List: seandroid-list
Subject: Re: solved: ueventd fixup_sys_perms restorecon_recursive taking a long time
From: Nick Kralevich <nnk () google ! com>
Date: 2015-03-31 21:11:16
Message-ID: CAFJ0LnE-7SE4hrPzbXyGbPDzacRTXDpmEUPWtjPsP-HgOU-xMQ () mail ! gmail ! com
Reverting it feels like we'd be going the wrong direction. ueventd*rc
controls normal permissions, whereas /file_contexts controls file labeling.
It's non-intuitive to require editing both for the changes to take effect,
especially since init already does a restorecon_recursive("/sys") on boot
to get everything labeled correctly.

I'd love to see a warning, but like you, I can't figure out a generic way
to write it.

We don't need to take any action here. I just sent my e-mail for education
and because I thought it was an interesting bug.

-- Nick

On Tue, Mar 31, 2015 at 1:11 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > > substantially improved boot times, as it allowed the
> > > restorecon_recursive optimizations to be effective and avoids visiting
> > > unnecessary directories.
> >
> > Hmm...wonder if we could/should test for such problematic regexes in the
> > label_file backend and at least warn on them. Then when checkfc is run
> > as part of the policy build, they would get the warning (or error, if we
> > make it fatal). We'd only really need to impose it on /sys entries
> > though; hard to generalize it.
>
> The other option would be to revert that change (i.e. only restorecon
> files listed in uevent*.rc) and require adding entries to uevent*.rc for
> any files that need specific sysfs contexts at the same time they are
> added to file_contexts. Then we only use restorecon_recursive for the
> initial /sys restorecon, not on every fixup_sys_perms, although even
> there it would be better to avoid these kinds of regexes.
--
Nick Kralevich | Android Security | nnk@google.com | 650.214.4037