From: Dominick Grift <dac.override@gmail.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH userspace 0/4] Remove redundant rules when building policydb
Date: Thu, 23 May 2019 15:14:55 +0200
Message-ID: <20190523131455.GA30512@brutus.lan>
In-Reply-To: <20190523102449.9621-1-omosnace@redhat.com>


On Thu, May 23, 2019 at 12:24:45PM +0200, Ondrej Mosnacek wrote:
> This series implements an optional optimization step when building
> a policydb via semodule or secilc, which identifies and removes rules
> that are redundant -- i.e. they are already covered by a more general
> rule based on attribute inheritance.

Some stats with dssp2-standard:

[kcinimod@myguest dssp2-standard]$ time secilc -n `find . -name *.cil` -o policy.31.noopt

real    0m9.278s
user    0m7.036s
sys     0m2.017s
[kcinimod@myguest dssp2-standard]$ time secilc `find . -name *.cil` -o policy.31.opt

real    0m19.343s
user    0m16.939s
sys     0m2.027s
[kcinimod@myguest dssp2-standard]$ ls -lh policy.*
-rw-rw-r--. 1 kcinimod kcinimod 2.4M May 23 15:11 policy.31.noopt
-rw-rw-r--. 1 kcinimod kcinimod 2.3M May 23 15:12 policy.31.opt

I was unable to see the actual diff, as sediff got OOM-killed on me.

> 
> Since the performance penalty of this additional step is very small
> (it adds about 1 s to the current running time of ~20-30 s [1]) and
> it can have a big positive effect on the number of rules in policy
> (it manages to remove ~40% of AV rules from Fedora 29 policy), the
> optimization is enabled by default and can be turned off using a
> command-line option (--no-optimize) in secilc and semodule [2].
> 
> The optimization routine eliminates:
>  * all allow/neverallow/dontaudit/auditallow rules (including xperm
>    variants) that are covered by another more general rule,
>  * all conditional versions of the above rules that are covered by a
>    more general rule either in the unconditional table or in the same
>    branch of the same conditional.
> 
> The optimization doesn't process other rules, since they currently
> do not support attributes. There is some room left for more precise
> optimization of conditional rules, but it would likely bring only
> little additional benefit.
> 
> When the policy is mostly or fully expanded, the optimization should
> be turned off. If it isn't, the policy build time will increase a lot
> for no benefit. However, the complexity of optimization will be only
> linear w.r.t. the number of rules and so the impact should not be
> catastrophic. (When testing with secilc on a subset of Fedora policy
> with -X 100000 the build time was 1.7 s with optimization vs. 1 s
> without it.)
> 
> Tested live on my Fedora 29 devel machine under normal use. No unusual
> AVCs were observed with optimized policy loaded.
> 
> Travis build passed: https://travis-ci.org/WOnder93/selinux/builds/536157427
> 
> NOTE: The xperm rule support wasn't tested -- I would welcome some
>       peer review/testing of this part.
> 
> [1] As measured on my machine (Fedora 29 policy, x86_64).
> [2] I have no problem with switching it to opt-in if that is preferred.
> 
> Ondrej Mosnacek (4):
>   libsepol: add a function to optimize kernel policy
>   secilc: optimize policy before writing
>   libsemanage: optimize policy on rebuild
>   semodule: add flag to disable policy optimization
> 
>  libsemanage/include/semanage/handle.h      |   4 +
>  libsemanage/src/direct_api.c               |   7 +
>  libsemanage/src/handle.c                   |  13 +
>  libsemanage/src/handle.h                   |   1 +
>  libsemanage/src/libsemanage.map            |   5 +
>  libsepol/include/sepol/policydb.h          |   5 +
>  libsepol/include/sepol/policydb/policydb.h |   2 +
>  libsepol/src/libsepol.map.in               |   5 +
>  libsepol/src/optimize.c                    | 370 +++++++++++++++++++++
>  libsepol/src/policydb_public.c             |   5 +
>  policycoreutils/semodule/semodule.c        |  12 +-
>  secilc/secilc.c                            |  16 +-
>  12 files changed, 442 insertions(+), 3 deletions(-)
>  create mode 100644 libsepol/src/optimize.c
> 
> -- 
> 2.20.1
> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
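To make the redundancy check the cover letter describes concrete, here is a small added model in Python; it is not code from the series or from libsepol's optimize.c. It treats a rule as covered when a rule of the same kind, class and branch has source and target expansions that are supersets of the rule's own and a permission set that is a superset; the attributes, types and rules are constructed for this example.

```python
from dataclasses import dataclass

# Constructed toy policy: each attribute maps to the types it contains.
ATTRIBUTES = {"domain": {"httpd_t", "sshd_t"},
              "file_type": {"etc_t", "httpd_config_t"}}

@dataclass(frozen=True)
class AVRule:
    kind: str            # allow / dontaudit / auditallow / neverallow
    src: str             # type or attribute name
    tgt: str
    cls: str
    perms: frozenset
    branch: tuple = None  # None = unconditional, else (boolean name, value)

def expand(name):
    """Set of types denoted by a type or attribute name."""
    return ATTRIBUTES.get(name, {name})

def covers(general, specific):
    """True if `general` already says everything `specific` says. A conditional
    rule is only covered by an unconditional rule or by one in the same branch."""
    if general.kind != specific.kind or general.cls != specific.cls:
        return False
    if general.branch is not None and general.branch != specific.branch:
        return False
    return (expand(general.src) >= expand(specific.src)
            and expand(general.tgt) >= expand(specific.tgt)
            and general.perms >= specific.perms)

def optimize(rules):
    """Keep only rules no other rule covers; of two identical rules keep the first."""
    kept = []
    for i, r in enumerate(rules):
        if not any(covers(o, r) and (not covers(r, o) or j < i)
                   for j, o in enumerate(rules) if j != i):
            kept.append(r)
    return kept

# Constructed sample rules; the comments say what the optimizer does with each.
RULES = [
    AVRule("allow", "domain", "file_type", "file", frozenset({"read", "getattr"})),
    AVRule("allow", "httpd_t", "httpd_config_t", "file", frozenset({"read"})),          # covered by rule 0
    AVRule("allow", "httpd_t", "httpd_config_t", "file", frozenset({"read", "write"})), # write not covered
    AVRule("allow", "sshd_t", "etc_t", "file", frozenset({"getattr"}), ("secure_mode", True)),  # covered by 0
    AVRule("allow", "sshd_t", "etc_t", "file", frozenset({"write"}), ("secure_mode", True)),
    AVRule("allow", "sshd_t", "etc_t", "file", frozenset({"write"}), ("secure_mode", False)),  # other branch
    AVRule("dontaudit", "httpd_t", "etc_t", "file", frozenset({"read"})),  # different rule kind
]
```

Running `optimize(RULES)` drops the two covered rules and keeps the other five, which is the same shape of reduction the series reports on real policy, minus the conditional-branch subtleties the cover letter notes are left for later.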

