Since 30b3e9d2 (libselinux: Workaround for heap overhead of pcre,
2023-01-12), performance of PCRE2 matches has been affected due to
excesive recreation of the match_data in an attempt to reduce memory
utilization; instead of a workaround, it would be better to address
the problem and maybe even improve performance in the process.
The issue is that currently the structure that holds PCRE state has
both a pcre2_code (which is per pattern) and a pcre2_match_data (which
is per match), forcing us to add a mutex to prevent multiple matches to
step on each other.
Lets remove the match_data and the mutex and instead allocate one once
in a thread independent way that could be used and reused, by extending
our pthread interface to not only store TLS variables but also retrieve
them, and then use one of those.
Since we are not interested on the capture groups (if any) lets only
allocate 1 pair which is all that will be needed and change the logic
so that a return of 0 (which means the pattern matched but there were
not enough capture spots) is also considered a match.
This will ensure that the memory use would be bound to the number of
concurrent matches instead of the number of patterns and therefore
reduce the impact that recent changes on the way that the frames used
for matching are allocated might had brough since 10.41 was released.
For cases where threads are not available, just keep it working in slow
mode as done before the workaround was reverted.
Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
cherry picked from:
https://patchwork.kernel.org/project/selinux/patch/20230123014047.84911-3-carenas@gmail.com/
Bug: 262469329
Test: atest MicrodroidBenchmarkApp
Change-Id: I3207c6dd2a215f81699aa62e8fcdf65c745bae72
Do not remove the runtime directory /run/setrans/, which is the parent
for the security context translation socket .setrans-unix, when the
service is stopped, so the path can not be taken over by a foreign
program, which could lead to a compromise of the context translation of
libselinux.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Enables processes with :IsolatedComputeApp set to be selected by seapp contexts with isIsolatedComputeApp selector.
Bug: 265540209
Bug: 265746493
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: I44f33bdd17454586708cbff2631ecd6725e53087
This is to workaround a regression on peak memory usage, due to a
behavior change of pcre2. With this patch, peak memory usage decreases
for about 4 MB.
Also verified with microdroid benchmarks that the runtime impact is
negligible.
Before this patch:
testMicrodroidBootTime[protectedVm=false]:
avf_perf/microdroid/boot_time_average_ms: 1072.2437260666668
avf_perf/microdroid/boot_time_max_ms: 1153.957195
avf_perf/microdroid/boot_time_min_ms: 987.760254
avf_perf/microdroid/boot_time_stdev_ms: 43.715968392943445
testMicrodroidBootTime[protectedVm=true]:
avf_perf/microdroid/boot_time_average_ms: 1318.7790113333335
avf_perf/microdroid/boot_time_max_ms: 1367.490967
avf_perf/microdroid/boot_time_min_ms: 1239.080486
avf_perf/microdroid/boot_time_stdev_ms: 33.82832311810135
After this patch:
testMicrodroidBootTime[protectedVm=false]:
avf_perf/microdroid/boot_time_average_ms: 1074.9152321333336
avf_perf/microdroid/boot_time_max_ms: 1172.233481
avf_perf/microdroid/boot_time_min_ms: 971.020793
avf_perf/microdroid/boot_time_stdev_ms: 45.3782260524823
testMicrodroidBootTime[protectedVm=true]:
avf_perf/microdroid/boot_time_average_ms: 1286.4607849333333
avf_perf/microdroid/boot_time_max_ms: 1380.643678
avf_perf/microdroid/boot_time_min_ms: 1209.573649
avf_perf/microdroid/boot_time_stdev_ms: 44.44544241596637
Bug: 262469329
Test: atest MicrodroidBenchmarks
Test: run device boot time test
Change-Id: Ifc1be381255c263638ea262b995bc06fa3c7bdcc
pcre's behavior is changed so that pcre2_match always allocates heap for
match_data, rather than stack, regardless of size. The heap isn't freed
until explicitly calling pcre2_match_data_free. This new behavior may
result in heap overhead, which may increase the peak memory usage about
a few megabytes. It's because regex_match is first called for regex_data
objects, and then regex_data objects are freed at once.
