subject:"\[RFC\] mmap file_contexts and property

RE: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread Roberts, William C



> > -Original Message-
> > From: Roberts, William C
> > Sent: Monday, September 19, 2016 2:45 PM
> > To: seli...@tycho.nsa.gov; seandroid-list@tycho.nsa.gov;
> > s...@tycho.nsa.gov; jda...@google.com
> > Cc: Roberts, William C <william.c.robe...@intel.com>
> > Subject: [RFC] mmap file_contexts and property_contexts:
> >
> > From: William Roberts <william.c.robe...@intel.com>
> >
> > THIS IS WIP...
> >
> > Rather than using stdio and making copies, just mmap the files and use
> > the pointers in place. The affect of this change, is that text file
> > load time is now faster than binary load time by 4.7% when testing
> > with a file_contexts file from the Android tree. Note that the Android 
> > doesn't
> use monstrous regexs.
> >
> > Times are the average of 3 runs.
> >
> > BEFORE:
> > Text file allocs: 114803
> > Text file load time: 0.266101
> > Bin file allocs: 93073
> > Bin file load time: 0.248757667
> >
> > AFTER:
> > Text file allocs: 103933
> > Text file load time: 0.236192667
> > Bin file allocs: 87645
> > Bin file load time: .247607333

Another potential issue, is that mmaping with textfiles also has the sideffect
of mapping in all the spaces or tabs, etc used, between fields, so on files with
heavy whitespace, it could be really memory intensive. 

I think Janis's patch that has -r option is a more useful way to go. Without 
precompiled
Regex's its essentially a textfile without the whitespace, and it automatically 
would
get pulled into the mmap interface.

I'm abandoning this, since we already get this functionality, without the 
negatives.
Janis, IIRC, you are re-configuring your patch so -r omits pre-compiled regex's 
(submitted
I believe on the list and awaiting other patches) and adding an arch string so 
we can
Detect when we need to recompile the regular expressions if they are supplied 
but
unusable.

I think we may want to investigate to have the "omit pre-compiled regex's" work 
on PCRE
library variants as well, but I doubt it would be used since Android is moving 
to PCRE2.




___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

RE: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread Roberts, William C

> > On 09/19/2016 05:51 PM, Roberts, William C wrote:
> > > FYI I only tested this with checkfc...
> >
> > Evidently.  matchpathcon and sefcontext_compile both report calls to
> > free() on invalid pointers and abort.
> 
> That doesn’t surprise me, I only tested the checkfc usages. Hence #4 in todo's
> 

I looked at the sefcontext_compile bug, and its yet another conglomeration 
where internal
Interfaces into libselinux are presumed and duplicate code exists (for loading 
a file).
It implements its own routine for the freeing of Spec data. Why doesn't it use 
proper
libselinux interfaces, or libselinux expose the proper Interfaces for this type 
of work?
Is this just an example of something that should be fixed or is there some 
deeper
reasoning to its construction?

I could not get matchpatchcon to reproduce (built with ASAN):
./selinux/libselinux/utils/matchpathcon /etc -f file_contexts
/etcu:object_r:rootfs:s0

Bill

___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

RE: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread Roberts, William C



> -Original Message-
> From: Stephen Smalley [mailto:s...@tycho.nsa.gov]
> Sent: Tuesday, September 20, 2016 6:18 AM
> To: Roberts, William C <william.c.robe...@intel.com>; seli...@tycho.nsa.gov;
> seandroid-list@tycho.nsa.gov; jda...@google.com
> Subject: Re: [RFC] mmap file_contexts and property_contexts:
> 
> On 09/19/2016 05:51 PM, Roberts, William C wrote:
> > FYI I only tested this with checkfc...
> 
> Evidently.  matchpathcon and sefcontext_compile both report calls to
> free() on invalid pointers and abort.

