On 03/31/2015 03:58 PM, Stephen Smalley wrote: > On 03/30/2015 07:57 PM, Nick Kralevich wrote: >> Just spent some time debugging a problem that I thought I'd share with >> the wider SEAndroid community. Hopefully someone won't experience the >> same problem in the future. >> >> Problem: Device boots slowly. The bulk of the boot time is in >> ueventd's function fixup_sys_perms, which calls restorecon_recursive >> on nodes in /sys. Code which performed this operation was added in >> https://android-review.googlesource.com/100249 . >> >> Device contains the following entry in /file_contexts: >> >> /sys/devices/.*asdf.*(/.*)? u:object_r:sysfs_asdf:s0 >> >> While doing the directory tree walk, restorecon_recursive() is >> optimized to avoid recursing down paths which will never match a >> regular expression in /file_contexts. This is an important >> optimization which keeps boot times down. >> >> However, the file_contexts entry above defeats the optimization. It >> tries looking for any file/directory named "asdf" in any subdirectory >> of /sys/devices, which requires recursing into every directory of >> /sys/devices >> >> Changing the regex to: >> >> /sys/devices/[^/]+asdf[^/]+(/.*)? u:object_r:sysfs_asdf:s0 >> >> substantially improved boot times, as it allowed the >> restorecon_recursive optimizations to be effective and avoids visiting >> unnecessary directories. > > Hmm...wonder if we could/should test for such problematic regexes in the > label_file backend and at least warn on them. Then when checkfc is run > as part of the policy build, they would get the warning (or error, if we > make it fatal). We'd only really need to impose it on /sys entries > though; hard to generalize it.
The other option would be to revert that change (i.e. only restorecon files listed in uevent*.rc) and require adding entries to uevent*.rc for any files that need specific sysfs contexts at the same time they are added to file_contexts. Then we only use restorecon_recursive for the initial /sys restorecon, not on every fixup_sys_perms, although even there it would be better to avoid these kinds of regexes. _______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
