too many auto-generated attributes may slow down the context_struct_compute_av() in kernel

Question

too many auto-generated attributes may slow down the context_struct_compute_av() in kernel

stesen opened this issue 8 years ago · 3 comments

I found that if using the checkpolicy tool to generate sepolicy with cil mode, a lot of "base_typeattr_xx" will be auto-generated. And each of them contain a lot of types. So the "ebitmap_for_each_positive_bit" loop in context_struct_compute_av() function will run 10x times more than policy directly generated from policy.conf file.

if I comment the libsepol's set_to_cil_attr() function and re-generate cil. Kernel runs fast and happy as the non-cil mode

So, why we need so many "base_typeattr_xx" ? Is it a safe way to remove those auto-generated attributes?

Answer 1 · 2017-03-21T14:24:42.000Z

On 03/20/2017 10:56 PM, stesen wrote: I found that if using the checkpolicy tool to generate sepolicy with cil mode, a lot of "base_typeattr_xx" will be auto-generated. And each of them contain a lot of types. So the "ebitmap_for_each_positive_bit" loop in context_struct_compute_av() function will run 10x times more than policy directly generated from policy.conf file. if I comment the libsepol's set_to_cil_attr() function and re-generate cil. Kernel runs fast and happy as the non-cil mode So, why we need so many "base_typeattr_xx" ? Is it a safe way to remove those auto-generated attributes?

CIL does not allow type set expressions in av rules (allow, neverallow, etc), so an attribute needs to be created anywhere a type set expression occurs. Most of the type sets occur in neverallow rules, so this often does not cause a problem. It is true that too many attributes can slow things down. Originally, all attributes were expanded when the policy was created, but at some point the policy size started becoming too large and the kernel was modified to allow attributes to be preserved. What policy did you observe this for? Fedora's, Refpolicy, or something else?

…

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#9>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ALOd-vOrFPgUzY65FjbrqSub7Y9-zVxaks5rnzxFgaJpZM4MjRUS>.

-- James Carter <jwcart2@tycho.nsa.gov> National Security Agency

Answer 2 · 2017-03-22T07:55:43.000Z

Thankyou for your reply :)

I am working on android. the latest code shows that android will using CIL in the next version.

It seems that base_typeattr_x can decrease the policy size, but use more cpu resource. So do you have some advices? Is that a good choice to set a limit number for one "base_typeattr_"?

Answer 3 · 2018-09-03T08:34:06.000Z

Thank You :)