From: Dominick Grift <dac.override@gmail.com>
To: Ondrej Mosnacek <omosnace@redhat.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH userspace 0/4] Remove redundant rules when building policydb
Date: Thu, 23 May 2019 15:14:55 +0200 [thread overview]
Message-ID: <20190523131455.GA30512@brutus.lan> (raw)
In-Reply-To: <20190523102449.9621-1-omosnace@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 4051 bytes --]
On Thu, May 23, 2019 at 12:24:45PM +0200, Ondrej Mosnacek wrote:
> This series implements an optional optimization step when building
> a policydb via semodule or secilc, which identifies and removes rules
> that are redundant -- i.e. they are already covered by a more general
> rule based on attribute inheritance.
Some stats with dssp2-standard:
[kcinimod@myguest dssp2-standard]$ time secilc -n `find . -name *.cil` -o policy.31.noopt
real 0m9.278s
user 0m7.036s
sys 0m2.017s
[kcinimod@myguest dssp2-standard]$ time secilc `find . -name *.cil` -o policy.31.opt
real 0m19.343s
user 0m16.939s
sys 0m2.027s
[kcinimod@myguest dssp2-standard]$ ls -lh policy.*
-rw-rw-r--. 1 kcinimod kcinimod 2.4M May 23 15:11 policy.31.noopt
-rw-rw-r--. 1 kcinimod kcinimod 2.3M May 23 15:12 policy.31.opt
Was unable to see the actual diff as sediff got oom-killed on me
>
> Since the performance penalty of this additional step is very small
> (it adds about 1 s to the current running time of ~20-30 s [1]) and
> it can have a big positive effect on the number of rules in policy
> (it manages to remove ~40% AV rules from Fedora 29 policy), the
> optimization is enabled by default and can be turned off using a
> command-line option (--no-optimize) in secilc and semodule [2].
>
> The optimization routine eliminates:
> * all allow/neverallow/dontaudit/auditallow rules (including xperm
> variants) that are covered by another more general rule,
> * all conditional versions of the above rules that are covered by a
> more general rule either in the unconditional table or in the same
> branch of the same conditional.
>
> The optimization doesn't process other rules, since they currently
> do not support attributes. There is some room left for more precise
> optimization of conditional rules, but it would likely bring only
> little additional benefit.
>
> When the policy is mostly or fully expanded, the optimization should
> be turned off. If it isn't, the policy build time will increase a lot
> for no benefit. However, the complexity of optimization will be only
> linear w.r.t. the number of rules and so the impact should not be
> catastrophic. (When testing with secilc on a subset of Fedora policy
> with -X 100000 the build time was 1.7 s with optimization vs. 1 s
> without it.)
>
> Tested live on my Fedora 29 devel machine under normal use. No unusual
> AVCs were observed with optimized policy loaded.
>
> Travis build passed: https://travis-ci.org/WOnder93/selinux/builds/536157427
>
> NOTE: The xperm rule support wasn't tested -- I would welcome some
> peer review/testing of this part.
>
> [1] As measured on my machine (Fedora 29 policy, x86_64).
> [2] I have no problem with switching it to opt-in if that is preferred.
>
> Ondrej Mosnacek (4):
> libsepol: add a function to optimize kernel policy
> secilc: optimize policy before writing
> libsemanage: optimize policy on rebuild
> semodule: add flag to disable policy optimization
>
> libsemanage/include/semanage/handle.h | 4 +
> libsemanage/src/direct_api.c | 7 +
> libsemanage/src/handle.c | 13 +
> libsemanage/src/handle.h | 1 +
> libsemanage/src/libsemanage.map | 5 +
> libsepol/include/sepol/policydb.h | 5 +
> libsepol/include/sepol/policydb/policydb.h | 2 +
> libsepol/src/libsepol.map.in | 5 +
> libsepol/src/optimize.c | 370 +++++++++++++++++++++
> libsepol/src/policydb_public.c | 5 +
> policycoreutils/semodule/semodule.c | 12 +-
> secilc/secilc.c | 16 +-
> 12 files changed, 442 insertions(+), 3 deletions(-)
> create mode 100644 libsepol/src/optimize.c
>
> --
> 2.20.1
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2019-05-23 13:15 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-23 10:24 [PATCH userspace 0/4] Remove redundant rules when building policydb Ondrej Mosnacek
2019-05-23 10:24 ` [PATCH userspace 1/4] libsepol: add a function to optimize kernel policy Ondrej Mosnacek
2019-05-23 10:24 ` [PATCH userspace 2/4] secilc: optimize policy before writing Ondrej Mosnacek
2019-05-23 10:24 ` [PATCH userspace 3/4] libsemanage: optimize policy on rebuild Ondrej Mosnacek
2019-05-23 10:24 ` [PATCH userspace 4/4] semodule: add flag to disable policy optimization Ondrej Mosnacek
2019-05-23 13:14 ` Dominick Grift [this message]
2019-05-23 13:39 ` [PATCH userspace 0/4] Remove redundant rules when building policydb Dominick Grift
2019-05-23 14:08 ` Ondrej Mosnacek
2019-05-24 16:02 ` [Non-DoD Source] " jwcart2
2019-05-24 20:04 ` Ondrej Mosnacek
2019-05-23 20:39 ` [Non-DoD Source] " jwcart2
2019-05-24 8:54 ` Ondrej Mosnacek
2019-05-24 16:01 ` jwcart2
2019-05-24 20:00 ` Ondrej Mosnacek
2019-05-27 17:11 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190523131455.GA30512@brutus.lan \
--to=dac.override@gmail.com \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.