From: Dominick Grift <dac.override@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: [PATCH 0/2] libsepol and checkpolicy: Add ability to expand some attributes in binary policy
Date: Tue, 11 Apr 2017 22:29:45 +0200
Message-ID: <20170411202945.GE2232@markus>
In-Reply-To: <CABXk95D0rxRZSsYO0inJLb3ZZeqLkxz9FOTR+iJBV=GQTQdPfg@mail.gmail.com>


On Tue, Apr 11, 2017 at 08:06:07PM +0000, Jeffrey Vander Stoep wrote:
> Using this patchset with "-G" option - we no longer see preemption on
> slowpath policy lookups.

'Gen - Just removing auto-generated attributes: "-G"'

Forgive me if I am wrong but that then means that CIL will not optimize the policy to deal with the expansion of these -negation rules by using type attributes instead:

example:

allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;

Maybe Android just has too many of these -negation rules. Or maybe CIL can not deal with them optimally.

Anyhow: giving us the ability to tune these things seems like a good thing because not all policy is created equal (Android has relatively few types but way more -negation and neverallow rules than refpolicy)

i.e. fewer types but the types have way more attributes associated with them (without using -G) due to all the -negation going on

However I am a little worried about the "new defaults" (I should test this patch with dssp2-standard)

> 
> On Tue, Apr 11, 2017 at 12:28 PM James Carter <jwcart2@tycho.nsa.gov> wrote:
> 
> On 04/11/2017 01:53 PM, James Carter wrote:
> > The number of type attributes included in the binary policy is becoming
> > a performance issue in some cases.
> >
> > This patch set more aggressively removes attributes and gives the options
> > to expand and remove all auto-generated attributes and all attributes with
> > fewer than a given number of attributes assigned.
> >
> > Comparison of the number of attributes remaining in the binary policy
> >      mls   normal  android
> > org  310     286     255
> > old  268     251     130
> > max  154      20      17
> > min  226     173     119
> > def  224     170      80
> > gen  221     170      46
> > u5   191     112      59
> >
> > Org - Number of attributes in the CIL policy
> > Old - Results without this patch set
> > Max - Remove the maximum number of attributes: "-G -X 9999"
> > Min - Remove the minimum number of attributes: "-X 0"
> > Def - The new defaults for CIL
> > Gen - Just removing auto-generated attributes: "-G"
> > U5  - Remove attributes with less than five members: "-X 5"
> >
> >
> 
> In case you are interested in sizes:
> 
>         mls  normal  android
> old   2.1M   2.0M     113K
> max  68.3M  63.4M    5041K
> min   2.1M   2.0M     122K
> def   2.1M   2.0M     115K
> gen   2.2M   2.0M     136K
> u5    2.2M   2.0M     116K
> 
> I would not recommend expanding all attributes.
> 
> Jim
> 
> > James Carter (2):
> >   libsepol/cil: Add ability to expand some attributes in binary policy
> >   secilc: Add options to control the expansion of attributes
> >
> >  libsepol/cil/include/cil/cil.h     |   2 +
> >  libsepol/cil/src/cil.c             |  12 ++
> >  libsepol/cil/src/cil_binary.c      | 253 +++++++++++++++++++++++++++----------
> >  libsepol/cil/src/cil_internal.h    |   7 +-
> >  libsepol/cil/src/cil_post.c        |  32 +++--
> >  libsepol/cil/src/cil_resolve_ast.c |  25 ++--
> >  libsepol/src/libsepol.map.in       |   2 +
> >  secilc/secil2conf.c                |   2 +
> >  secilc/secilc.8.xml                |  10 ++
> >  secilc/secilc.c                    |  31 ++++-
> >  10 files changed, 275 insertions(+), 101 deletions(-)
> >
> 
> 
> --
> James Carter <jwcart2@tycho.nsa.gov>
> National Security Agency
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to
> Selinux-request@tycho.nsa.gov.



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
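
Added illustration, not code from libsepol, secilc or anyone in this thread: a small Python model of what the "-G" and "-X N" settings in Jim's table do to attribute and rule counts. It resolves a -negation set such as { appdomain -isolated_app } into an auto-generated attribute the way CIL does, then expands attributes under each setting and counts what is left. The sample policy, the cil_gen_N naming and the simplified set semantics are constructed for the example; real CIL also has to check that an expanded attribute is not referenced elsewhere (constraints, other rules), which the toy does not model.

```python
"""Toy model of secilc's attribute expansion trade-off (added illustration).

Not code from libsepol, secilc or the thread. A policy is modelled as
attributes (sets of types) and allow rules whose source is a type, an
attribute, or a brace set with -negation such as { appdomain -isolated_app }.
CIL turns such a set into an auto-generated attribute; expanding an attribute
replaces every rule that names it with one rule per member type. That is the
trade the size table in the thread shows: fewer attributes, more rules.
"""

# Constructed sample policy; the names only mimic Android, they are not AOSP.
ATTRS = {
    "appdomain": {"untrusted_app", "system_app", "platform_app",
                  "isolated_app", "priv_app"},
    "mlstrustedsubject": {"system_app", "platform_app"},
    "netdomain": {"untrusted_app", "system_app", "shell"},
}
RULES = [  # (source expression, target, class, permission set)
    ("{ appdomain -isolated_app }", "rootfs", "lnk_file", "r_file_perms"),
    ("appdomain", "rootfs", "dir", "search"),
    ("mlstrustedsubject", "rootfs", "file", "read"),
    ("netdomain", "shell", "fd", "use"),
    ("shell", "rootfs", "file", "read"),
]


def resolve(expr, attrs):
    """Resolve a source expression to the set of types it denotes.

    Simplified semantics (an assumption, not CIL's full expression grammar):
    tokens inside braces are combined left to right, a leading '-' subtracts.
    A bare name is an attribute if known, otherwise a single type.
    """
    if not expr.startswith("{"):
        return set(attrs.get(expr, {expr}))
    result = set()
    for tok in expr.strip("{} ").split():
        name = tok.lstrip("-")
        members = attrs.get(name, {name})
        if tok.startswith("-"):
            result -= members
        else:
            result |= members
    return result


def build(rules, attrs):
    """Replace brace-set sources with auto-generated attributes.

    Mirrors what CIL does for negated sets; the cil_gen_N names are
    illustrative. Returns (attrs, generated attribute names, rewritten rules).
    """
    attrs = {name: set(members) for name, members in attrs.items()}
    generated = set()
    out = []
    for src, tgt, cls, perms in rules:
        if src.startswith("{"):
            name = f"cil_gen_{len(generated)}"
            attrs[name] = resolve(src, attrs)
            generated.add(name)
            src = name
        out.append((src, tgt, cls, perms))
    return attrs, generated, out


def expand(attrs, generated, rules, drop_generated=False, min_members=0):
    """Expand attributes into per-type rules and drop them from the policy.

    drop_generated models secilc -G (remove all auto-generated attributes);
    min_members models -X N (remove attributes with fewer than N members).
    Returns (remaining attributes, rules). Real policy also has to check that
    the attribute is not referenced elsewhere, which this toy does not model.
    """
    victims = {name for name, members in attrs.items()
               if (drop_generated and name in generated)
               or len(members) < min_members}
    remaining = {n: m for n, m in attrs.items() if n not in victims}
    out = []
    for src, tgt, cls, perms in rules:
        if src in victims:
            out.extend((t, tgt, cls, perms) for t in sorted(attrs[src]))
        else:
            out.append((src, tgt, cls, perms))
    return remaining, out


def summarize(rules=RULES, attrs=ATTRS):
    """(attribute count, rule count) for settings that mirror Jim's table rows."""
    a, g, r = build(rules, attrs)
    settings = {
        "min": {},                                             # expand nothing
        "gen": {"drop_generated": True},                       # "-G"
        "u3": {"min_members": 3},                              # "-X 3"
        "max": {"drop_generated": True, "min_members": 9999},  # "-G -X 9999"
    }
    return {label: tuple(map(len, expand(a, g, r, **kw)))
            for label, kw in settings.items()}


if __name__ == "__main__":
    for label, (n_attrs, n_rules) in summarize().items():
        print(f"{label:4} attributes={n_attrs:2} rules={n_rules:3}")
```

Running it shows the shape of Jim's numbers in miniature: "gen" removes only the one attribute CIL generated for the -negation set but adds a rule per surviving member, and "max" leaves no attributes at all while tripling the rule count, which is why he does not recommend expanding everything.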

