Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / selinux / 0be23c3f15fdbef35a57d8586aeeae9b1f7606cc
commit0be23c3f15fdbef35a57d8586aeeae9b1f7606cc[log] [tgz]
authorJames Carter <jwcart2@tycho.nsa.gov>Wed Apr 12 13:45:32 2017 -0400
committerJames Carter <jwcart2@tycho.nsa.gov>Wed Apr 12 14:33:49 2017 -0400
tree995ac77e2fe77fe62f21a653d1b248faba467961
parent473753f21a44496107e491dc265cf2236599766c [diff]
libsepol/cil: Add ability to expand some attributes in binary policy

Originally, all type attributes were expanded when building a binary
policy. As the policy grew, binary policy sizes became too large, so
changes were made to keep attributes in the binary policy to minimize
policy size.

Keeping attributes works well as long as each type does not have too
many attributes. If an access check fails for types t1 and t2, then
additional checks must be made for every attribute that t1 is a member
of against t2 and all the attributes that t2 is a member of. This is
O(n*m) behavior and there are cases now where this is becoming a
performance issue.

Attributes are more aggressively removed than before. An attribute
will now be removed if it only appears in rules where attributes are
always expanded (typetransition, typechange, typemember, roletransition,
rangetransition, roletype, and AV Rules with self).

Attributes that are used in constraints are always kept because the
attribute name is stored for debugging purposes in the binary policy.

Attributes that are used in neverallow rules, but not in other AV rules,
will be kept unless the attribute is auto-generated.

Attributes that are only used in AV rules other than neverallow rules
are kept unless the number of types assigned to them is less than the
value of attrs_expand_size in the CIL db. The default is 1, which means
that any attribute that has no types assigned to it will be expanded (and
the rule removed from the policy), which is CIL's current behavior. The
value can be set using the function cil_set_attrs_expand_size().

Auto-generated attributes that are used only in neverallow rules are
always expanded. The rest are kept by default, but if the value of
attrs_expand_generated in the CIL db is set to true, they will be
expanded. The function cil_set_attrs_expand_generated() can be used
to set the value.

When creating the binary policy, CIL will expand all attributes that
are being removed and it will expand all attributes with less members
than the value specified by attrs_expand_size. So even if an attribute
is used in a constraint or neverallow and the attribute itself will be
included in the binary policy, it will be expanded when writing AV
rules if it has less members than attrs_expand_size.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
7 files changed
tree: 995ac77e2fe77fe62f21a653d1b248faba467961
  1. checkpolicy/
  2. dbus/
  3. gui/
  4. libselinux/
  5. libsemanage/
  6. libsepol/
  7. mcstrans/
  8. policycoreutils/
  9. python/
  10. restorecond/
  11. sandbox/
  12. scripts/
  13. secilc/
  14. semodule-utils/
  15. .gitignore
  16. .travis.yml
  17. CleanSpec.mk
  18. Makefile
  19. README