On 06/27/2014 01:35 AM, Jaejyn Shin wrote:
> Thank you very much for your help, Mr Stephen Smalley and Mr Paul Moore
>
> I modified my source code like this to speed up the boot time.
>
> ------------------------------------------------------------------------------------------
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -75,6 +75,8 @@ static char policy_opened;
> /* global data for policy capabilities */
> static struct dentry *policycap_dir;
>
> +static int booting = 1;
> +
> /* Check whether a task is allowed to use a security operation. */
> static int task_has_security(struct task_struct *tsk,
> u32 perms)
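Review bot: the new file-scope flag `static int booting = 1;` has no comment saying what it tracks or when it is cleared, although it sits right beside the commented `policycap_dir` declaration; add a one-line comment (e.g. `/* cleared on the first transition to enforcing mode */`) and consider declaring it `bool` rather than `int`, which is how a simple state flag normally reads in kernel code.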
> @@ -177,8 +178,12 @@ static ssize_t sel_write_enforce(struct file *file,
> const char __user *buf,
> from_kuid(&init_user_ns, audit_get_loginuid(current)),
> audit_get_sessionid(current));
> selinux_enforcing = new_value;
> - if (selinux_enforcing)
> - avc_ss_reset(0);
> + if (selinux_enforcing){
> + if(!booting){
> + avc_ss_reset(0);
> + }
> + booting = 0;
> + }
> selnl_notify_setenforce(selinux_enforcing);
> selinux_status_update_setenforce(selinux_enforcing);
> }
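Review bot: `booting` is cleared only by the first write that sets `selinux_enforcing`, so the skipped `avc_ss_reset(0)` applies to the first permissive-to-enforcing transition whenever it happens, not only during boot; a `setenforce 1` issued long after startup would still take the no-reset path once. If the goal is to avoid the reset during early boot, tie the condition to something that marks boot completion rather than to the first enforce write. Style: kernel style wants `if (selinux_enforcing) {` and `if (!booting) {` with the spaces, and the single-statement inner body does not need braces.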
> diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
> index 18caa16..055157f 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -1870,7 +1870,7 @@ int security_load_policy(void *data, size_t len)
> ss_initialized = 1;
> seqno = ++latest_granting;
> selinux_complete_init();
> - avc_ss_reset(seqno);
> + //avc_ss_reset(seqno);
> selnl_notify_policyload(seqno);
> selinux_status_update_policyload(seqno);
> selinux_netlbl_cache_invalidate();
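Review bot: commenting out `avc_ss_reset(seqno);` with `//` leaves dead code in `security_load_policy()` and uses a C++-style comment, which kernel style rejects; if the call is really meant to go, delete the line. This path also runs on every policy load, not only the initial one, so every later policy reload would keep the old AVC contents as well; if skipping the reset is wanted only for the first load, gate it on whether this is the initial load (the code just above sets `ss_initialized = 1`) instead of removing the call unconditionally.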
This means you won't reset the AVC at all during boot, which could leave
stale entries in it at least until they get reclaimed via LRU. Probably
harmless in practice but I wouldn't recommend it.
> ------------------------------------------------------------------------------------------
>
> But I think your code is better than mine, because I am a novice on selinux.
> After applying the code you shared with me, the selinux initializing time
> decreased (0.5ms -> 0.15ms).
> I will try more tests to find out the other effects of the code.
As a further optimization, you could likely skip the synchronize_net()
call entirely at least on initial policy load since policy is always
loaded before network interface configuration in Android. I'm not sure
the synchronize_net() call is even required on subsequent policy reloads
unless you need a guarantee that after the policy load completes, all
subsequent network permission checks will be based on the
netif/node/port contexts defined by the updated policy. And it is a bit
moot with the current Android policy as it does not define any specific
netif/node/port contexts, although that could always change.
_______________________________________________
Seandroid-list mailing list