That doesn’t surprise me, I only tested the checkfc usages. Hence #4 in todo's

> 
> >
> >> -Original Message-
> >> From: Roberts, William C
> >> Sent: Monday, September 19, 2016 2:45 PM
> >> To: seli...@tycho.nsa.gov; seandroid-list@tycho.nsa.gov;
> >> s...@tycho.nsa.gov; jda...@google.com
> >> Cc: Roberts, William C <william.c.robe...@intel.com>
> >> Subject: [RFC] mmap file_contexts and property_contexts:
> >>
> >> From: William Roberts <william.c.robe...@intel.com>
> >>
> >> THIS IS WIP...
> >>
> >> Rather than using stdio and making copies, just mmap the files and
> >> use the pointers in place. The affect of this change, is that text
> >> file load time is now faster than binary load time by 4.7% when
> >> testing with a file_contexts file from the Android tree. Note that the 
> >> Android
> doesn't use monstrous regexs.
> >>
> >> Times are the average of 3 runs.
> >>
> >> BEFORE:
> >> Text file allocs: 114803
> >> Text file load time: 0.266101
> >> Bin file allocs: 93073
> >> Bin file load time: 0.248757667
> >>
> >> AFTER:
> >> Text file allocs: 103933
> >> Text file load time: 0.236192667
> >> Bin file allocs: 87645
> >> Bin file load time: .247607333
> >>
> >> THINGS TO DO:
> >> 1. What's arm performance like?
> >> 2. What interfaces to backends are busted by this (if any)?
> >> 3. Test Android Properties
> >> 4. Im pretty sure this breaks sefcontext_compile, fix.
> >> 5. Test with PCRE2 enabled.
> >> 6. Spell check this message!
> >> 7. Run checkpatch
> >>
> >> Signed-off-by: William Roberts <william.c.robe...@intel.com>
> >> ---
> >>  libselinux/src/label.c  |   2 -
> >>  libselinux/src/label_android_property.c |  22 ++---
> >>  libselinux/src/label_file.c | 140 
> >> +++-
> >>  libselinux/src/label_file.h |  66 +--
> >>  libselinux/src/label_internal.h |   3 +-
> >>  libselinux/src/label_support.c  |  79 --
> >>  6 files changed, 172 insertions(+), 140 deletions(-)
> >>
> >> diff --git a/libselinux/src/label.c b/libselinux/src/label.c index
> >> 963bfcb..d767b49
> >> 100644
> >> --- a/libselinux/src/label.c
> >> +++ b/libselinux/src/label.c
> >> @@ -15,8 +15,6 @@
> >>  #include "callbacks.h"
> >>  #include "label_internal.h"
> >>
> >> -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> >> -
> >>  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> >>const struct selinux_opt *opts,
> >>unsigned nopts);
> >> diff --git a/libselinux/src/label_android_property.c
> >> b/libselinux/src/label_android_property.c
> >> index 290b438..2aac394 100644
> >> --- a/libselinux/src/label_android_property.c
> >> +++ b/libselinux/src/label_android_property.c
> >> @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
> >>int pass, unsigned lineno)
> >>  {
> >>int items;
> >> -  char *prop = NULL, *context = NULL;
> >> +  union {
> >> +  struct {
> >> +  char *prop;
> >> +  char *context;
> >> +  };
> >> +  char *array[2];
> >> +  } found = { .array = { 0 } };
> >>struct saved_data *data = (struct saved_data *)rec->data;
> >>spec_t *spec_arr = data->spec_arr;
> >>unsigned int nspec = data->nspec;
> >>const char *errbuf = NULL;
> >>
> >> -  items = read_spec_entries(line_buf, , 2, , );
> >> +  items = read_spec_entries(line_buf, ,
> >> +ARRAY_SIZE(found.array), found.array);
> &

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread Stephen Smalley

On 09/20/2016 02:27 AM, William Roberts wrote:
> On Sep 19, 2016 22:25, "Jason Zaman"  wrote:
>>
>> On 20 Sep 2016 12:50 pm, "William Roberts" 
> wrote:
>>>
>>> On Sep 19, 2016 21:16, "Jason Zaman"  wrote:

 On 20 Sep 2016 5:47 am,  wrote:
>
> From: William Roberts 
>
> THIS IS WIP...
>
> Rather than using stdio and making copies, just mmap the files
> and use the pointers in place. The affect of this change, is that
> text file load time is now faster than binary load time by 4.7%
> when testing with a file_contexts file from the Android tree. Note
> that the Android doesn't use monstrous regexs.
>
> Times are the average of 3 runs.
>
> BEFORE:
> Text file allocs: 114803
> Text file load time: 0.266101
> Bin file allocs: 93073
> Bin file load time: 0.248757667
>
> AFTER:
> Text file allocs: 103933
> Text file load time: 0.236192667
> Bin file allocs: 87645
> Bin file load time: .247607333

