On 06/25/2014 04:36 AM, Jaejyn Shin wrote:
> Dear SEAndroid and SELinux developers,
> First of all, I always appreciate that I get lots of information on this
> mailing list.
>
> After applying kernel 3.10, the boot time of my device has increased.
> In particular, the SELinux initialization time has increased (by about 0.5s).
>
> I analyzed the reason, and I found that the synchronize_net function has
> a 0.1s delay.
>
> before)
> selinux_initialize
>   -> selinux_android_load_policy
>     -> selinux_android_reload_policy
>       -> security_load_policy
>         -> avc_ss_reset
>           -> sel_netport_avc_callback -> synchronize_net
>           -> sel_netnode_avc_callback -> synchronize_net
>           -> sel_netif_avc_callback -> synchronize_net
>   -> security_setenforce
>     -> sel_write_enforce
>       -> avc_ss_reset
>         -> sel_netport_avc_callback -> synchronize_net
>         -> sel_netnode_avc_callback -> synchronize_net
>         -> sel_netif_avc_callback -> synchronize_net
>
> To speed up the boot time, can I skip calling the avc_ss_reset
> function only during SELinux initialization?
>
> after)
> selinux_initialize
>   -> selinux_android_load_policy
>     -> selinux_android_reload_policy
>       -> security_load_policy
>         X-> avc_ss_reset
>   -> security_setenforce
>     -> sel_write_enforce
>       X-> avc_ss_reset
>
> Is it possible?
I took discussion of this issue over to the selinux list since it is a general selinux kernel issue, see:
http://marc.info/?t=140372402600004&r=1&w=2

That thread is to consider what we can do in the general case, and will likely coalesce the multiple synchronize_net() calls from the individual callback functions into a single call.

I think we can further optimize for Android since we know that initial policy load always precedes network interface configuration and since we know that we will always be performing a setenforce 1 immediately after initial policy load. So in that case, we could skip the first avc_ss_reset() call altogether and only trigger it from the sel_write_enforce() code path. I'd rather keep it there so that subsequent setenforce 0; setenforce 1; sequences will correctly flush the cache of any permissions granted while in permissive mode.

Attached is an untested patch you could try to see if it resolves the issue.
>From 2d9b36eb108192c76a6216d5d7f516630ad8d9cc Mon Sep 17 00:00:00 2001 From: Stephen Smalley <[email protected]> Date: Thu, 26 Jun 2014 10:29:54 -0400 Subject: [PATCH] Reduce boot time overhead by optimizing initial policy load. Jaejyn Shin reports a boot time increase of 0.5s in kernel 3.10 during the SELinux initial policy load primarily due to multiple synchronize_net calls from the avc callbacks invoked by avc_ss_reset. Optimize this code path by only calling synchronize_net once during avc_ss_reset after all callbacks have run. Further optimize it by removing the avc_ss_reset call from the initial policy load, relying on the fact that it will still be called upon the subsequent setenforce 1 by init. Signed-off-by: Stephen Smalley <[email protected]> --- security/selinux/avc.c | 2 ++ security/selinux/netif.c | 1 - security/selinux/netnode.c | 1 - security/selinux/netport.c | 1 - security/selinux/ss/services.c | 5 ----- 5 files changed, 2 insertions(+), 8 deletions(-) diff --git a/security/selinux/avc.c b/security/selinux/avc.c index c223a32..a4c3028 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -21,6 +21,7 @@ #include <linux/dcache.h> #include <linux/init.h> #include <linux/skbuff.h> +#include <linux/netdevice.h> #include <linux/percpu.h> #include <net/sock.h> #include <linux/un.h> @@ -656,6 +657,7 @@ int avc_ss_reset(u32 seqno) } } + synchronize_net(); avc_latest_notif_update(seqno, 0); return rc; } diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 47a49d1..4f2f311 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c @@ -256,7 +256,6 @@ static int sel_netif_avc_callback(u32 event) { if (event == AVC_CALLBACK_RESET) { sel_netif_flush(); - synchronize_net(); } return 0; } diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index c5454c0..51fee6f 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c 
@@ -302,7 +302,6 @@ static int sel_netnode_avc_callback(u32 event) { if (event == AVC_CALLBACK_RESET) { sel_netnode_flush(); - synchronize_net(); } return 0; } diff --git a/security/selinux/netport.c b/security/selinux/netport.c index d353797..c30870d 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c @@ -238,7 +238,6 @@ static int sel_netport_avc_callback(u32 event) { if (event == AVC_CALLBACK_RESET) { sel_netport_flush(); - synchronize_net(); } return 0; } diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 18caa16..5a2ebd8 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1870,11 +1870,6 @@ int security_load_policy(void *data, size_t len) ss_initialized = 1; seqno = ++latest_granting; selinux_complete_init(); - avc_ss_reset(seqno); - selnl_notify_policyload(seqno); - selinux_status_update_policyload(seqno); - selinux_netlbl_cache_invalidate(); - selinux_xfrm_notify_policyload(); return 0; } -- 1.8.3.1
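Review bot: In the avc.c avc_ss_reset() hunk, the new synchronize_net() runs on every reset regardless of whether any registered callback actually flushed a network cache, and with the per-cache calls gone from netif.c, netnode.c and netport.c nothing near it explains why generic AVC code waits for a network RCU grace period. Add a comment above the call, e.g. `/* wait for readers of the netif/netnode/netport caches flushed by the callbacks above */`, so the coupling survives the next refactor.

Review bot: In the netif.c sel_netif_avc_callback() hunk, the if body is now a single statement, so the braces can go (checkpatch will flag them): `if (event == AVC_CALLBACK_RESET)` followed by `sel_netif_flush();`. More importantly, the callback now returns before readers of the removed entries have drained and relies on its caller to wait; a one-line comment stating that avc_ss_reset() issues the synchronize_net() keeps that contract visible to anyone who later calls sel_netif_flush() from another path.

Review bot: The netnode.c sel_netnode_avc_callback() hunk has the same two points as netif.c: drop the now-unneeded braces around the single sel_netnode_flush() call, and document that the grace-period wait moved to avc_ss_reset().

Review bot: Same for the netport.c sel_netport_avc_callback() hunk: single-statement if body without braces, plus a comment noting that synchronize_net() is now the caller's responsibility.

Review bot: The services.c security_load_policy() hunk removes more than the commit message describes. Besides avc_ss_reset(seqno), it drops selnl_notify_policyload(seqno), selinux_status_update_policyload(seqno), selinux_netlbl_cache_invalidate() and selinux_xfrm_notify_policyload() from the initial-load path, so userspace receives neither the netlink policyload notification nor a status-page update for the first load, and the NetLabel and XFRM caches are not invalidated. Only the avc_ss_reset() call is what the boot-time argument justifies; keep the other four lines, or explain in the commit message why they are safe to skip. Also, the stated justification ("it will still be called upon the subsequent setenforce 1 by init") is an Android init assumption that the kernel does not enforce: a system that stays permissive after the initial load never flushes AVC entries that were present before the policy was loaded. State explicitly in the code and commit message that this part is Android-specific and not intended for upstream.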
