On 10/12/2016 09:24 AM, Roberts, William C wrote:
> It’s been reported that labelling via restorecon_recursive
> /sys/kernel/debug is taking 0.25s on a device. I wanted to verify a
> thought:
>
> It looks like genfscon per file labeling is supported by selinux (like
> procfs), on linux master branch, I see:
>
> selinux_set_mnt_opts():
> <snip>
>         if (!strcmp(sb->s_type->name, "debugfs") ||
>             !strcmp(sb->s_type->name, "sysfs") ||
>             !strcmp(sb->s_type->name, "pstore"))
>                 sbsec->flags |= SE_SBGENFS;
> <snip>
>
> Would using genfscon statements and removing the restorecon_recursive be
> faster since it avoids the tree walk? Any caveats, issues one can think of?

First, I'd be interested in understanding why that is taking so long, and in comparing it with the time on restorecon_recursive /sys (performed directly by init).

The SE for Android todo list does suggest investigating this for replacing the restorecon_recursive /sys, so it would make sense to investigate it for both. It does require that the device kernel include the necessary support.

As noted in https://android-review.googlesource.com/#/c/151776/, you are also limited in that genfscon only supports pathname prefix matching, not regexes.
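The prefix-only limitation mentioned in the reply can be checked mechanically before dropping the tree walk. The sketch below is an added example, not code from this thread or from AOSP: it converts file_contexts entries under /sys/kernel/debug into genfscon statements where the pattern is a plain path prefix, rejects entries that need a regex, and models genfscon lookup as longest string-prefix match. The sample entries and the `example_*` type names are constructed placeholders.

```python
import re

SUBTREE = "(/.*)?"                      # file_contexts idiom: path and everything below it
META = re.compile(r"[.^$*+?()\[\]{}|\\]")

def to_genfscon(fc_line, mount="/sys/kernel/debug", fstype="debugfs"):
    """Return a genfscon statement for a file_contexts line, or None if the
    entry needs real regex matching and cannot be expressed as a prefix."""
    fields = fc_line.split()
    if len(fields) != 2:                # file-type qualifiers (--, -d) not handled here
        return None
    pattern, context = fields
    if pattern.endswith(SUBTREE):
        pattern = pattern[:-len(SUBTREE)]
    # A bare literal path is also accepted; as genfscon it becomes a prefix.
    literal = pattern.replace("\\.", "\0")   # protect escaped dots
    if META.search(literal):
        return None
    literal = literal.replace("\0", ".")
    if literal != mount and not literal.startswith(mount + "/"):
        return None
    rel = literal[len(mount):] or "/"   # genfscon paths are relative to the fs root
    return f"genfscon {fstype} {rel} {context}"

def genfs_lookup(statements, path):
    """Model of genfscon matching: plain string prefix, longest prefix wins."""
    rules = [s.split()[2:4] for s in statements]
    for prefix, context in sorted(rules, key=lambda r: len(r[0]), reverse=True):
        if path.startswith(prefix):
            return context
    return None

# Constructed file_contexts entries; the example_* type names are placeholders.
SAMPLE = [
    "/sys/kernel/debug(/.*)?            u:object_r:debugfs:s0",
    "/sys/kernel/debug/tracing(/.*)?    u:object_r:example_trace:s0",
    "/sys/kernel/debug/dri/[0-9]+/name  u:object_r:example_gpu:s0",
]

if __name__ == "__main__":
    converted = [to_genfscon(line) for line in SAMPLE]
    for src, out in zip(SAMPLE, converted):
        print(out or f"# needs regex, not expressible as genfscon: {src.split()[0]}")
    usable = [c for c in converted if c]
    print(genfs_lookup(usable, "/tracing/trace_marker"))
```

Because the match is a string prefix rather than a path-component match, a `/tracing` rule in this model also labels a sibling such as `/tracingfoo`, which is worth checking for when converting entries.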