 Do you have the scripts that generated these stats so I can play with
> it too? These stats are from android right? Do you also have a comparison
> for refpolicy too?
>>>
>>> For generating these I used checkfc.c from the Android tree. I used
> valgrind to measure allocations and clock to measure the time in
> selabel_open().
>>
>> Okay cool I'll fetch that and give it a whirl when I get time.
>>

 I haven't looked that closely yet but just realised, will this need
> new perms because of the mmap? If it does, can you send a patch to
> refpolicy?
>>>
>>> I'm confused, mmap is not a permission, even if it was the binary path
> already was doing an mmap, so the permission would have been there. We're
> just making it so it always mmaps.
>>
>> Yeah but mmap needs execute perms sometimes (always?). I am out so just
> wanted to send an email before I forgot. If it was mmaping already then
> there is nothing to worry about :).
> 
> Mmap would only need execute if you attempted to set the prot bits to
> execute it use mprotect to change the mapping. Then things like execmod
> might come I to play if the mapping was ever writable.

The only case where mmap without PROT_EXEC would require execute would
be if the process has READ_IMPLIES_EXEC set in its personality.
Typically only for programs with the executable stack flag set.

Anyway, it is already mmap'ing file_contexts.bin so there shouldn't be
an issue here.



___
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread William Roberts

On Sep 19, 2016 22:25, "Jason Zaman"  wrote:
>
> On 20 Sep 2016 12:50 pm, "William Roberts" 
wrote:
> >
> > On Sep 19, 2016 21:16, "Jason Zaman"  wrote:
> > >
> > > On 20 Sep 2016 5:47 am,  wrote:
> > > >
> > > > From: William Roberts 
> > > >
> > > > THIS IS WIP...
> > > >
> > > > Rather than using stdio and making copies, just mmap the files
> > > > and use the pointers in place. The affect of this change, is that
> > > > text file load time is now faster than binary load time by 4.7%
> > > > when testing with a file_contexts file from the Android tree. Note
> > > > that the Android doesn't use monstrous regexs.
> > > >
> > > > Times are the average of 3 runs.
> > > >
> > > > BEFORE:
> > > > Text file allocs: 114803
> > > > Text file load time: 0.266101
> > > > Bin file allocs: 93073
> > > > Bin file load time: 0.248757667
> > > >
> > > > AFTER:
> > > > Text file allocs: 103933
> > > > Text file load time: 0.236192667
> > > > Bin file allocs: 87645
> > > > Bin file load time: .247607333
> > >
> > > Do you have the scripts that generated these stats so I can play with
it too? These stats are from android right? Do you also have a comparison
for refpolicy too?
> >
> > For generating these I used checkfc.c from the Android tree. I used
valgrind to measure allocations and clock to measure the time in
selabel_open().
>
> Okay cool I'll fetch that and give it a whirl when I get time.
>
> > >
> > > I haven't looked that closely yet but just realised, will this need
new perms because of the mmap? If it does, can you send a patch to
refpolicy?
> >
> > I'm confused, mmap is not a permission, even if it was the binary path
already was doing an mmap, so the permission would have been there. We're
just making it so it always mmaps.
>
> Yeah but mmap needs execute perms sometimes (always?). I am out so just
wanted to send an email before I forgot. If it was mmaping already then
there is nothing to worry about :).

Mmap would only need execute if you attempted to set the prot bits to
execute it use mprotect to change the mapping. Then things like execmod
might come I to play if the mapping was ever writable.

