From: Joshua Brindle <method@manicmethod.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: KaiGai Kohei <kaigai@ak.jp.nec.com>,
	ynakam@hitachisoft.jp, busybox@kaigai.gr.jp,
	"Christopher J. PeBenito" <cpebenito@tresys.com>,
	selinux@tycho.nsa.gov,
	Karl MacMillan <kmacmillan@mentalrootkit.com>,
	Chad Sellers <csellers@tresys.com>
Subject: Re: [busybox:00575] Re: Separating libselinux/libsepol (Was:  Re: BusyBox: load_policy applet)
Date: Wed, 28 Mar 2007 08:34:25 -0400
Message-ID: <460A60D1.5030502@manicmethod.com>
In-Reply-To: <1175083457.3864.443.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Wed, 2007-03-28 at 18:12 +0900, KaiGai Kohei wrote:
>> Yuichi Nakamura wrote:
>>> On Wed, 28 Mar 2007 10:57:25 +0900
>>> KaiGai Kohei wrote:
>>>> Currently, I don't have actual measurement of the minimum binary size of
>>>> libsepol needed to handle preserving boolean variables and so on.
>>>> Who can estimate it?
>>> It seems that the "sepol_genbools_array" libsepol function
>>> is necessary to preserve booleans.
>>>
>>> And sepol_genbools_array uses the following:
>>> - From policydb.o
>>>  policydb_init
>>>  policydb_destroy
>>> - From policydb_convert.o
>>>  policydb_from_image
>>> - From policydb_public.o
>>>  policydb_write
>>> - From conditional.o
>>>  evaluate_conds
>>> - From hashtab.o
>>>  hashtab_search
>>>
>>> Then:
>>> $ ls -l policydb.o hashtab.o conditional.o  policydb_convert.o policydb_public.o
>>> -rw-rw-r-- 1 ynakam ynakam  6856 Mar 27 05:10 conditional.o
>>> -rw-rw-r-- 1 ynakam ynakam  2540 Mar 27 05:10 hashtab.o
>>> -rw-rw-r-- 1 ynakam ynakam 29284 Mar 27 05:10 policydb.o
>>> -rw-rw-r-- 1 ynakam ynakam  2576 Mar 27 05:10 policydb_convert.o
>>> -rw-rw-r-- 1 ynakam ynakam  2396 Mar 27 05:10 policydb_public.o
>>> Above are compiled with -Os option.
>>>
>>> So, to preserve bool at least 43.6 k is necessary.
>> Nakamura, isn't it a bit rough-grained measurement?
>>
>> For example, policydb_init() calls the following functions internally:
>>   - symtab_init() defined at symtab.c
>>   - avrule_block_create() defined at avrule_block.c
>>   - avrule_decl_create() defined at avrule_block.c
>>   - avtab_init() defined at avtab.c
>>   - roles_init() defined at policydb.c
>>   - cond_policydb_init() defined at conditional.c
>>   - avtab_destroy() defined at avtab.c
>>   - hashtab_destroy() defined at hashtab.c
>>   - avrule_block_list_destroy() defined at avrule_block.c
>>
>> So, we also have to include symtab.c, avrule_block.c, avtab.c, conditional.c,
>> hashtab.c and avrule_block.c additionally for only policydb_init().
> 
> You don't actually need any of the code for the policy module format
> (which is presently interwoven with the rest, since the policydb
> structure supports both module and kernel formats).  A lot of that will
> boil away from the new policy representation.
> 

Presumably all of the policy management will operate on the new 
representation rather than the kernel format so bringing in any 
management at all brings in all of the module format code.


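The transitive-dependency point raised in the quoted discussion, as an added example that is not part of the original message or of libsepol: it walks `nm -A` style symbol tables from a root symbol and reports which objects a static link would pull in beyond the five that were measured. The `nm` lines are constructed from the call list quoted above (real output would contain many more symbols), and the helper names `parse_nm`, `link_closure` and `unmeasured_objects` are hypothetical.

```python
from collections import defaultdict
# Constructed `nm -A` style lines, built only from the call list quoted in the
# thread; a real libsepol build would list many more symbols per object.
NM_OUTPUT = """\
policydb.o:00000000 T policydb_init
policydb.o:         U symtab_init
policydb.o:         U avrule_block_create
policydb.o:         U avrule_decl_create
policydb.o:         U avtab_init
policydb.o:         U cond_policydb_init
policydb.o:         U avtab_destroy
policydb.o:         U hashtab_destroy
policydb.o:         U avrule_block_list_destroy
conditional.o:00000000 T cond_policydb_init
hashtab.o:00000000 T hashtab_destroy
symtab.o:00000000 T symtab_init
avrule_block.o:00000000 T avrule_block_create
avrule_block.o:00000000 T avrule_decl_create
avrule_block.o:00000000 T avrule_block_list_destroy
avtab.o:00000000 T avtab_init
avtab.o:00000000 T avtab_destroy
"""
# Object sizes in bytes, taken from the `ls -l` listing in the thread.
MEASURED = {"conditional.o": 6856, "hashtab.o": 2540, "policydb.o": 29284,
            "policydb_convert.o": 2576, "policydb_public.o": 2396}

def parse_nm(text):
    # Returns (symbol -> defining object, object -> set of undefined symbols).
    defined, undefined = {}, defaultdict(set)
    for line in text.splitlines():
        obj, rest = line.split(":", 1)
        *_, kind, sym = rest.split()
        if kind == "U":
            undefined[obj].add(sym)
        elif kind.isupper():  # global definitions only (T, D, B, ...)
            defined[sym] = obj
    return defined, undefined

def link_closure(roots, defined, undefined):
    # Objects a static link pulls in when resolving the root symbols.
    needed, pending = set(), list(roots)
    while pending:
        obj = defined.get(pending.pop())
        if obj and obj not in needed:
            needed.add(obj)
            pending.extend(undefined[obj])
    return needed

def unmeasured_objects(roots):
    return sorted(link_closure(roots, *parse_nm(NM_OUTPUT)) - set(MEASURED))
```

Feeding it the real `nm -A *.o` output from a libsepol build tree, with `sepol_genbools_array` as the root, would give the full object set whose sizes need to be summed.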