycoreutils: Patch setfiles to add FTS_NOCHDIR to fts_flags.
>   selinux-image: Add new image class to label the rootfs, use it for
>     selinux images.
>   e2fsprogs: Add bbappend and stub for xattr module.
>   e2fsprogs: Insert calls to xattr module into mke2fs and build xattr
>     code.
>   e2fsprogs: Add xattr security prefix data to
>     lib/ext2fs/ext2_ext_attr.h
>   e2fsprogs: Copy xattr block from source file.
>   e2fsprogs: Add stub functions for an xattr cache and struct to hold
>     the header and block data.
>   e2fsprogs: Implement xattr block cache with simple linked list.
> 
>  classes/selinux-image.bbclass                      |   8 +
>  ...ib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch |  20 ++
>  .../misc-xattr-add-xattr-module-stub.patch         |  57 ++++
>  .../misc-xattr-create-xattr-block-node.patch       | 175 +++++++++++
>  .../e2fsprogs/misc-xattr-create-xattr-block.patch  | 341 +++++++++++++++++++++
>  .../e2fsprogs/misc-xattr-create-xattr-cache.patch  | 181 +++++++++++
>  .../mke2fs.c-create_inode.c-copy-xattrs.patch      | 164 ++++++++++
>  .../e2fsprogs/e2fsprogs_1.42.9.bbappend            |  10 +
>  .../images/core-image-selinux-minimal.bb           |   2 +-
>  recipes-security/images/core-image-selinux.bb      |   2 +-
>  .../policycoreutils-fts_flags-FTS_NOCHDIR.patch    |  25 ++
>  recipes-security/selinux/policycoreutils_2.3.bb    |   1 +
>  12 files changed, 984 insertions(+), 2 deletions(-)
>  create mode 100644 classes/selinux-image.bbclass
>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch
>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-add-xattr-module-stub.patch
>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block-node.patch
>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block.patch
>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-cache.patch
>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/mke2fs.c-create_inode.c-copy-xattrs.patch
>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bbappend
>  create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fts_flags-FTS_NOCHDIR.patch
> 
-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]