>
> -- Jason
> > >
> > > > THINGS TO DO:
> > > > 1. What's arm performance like?
> > > > 2. What interfaces to backends are busted by this (if any)?
> > > > 3. Test Android Properties
> > > > 4. Im pretty sure this breaks sefcontext_compile, fix.
> > > > 5. Test with PCRE2 enabled.
> > > > 6. Spell check this message!
> > > > 7. Run checkpatch
> > > >
> > > > Signed-off-by: William Roberts 
> > > > ---
> > > >  libselinux/src/label.c  |   2 -
> > > >  libselinux/src/label_android_property.c |  22 ++---
> > > >  libselinux/src/label_file.c | 140
+++-
> > > >  libselinux/src/label_file.h |  66 +--
> > > >  libselinux/src/label_internal.h |   3 +-
> > > >  libselinux/src/label_support.c  |  79 --
> > > >  6 files changed, 172 insertions(+), 140 deletions(-)
> > > >
> > > > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > > > index 963bfcb..d767b49 100644
> > > > --- a/libselinux/src/label.c
> > > > +++ b/libselinux/src/label.c
> > > > @@ -15,8 +15,6 @@
> > > >  #include "callbacks.h"
> > > >  #include "label_internal.h"
> > > >
> > > > -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> > > > -
> > > >  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> > > > const struct selinux_opt *opts,
> > > > unsigned nopts);
> > > > diff --git a/libselinux/src/label_android_property.c
b/libselinux/src/label_android_property.c
> > > > index 290b438..2aac394 100644
> > > > --- a/libselinux/src/label_android_property.c
> > > > +++ b/libselinux/src/label_android_property.c
> > > > @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle
*rec,
> > > > int pass, unsigned lineno)
> > > >  {
> > > > int items;
> > > > -   char *prop = NULL, *context = NULL;
> > > > +   union {
> > > > +   struct {
> > > > +   char *prop;
> > > > +   char *context;
> > > > +   };
> > > > +   char *array[2];
> > > > +   } found = { .array = { 0 } };
> > > > struct saved_data *data = (struct saved_data *)rec->data;
> > > > spec_t *spec_arr = data->spec_arr;
> > > > unsigned int nspec = data->nspec;
> > > > const char *errbuf = NULL;
> > > >
> > > > -   items = read_spec_entries(line_buf, , 2, ,
);
> > > > +   items = read_spec_entries(line_buf, ,
ARRAY_SIZE(found.array), found.array);
> > > > if (items < 0) {
> > > > items = errno;
> > > > selinux_log(SELINUX_ERROR,
> > > > @@ -108,18 +114,14 @@

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread Jason Zaman

On 20 Sep 2016 12:50 pm, "William Roberts"  wrote:
>
> On Sep 19, 2016 21:16, "Jason Zaman"  wrote:
> >
> > On 20 Sep 2016 5:47 am,  wrote:
> > >
> > > From: William Roberts 
> > >
> > > THIS IS WIP...
> > >
> > > Rather than using stdio and making copies, just mmap the files
> > > and use the pointers in place. The affect of this change, is that
> > > text file load time is now faster than binary load time by 4.7%
> > > when testing with a file_contexts file from the Android tree. Note
> > > that the Android doesn't use monstrous regexs.
> > >
> > > Times are the average of 3 runs.
> > >
> > > BEFORE:
> > > Text file allocs: 114803
> > > Text file load time: 0.266101
> > > Bin file allocs: 93073
> > > Bin file load time: 0.248757667
> > >
> > > AFTER:
> > > Text file allocs: 103933
> > > Text file load time: 0.236192667
> > > Bin file allocs: 87645
> > > Bin file load time: .247607333
> >
> > Do you have the scripts that generated these stats so I can play with
it too? These stats are from android right? Do you also have a comparison
for refpolicy too?
>
> For generating these I used checkfc.c from the Android tree. I used
valgrind to measure allocations and clock to measure the time in
selabel_open().

Okay cool I'll fetch that and give it a whirl when I get time.

> >
> > I haven't looked that closely yet but just realised, will this need new
perms because of the mmap? If it does, can you send a patch to refpolicy?
>
> I'm confused, mmap is not a permission, even if it was the binary path
already was doing an mmap, so the permission would have been there. We're
just making it so it always mmaps.

Yeah but mmap needs execute perms sometimes (always?). I am out so just
wanted to send an email before I forgot. If it was mmaping already then
there is nothing to worry about :).

