Re: [RFC PATCH userspace 0/6] Parallel setfiles/restorecon

From: Ondrej Mosnacek <omosnace@redhat.com>
To: peter enderborg <peter.enderborg@sony.com>
Cc: SElinux list <selinux@vger.kernel.org>
Subject: Re: [RFC PATCH userspace 0/6] Parallel setfiles/restorecon
Date: Wed, 24 Mar 2021 12:04:23 +0100	[thread overview]
Message-ID: <CAFqZXNvvDypzgzzbsBp9zQ1wOV=P9XmEPidmH_-8Zn2hGp-A5Q@mail.gmail.com> (raw)
In-Reply-To: <cd8c8721-0194-e2d3-b7a5-2f00834b5f60@sony.com>

On Wed, Mar 24, 2021 at 10:59 AM peter enderborg
<peter.enderborg@sony.com> wrote:
> On 3/23/21 6:08 PM, Ondrej Mosnacek wrote:
> > This series adds basic support for parallel relabeling to the libselinux
> > API and the setfiles/restorecon CLI tools. It turns out that doing the
> > relabeling in parallel can significantly reduce the time even with a
> > relatively simple approach.
> Nice! Have you any figures? Is it valid for both solid state and mechanical storage?

They are in the last patch :) The VM setup I measured that on probably
had the storage backed up by an SSD (or something with similar
characteristics). I haven't tried it on an HDD yet.

> > The first patch is a small cleanup that was found along the way and can
> > be applied independently. Patches 2-4 are small incremental changes that
> > make the internal selinux_restorecon functions more thread-safe (I kept
> > them separate for ease of of review, but maybe they should be rather
> > folded into the netx patch...). Patch 5 then completes the parallel
> > relabeling implementation at libselinux level and adds a new function
> > to the API that allows to make use of it. Finally, patch 6 adds parallel
> > relabeling support to he setfiles/restorecon tools.
> >
> > The relevant man pages are also updated to reflect the new
> > functionality.
> >
> > The patch descriptions contain more details, namely the last patch has
> > also some benchmark numbers.
> >
> > Please test and review. I'm still not fully confident I got everything
> > right (esp. regarding error handling), but I wanted to put this forward
> > as an RFC to get some early feedback.
> >
> > Ondrej Mosnacek (6):
> >   selinux_restorecon: simplify fl_head allocation by using calloc()
> >   selinux_restorecon: protect file_spec list with a mutex
> >   selinux_restorecon: introduce selinux_log_sync()
> >   selinux_restorecon: add a global mutex to synchronize progress output
> >   selinux_restorecon: introduce selinux_restorecon_parallel(3)
> >   setfiles/restorecon: support parallel relabeling
> >
> >  libselinux/include/selinux/restorecon.h       |  14 +
> >  libselinux/man/man3/selinux_restorecon.3      |  29 +
> >  .../man/man3/selinux_restorecon_parallel.3    |   1 +
> >  libselinux/src/libselinux.map                 |   5 +
> >  libselinux/src/selinux_internal.h             |  14 +
> >  libselinux/src/selinux_restorecon.c           | 498 ++++++++++++------
> >  policycoreutils/setfiles/Makefile             |   2 +-
> >  policycoreutils/setfiles/restore.c            |   7 +-
> >  policycoreutils/setfiles/restore.h            |   2 +-
> >  policycoreutils/setfiles/restorecon.8         |   9 +
> >  policycoreutils/setfiles/setfiles.8           |   9 +
> >  policycoreutils/setfiles/setfiles.c           |  28 +-
> >  12 files changed, 436 insertions(+), 182 deletions(-)
> >  create mode 100644 libselinux/man/man3/selinux_restorecon_parallel.3
> >
>

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.