On 10/12/2016 09:36 AM, Stephen Smalley wrote:
> On 10/12/2016 09:24 AM, Roberts, William C wrote:
>> It’s been reported that labelling via restorecon_recursive
>> /sys/kernel/debug is taking 0.25s on a device. I wanted to verify a
>> thought:
>>
>> It looks like genfscon per file labeling is supported by selinux (like
>> procfs), on linux master branch, I see:
>>
>> selinux_set_mnt_opts():
>>
>> <snip>
>>
>>         if (!strcmp(sb->s_type->name, "debugfs") ||
>>             !strcmp(sb->s_type->name, "sysfs") ||
>>             !strcmp(sb->s_type->name, "pstore"))
>>                 sbsec->flags |= SE_SBGENFS;
>>
>> <snip>
>>
>> Would using genfscon statements and removing the restorecon_recursive be
>> faster since it avoids the tree walk? Any caveats, issues one can think of?
>
> First, I'd be interested in understanding why that is taking so long,
> and compare with time on restorecon_recursive /sys (performed directly
> by init).
>
> The SE for Android todo list does suggest investigating this for
> replacing the restorecon_recursive /sys, so it would make sense to
> investigate it for both. It does require that the device kernel include
> the necessary support. As noted in
> https://android-review.googlesource.com/#/c/151776/, you are also
> limited in that genfscon only supports pathname prefix matching, not
> regexes.

The corresponding change for debugfs was:
https://android-review.googlesource.com/#/q/I6460fbed6bb6bd36eb8554ac8c4fdd574edf3b07
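
An added example, not part of the original thread and not kernel or AOSP code: a simplified user-space model of the prefix-only matching that the quoted caveat describes for genfscon. The entries, the contexts and the helper name genfs_lookup() are constructed for illustration; paths are relative to the root of the debugfs mount.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample entries, standing in for policy lines of the form
 *   genfscon debugfs <prefix> <context>
 * Kept sorted by decreasing prefix length so the first hit is the longest. */
struct genfs_entry { const char *prefix; const char *context; };

static const struct genfs_entry debugfs_entries[] = {
    { "/tracing/trace_marker", "u:object_r:debugfs_trace_marker:s0" },
    { "/tracing",              "u:object_r:debugfs_tracing:s0" },
    { "/",                     "u:object_r:debugfs:s0" },
};

/* Hypothetical helper: a plain strncmp() prefix test. No wildcards, no
 * regexes, and no awareness of path-component boundaries. */
const char *genfs_lookup(const char *path)
{
    size_t n = sizeof(debugfs_entries) / sizeof(debugfs_entries[0]);
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(debugfs_entries[i].prefix);
        if (strncmp(debugfs_entries[i].prefix, path, len) == 0)
            return debugfs_entries[i].context;
    }
    return NULL; /* no entry matched */
}

int main(void)
{
    /* Constructed paths. The third one shows that "/tracing" also captures
     * a sibling directory that merely starts with the same characters. */
    const char *paths[] = {
        "/tracing/trace_marker",
        "/tracing/events/sched/enable",
        "/tracing_extra/file",
        "/binder/state",
    };
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-32s -> %s\n", paths[i], genfs_lookup(paths[i]));
    return 0;
}
```

A file_contexts pattern such as /tracing/events/.*/enable has no equivalent in this model: every file under /tracing receives the /tracing label unless a longer literal prefix is listed for it.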