-- Jason
> >
> > > THINGS TO DO:
> > > 1. What's arm performance like?
> > > 2. What interfaces to backends are busted by this (if any)?
> > > 3. Test Android Properties
> > > 4. Im pretty sure this breaks sefcontext_compile, fix.
> > > 5. Test with PCRE2 enabled.
> > > 6. Spell check this message!
> > > 7. Run checkpatch
> > >
> > > Signed-off-by: William Roberts 
> > > ---
> > >  libselinux/src/label.c  |   2 -
> > >  libselinux/src/label_android_property.c |  22 ++---
> > >  libselinux/src/label_file.c | 140
+++-
> > >  libselinux/src/label_file.h |  66 +--
> > >  libselinux/src/label_internal.h |   3 +-
> > >  libselinux/src/label_support.c  |  79 --
> > >  6 files changed, 172 insertions(+), 140 deletions(-)
> > >
> > > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > > index 963bfcb..d767b49 100644
> > > --- a/libselinux/src/label.c
> > > +++ b/libselinux/src/label.c
> > > @@ -15,8 +15,6 @@
> > >  #include "callbacks.h"
> > >  #include "label_internal.h"
> > >
> > > -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> > > -
> > >  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> > > const struct selinux_opt *opts,
> > > unsigned nopts);
> > > diff --git a/libselinux/src/label_android_property.c
b/libselinux/src/label_android_property.c
> > > index 290b438..2aac394 100644
> > > --- a/libselinux/src/label_android_property.c
> > > +++ b/libselinux/src/label_android_property.c
> > > @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle
*rec,
> > > int pass, unsigned lineno)
> > >  {
> > > int items;
> > > -   char *prop = NULL, *context = NULL;
> > > +   union {
> > > +   struct {
> > > +   char *prop;
> > > +   char *context;
> > > +   };
> > > +   char *array[2];
> > > +   } found = { .array = { 0 } };
> > > struct saved_data *data = (struct saved_data *)rec->data;
> > > spec_t *spec_arr = data->spec_arr;
> > > unsigned int nspec = data->nspec;
> > > const char *errbuf = NULL;
> > >
> > > -   items = read_spec_entries(line_buf, , 2, ,
);
> > > +   items = read_spec_entries(line_buf, ,
ARRAY_SIZE(found.array), found.array);
> > > if (items < 0) {
> > > items = errno;
> > > selinux_log(SELINUX_ERROR,
> > > @@ -108,18 +114,14 @@ static int process_line(struct selabel_handle
*rec,
> > > selinux_log(SELINUX_ERROR,
> > > "%s:  line %u is missing fields\n", path,
> > > lineno);
> > > -   free(prop);
> > > errno = EINVAL;
> > > return -1;
> > > }
> > >
> > > -   if (pass == 0) {
> > > -   free(prop);
> > > -   free(context);
> > > -   } else

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread William Roberts

On Sep 19, 2016 21:16, "Jason Zaman"  wrote:
>
> On 20 Sep 2016 5:47 am,  wrote:
> >
> > From: William Roberts 
> >
> > THIS IS WIP...
> >
> > Rather than using stdio and making copies, just mmap the files
> > and use the pointers in place. The affect of this change, is that
> > text file load time is now faster than binary load time by 4.7%
> > when testing with a file_contexts file from the Android tree. Note
> > that the Android doesn't use monstrous regexs.
> >
> > Times are the average of 3 runs.
> >
> > BEFORE:
> > Text file allocs: 114803
> > Text file load time: 0.266101
> > Bin file allocs: 93073
> > Bin file load time: 0.248757667
> >
> > AFTER:
> > Text file allocs: 103933
> > Text file load time: 0.236192667
> > Bin file allocs: 87645
> > Bin file load time: .247607333
>
> Do you have the scripts that generated these stats so I can play with it
too? These stats are from android right? Do you also have a comparison for
refpolicy too?

For generating these I used checkfc.c from the Android tree. I used
valgrind to measure allocations and clock to measure the time in
selabel_open().

>
> I haven't looked that closely yet but just realised, will this need new
perms because of the mmap? If it does, can you send a patch to refpolicy?

I'm confused, mmap is not a permission, even if it was the binary path
already was doing an mmap, so the permission would have been there. We're
just making it so it always mmaps.

