> -----Original Message----- > From: Stephen Smalley [mailto:s...@tycho.nsa.gov] > Sent: Wednesday, October 12, 2016 9:37 AM > To: Roberts, William C <william.c.robe...@intel.com>; 'seandroid- > l...@tycho.nsa.gov' <seandroid-list@tycho.nsa.gov> > Cc: Yang, Bin Y <bin.y.y...@intel.com> > Subject: Re: labelling /sys/kernel/debug aka debugfs > > On 10/12/2016 09:24 AM, Roberts, William C wrote: > > It’s been reported that labelling via restorecon_recursive > > /sys/kernel/debug is taking 0.25s on a device. I wanted to verify a > > thought: > > > > > > > > It looks like genfscon per file labeling is supported by selinux (like > > procfs), on linux master branch, I see: > > > > > > > > selinux_set_mnt_opts(): > > > > <snip> > > > > 815 if (!strcmp(sb->s_type->name, "debugfs") || > > > > 816 !strcmp(sb->s_type->name, "sysfs") || > > > > 817 !strcmp(sb->s_type->name, "pstore")) > > > > 818 sbsec->flags |= SE_SBGENFS; > > > > <snip> > > > > > > > > Would using genfscon statements and removing the restorecon_recursive > > be faster since it avoids the tree walk? Any caveats, issues one can think > > of? > > First, I'd be interested in understanding why that is taking so long, and > compare > with time on restorecon_recursive /sys (performed directly by init). > > The SE for Android todo list does suggest investigating this for replacing the > restorecon_recursive /sys, so it would make sense to investigate it for both. > It > does require that the device kernel include the necessary support. As noted in > https://android-review.googlesource.com/#/c/151776/, you are also limited in > that genfscon only supports pathname prefix matching, not regexes.
I don't see any uses where the lack of regex support would be a problem. I'll see if Bin, the reporter, can collect more stats for us, Yang could you collect those? _______________________________________________ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
