too many auto-generated attributes may slow down the context_struct_compute_av() in kernel
stesen opened this issue · 3 comments
I found that when using the checkpolicy tool to generate sepolicy in CIL mode, a lot of "base_typeattr_xx" attributes are auto-generated, and each of them contains a lot of types. So the "ebitmap_for_each_positive_bit" loop in the context_struct_compute_av() function will run 10 times more than with a policy generated directly from the policy.conf file.
If I comment out libsepol's set_to_cil_attr() function and regenerate the CIL, the kernel runs fast and happy, as in non-CIL mode.
So, why do we need so many "base_typeattr_xx"? Is it safe to remove those auto-generated attributes?
Thank you for your reply :)
I am working on Android. The latest code shows that Android will be using CIL in the next version.
It seems that base_typeattr_x can decrease the policy size, but uses more CPU resources. So do you have any advice? Is it a good choice to set a limit number for one "base_typeattr_"?
Thank You :)