>
> -- Jason
>
> > THINGS TO DO:
> > 1. What's arm performance like?
> > 2. What interfaces to backends are busted by this (if any)?
> > 3. Test Android Properties
> > 4. Im pretty sure this breaks sefcontext_compile, fix.
> > 5. Test with PCRE2 enabled.
> > 6. Spell check this message!
> > 7. Run checkpatch
> >
> > Signed-off-by: William Roberts 
> > ---
> >  libselinux/src/label.c  |   2 -
> >  libselinux/src/label_android_property.c |  22 ++---
> >  libselinux/src/label_file.c | 140
+++-
> >  libselinux/src/label_file.h |  66 +--
> >  libselinux/src/label_internal.h |   3 +-
> >  libselinux/src/label_support.c  |  79 --
> >  6 files changed, 172 insertions(+), 140 deletions(-)
> >
> > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > index 963bfcb..d767b49 100644
> > --- a/libselinux/src/label.c
> > +++ b/libselinux/src/label.c
> > @@ -15,8 +15,6 @@
> >  #include "callbacks.h"
> >  #include "label_internal.h"
> >
> > -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> > -
> >  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> > const struct selinux_opt *opts,
> > unsigned nopts);
> > diff --git a/libselinux/src/label_android_property.c
b/libselinux/src/label_android_property.c
> > index 290b438..2aac394 100644
> > --- a/libselinux/src/label_android_property.c
> > +++ b/libselinux/src/label_android_property.c
> > @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
> > int pass, unsigned lineno)
> >  {
> > int items;
> > -   char *prop = NULL, *context = NULL;
> > +   union {
> > +   struct {
> > +   char *prop;
> > +   char *context;
> > +   };
> > +   char *array[2];
> > +   } found = { .array = { 0 } };
> > struct saved_data *data = (struct saved_data *)rec->data;
> > spec_t *spec_arr = data->spec_arr;
> > unsigned int nspec = data->nspec;
> > const char *errbuf = NULL;
> >
> > -   items = read_spec_entries(line_buf, , 2, ,
);
> > +   items = read_spec_entries(line_buf, ,
ARRAY_SIZE(found.array), found.array);
> > if (items < 0) {
> > items = errno;
> > selinux_log(SELINUX_ERROR,
> > @@ -108,18 +114,14 @@ static int process_line(struct selabel_handle
*rec,
> > selinux_log(SELINUX_ERROR,
> > "%s:  line %u is missing fields\n", path,
> > lineno);
> > -   free(prop);
> > errno = EINVAL;
> > return -1;
> > }
> >
> > -   if (pass == 0) {
> > -   free(prop);
> > -   free(context);
> > -   } else if (pass == 1) {
> > +   if (pass == 1) {
> > /* On the second pass, process and store the
specification in spec. */
> > -   spec_arr[nspec].property_key = prop;
> > -   spec_arr[nspec].lr.ctx_raw = context;
> > +   spec_arr[nspec].property_key = found.prop;
> > +   spec_arr[nspec].lr.ctx_raw = found.context;
> >
> > if (rec->validating) {
> > if (selabel_validate(rec, _arr[nspec].lr)
< 0) {
> > @@ -234,7 +236,7 @@

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-20 Thread Jason Zaman

On 20 Sep 2016 5:47 am,  wrote:
>
> From: William Roberts 
>
> THIS IS WIP...
>
> Rather than using stdio and making copies, just mmap the files
> and use the pointers in place. The affect of this change, is that
> text file load time is now faster than binary load time by 4.7%
> when testing with a file_contexts file from the Android tree. Note
> that the Android doesn't use monstrous regexs.
>
> Times are the average of 3 runs.
>
> BEFORE:
> Text file allocs: 114803
> Text file load time: 0.266101
> Bin file allocs: 93073
> Bin file load time: 0.248757667
>
> AFTER:
> Text file allocs: 103933
> Text file load time: 0.236192667
> Bin file allocs: 87645
> Bin file load time: .247607333

Do you have the scripts that generated these stats so I can play with it
too? These stats are from android right? Do you also have a comparison for
refpolicy too?

I haven't looked that closely yet but just realised, will this need new
perms because of the mmap? If it does, can you send a patch to refpolicy?

-- Jason

> THINGS TO DO:
> 1. What's arm performance like?
> 2. What interfaces to backends are busted by this (if any)?
> 3. Test Android Properties
> 4. Im pretty sure this breaks sefcontext_compile, fix.
> 5. Test with PCRE2 enabled.
> 6. Spell check this message!
> 7. Run checkpatch
>
> Signed-off-by: William Roberts 
> ---
>  libselinux/src/label.c  |   2 -
>  libselinux/src/label_android_property.c |  22 ++---
>  libselinux/src/label_file.c | 140
+++-
>  libselinux/src/label_file.h |  66 +--
>  libselinux/src/label_internal.h |   3 +-
>  libselinux/src/label_support.c  |  79 --
>  6 files changed, 172 insertions(+), 140 deletions(-)
>
> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> index 963bfcb..d767b49 100644
> --- a/libselinux/src/label.c
> +++ b/libselinux/src/label.c
> @@ -15,8 +15,6 @@
>  #include "callbacks.h"
>  #include "label_internal.h"
>
> -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> -
>  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> const struct selinux_opt *opts,
> unsigned nopts);
> diff --git a/libselinux/src/label_android_property.c
b/libselinux/src/label_android_property.c
> index 290b438..2aac394 100644
> --- a/libselinux/src/label_android_property.c
> +++ b/libselinux/src/label_android_property.c
> @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
> int pass, unsigned lineno)
>  {
> int items;
> -   char *prop = NULL, *context = NULL;
> +   union {
> +   struct {
> +   char *prop;
> +   char *context;
> +   };
> +   char *array[2];
> +   } found = { .array = { 0 } };
> struct saved_data *data = (struct saved_data *)rec->data;
> spec_t *spec_arr = data->spec_arr;
> unsigned int nspec = data->nspec;
> const char *errbuf = NULL;
>
> -   items = read_spec_entries(line_buf, , 2, , );
> +   items = read_spec_entries(line_buf, ,
ARRAY_SIZE(found.array), found.array);
> if (items < 0) {
> items = errno;
> selinux_log(SELINUX_ERROR,
> @@ -108,18 +114,14 @@ static int process_line(struct selabel_handle *rec,
> selinux_log(SELINUX_ERROR,
> "%s:  line %u is missing fields\n", path,
> lineno);
> -   free(prop);
> errno = EINVAL;
> return -1;
> }
>
> -   if (pass == 0) {
> -   free(prop);
> -   free(context);
> -   } else if (pass == 1) {
> +   if (pass == 1) {
> /* On the second pass, process and store the
specification in spec. */
> -   spec_arr[nspec].property_key = prop;
> -   spec_arr[nspec].lr.ctx_raw = context;
> +   spec_arr[nspec].property_key = found.prop;
> +   spec_arr[nspec].lr.ctx_raw = found.context;
>
> if (rec->validating) {
> if (selabel_validate(rec, _arr[nspec].lr) <
0) {
> @@ -234,7 +236,7 @@ static void closef(struct selabel_handle *rec)
> for (i = 0; i < data->nspec; i++) {
> spec = >spec_arr[i];
> free(spec->property_key);
> -   free(spec->lr.ctx_raw);
> +   //free(spec->lr.ctx_raw);
> free(spec->lr.ctx_trans);
> }
>
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index 7156825..4dc440e 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -96,43 +96,64 @@ static int nodups_specs(struct saved_data *data,
const char *path)
> return rc;
>  }
>
> -static int

[RFC] mmap file_contexts and property_contexts:

2016-09-19 Thread william . c . roberts

From: William Roberts 

THIS IS WIP...

Rather than using stdio and making copies, just mmap the files
and use the pointers in place. The affect of this change, is that
text file load time is now faster than binary load time by 4.7%
when testing with a file_contexts file from the Android tree. Note
that the Android doesn't use monstrous regexs.

Times are the average of 3 runs.

BEFORE:
Text file allocs: 114803
Text file load time: 0.266101
Bin file allocs: 93073
Bin file load time: 0.248757667

AFTER:
Text file allocs: 103933
Text file load time: 0.236192667
Bin file allocs: 87645
Bin file load time: .247607333

THINGS TO DO:
1. What's arm performance like?
2. What interfaces to backends are busted by this (if any)?
3. Test Android Properties
4. Im pretty sure this breaks sefcontext_compile, fix.
5. Test with PCRE2 enabled.
6. Spell check this message!
7. Run checkpatch

Signed-off-by: William Roberts 
---
 libselinux/src/label.c  |   2 -
 libselinux/src/label_android_property.c |  22 ++---
 libselinux/src/label_file.c | 140 +++-
 libselinux/src/label_file.h |  66 +--
 libselinux/src/label_internal.h |   3 +-
 libselinux/src/label_support.c  |  79 --
 6 files changed, 172 insertions(+), 140 deletions(-)

diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index 963bfcb..d767b49 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -15,8 +15,6 @@
 #include "callbacks.h"
 #include "label_internal.h"
 
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-
 typedef int (*selabel_initfunc)(struct selabel_handle *rec,
const struct selinux_opt *opts,
unsigned nopts);
diff --git a/libselinux/src/label_android_property.c 
b/libselinux/src/label_android_property.c
index 290b438..2aac394 100644
--- a/libselinux/src/label_android_property.c
+++ b/libselinux/src/label_android_property.c
@@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
int pass, unsigned lineno)
 {
int items;
-   char *prop = NULL, *context = NULL;
+   union {
+   struct {
+   char *prop;
+   char *context;
+   };
+   char *array[2];
+   } found = { .array = { 0 } };
struct saved_data *data = (struct saved_data *)rec->data;
spec_t *spec_arr = data->spec_arr;
unsigned int nspec = data->nspec;
const char *errbuf = NULL;
 
-   items = read_spec_entries(line_buf, , 2, , );
+   items = read_spec_entries(line_buf, , ARRAY_SIZE(found.array), 
found.array);
if (items < 0) {
items = errno;
selinux_log(SELINUX_ERROR,
@@ -108,18 +114,14 @@ static int process_line(struct selabel_handle *rec,
selinux_log(SELINUX_ERROR,
"%s:  line %u is missing fields\n", path,
lineno);
-   free(prop);
errno = EINVAL;
return -1;
}
 
-   if (pass == 0) {
-   free(prop);
-   free(context);
-   } else if (pass == 1) {
+   if (pass == 1) {
/* On the second pass, process and store the specification in 
spec. */
-   spec_arr[nspec].property_key = prop;
-   spec_arr[nspec].lr.ctx_raw = context;
+   spec_arr[nspec].property_key = found.prop;
+   spec_arr[nspec].lr.ctx_raw = found.context;
 
if (rec->validating) {
if (selabel_validate(rec, _arr[nspec].lr) < 0) {
@@ -234,7 +236,7 @@ static void closef(struct selabel_handle *rec)
for (i = 0; i < data->nspec; i++) {
spec = >spec_arr[i];
free(spec->property_key);
-   free(spec->lr.ctx_raw);
+   //free(spec->lr.ctx_raw);
free(spec->lr.ctx_trans);
}
 
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 7156825..4dc440e 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -96,43 +96,64 @@ static int nodups_specs(struct saved_data *data, const char 
*path)
return rc;
 }
 
-static int process_text_file(FILE *fp, const char *prefix,
-struct selabel_handle *rec, const char *path)
+static inline struct saved_data *rec_to_data(struct selabel_handle *rec)
+{
+   return (struct saved_data *)rec->data;
+}
+
+static char *mmap_area_get_line(struct mmap_area *area)
+{
+   size_t len = area->next_len;
+   if (!len)
+   return NULL;
+
+   char *start = area->next_addr;
+   char *end = memchr(start, '\n', len);
+
+   /* the file may not end with a newline */
+   if (!end)
+   end = (char *)area->next_addr +

RE: [RFC] mmap file_contexts and property_contexts:

RE: [RFC] mmap file_contexts and property_contexts:

RE: [RFC] mmap file_contexts and property_contexts:

Re: [RFC] mmap file_contexts and property_contexts:

Re: [RFC] mmap file_contexts and property_contexts:

Re: [RFC] mmap file_contexts and property_contexts:

Re: [RFC] mmap file_contexts and property_contexts:

Re: [RFC] mmap file_contexts and property_contexts:

[RFC] mmap file_contexts and property_contexts:

9 matches

Site Navigation

Mail list logo

Footer information