To workaround it, free match_data as soon as we call regex_match. It's
fine because libselinux currently doesn't use match_data, but use only
the return value.
Signed-off-by: Inseob Kim <inseob@google.com>
Acked-by: Jason Zaman <jason@perfinion.com>
get_bools should return a list of booleans that can affect given type,
but it did not handle non trivial conditional statements properly
(returning the whole conditional statement instead of a list of booleans
in the statement).
e.g. for
allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True
get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of
[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)]
- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest
it can contain multiple values and make sure it is populated correctly
- add "conditional" key to the rule dictionary to accommodate
get_conditionals, which requires the whole conditional statement
- extend get_bools search to dontaudit rules so that it covers booleans
like httpd_dontaudit_search_dirs
Note: get_bools uses security_get_boolean_active to get the boolean
value, but the value is later used to represent the default.
Not ideal, but I'm not aware of a way to get the actual defaults.
Fixes:
"sepolicy manpage" generates man pages that are missing booleans
which are included in non trivial conditional expressions
e.g. httpd_selinux(8) does not include httpd_can_check_spam,
httpd_tmp_exec, httpd_unified, or httpd_use_gpg
This fix, however, also adds some not strictly related booleans
to some man pages. e.g. use_nfs_home_dirs and
use_samba_home_dirs are added to httpd_selinux(8)
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Jason Zaman <jason@perfinion.com>
Do not write class definitions for classes without any permission and
any inherited common class. The classes are already declared in
write_class_decl_rules_to_conf(). Skipping those empty definitions,
which are equal to the corresponding class declarations, will enable to
parse the generated policy conf file with checkpolicy, as checkpolicy
does not accept class declarations after initial sid declarations.
This will enable simple round-trip tests with checkpolicy.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
Found by codespell(1) and typos[1].
[1]: https://github.com/crate-ci/typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
The kernel does not support type attributes as source or target in type
av rules (type_transition, type_member, type_change)[1]. Such rules
should have been expanded[2].
[1]: abe3c63144/security/selinux/ss/services.c (L1843)
[2]: 0a8c177dac/libsepol/src/expand.c (L1981)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
In load_checks(), add return check for malloc() to avoid NULL reference.
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
When installing to a destdir with pip install --prefix= --root=, pip tries to
uninstall the existing root-owned package and fails
Fixes:
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/python/sepolicy
Preparing metadata (setup.py) ... done
Building wheels for collected packages: sepolicy
Building wheel for sepolicy (setup.py) ... done
Created wheel for sepolicy: filename=sepolicy-3.4-py3-none-any.whl size=1663564 sha256=229546db123e7d84613d190d49c192291b1a4f7f2a037657b39283b04ac391a4
Stored in directory: /tmp/pip-ephem-wheel-cache-50r2x4cn/wheels/b2/9e/63/6a6212a84d65a709923228719d065ed34e66a90c7fed01e8cf
Successfully built sepolicy
Installing collected packages: sepolicy
Attempting uninstall: sepolicy
Found existing installation: sepolicy 3.4
Uninstalling sepolicy-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: 'generate.py'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
When the python bindings are installed to a destdir with pip install
--prefix= --root=, pip tries to uninstall the existing root-owned
package and fails
Fixes:
running build_ext
python3 -m pip install --prefix=/usr `test -n "/tmp/selinux-release//build-master" && echo --root /tmp/selinux-release//build-master` .
Processing /tmp/selinux-release/selinux-master/libselinux/src
Preparing metadata (setup.py) ... done
Building wheels for collected packages: selinux
Building wheel for selinux (setup.py) ... done
Created wheel for selinux: filename=selinux-3.4-cp310-cp310-linux_x86_64.whl size=725511 sha256=b35e9cdb2a6efce389eeece45446826b4ac6b41f81fdc128893f947036f27e8e
Stored in directory: /tmp/pip-ephem-wheel-cache-kemjh99e/wheels/ca/2d/1e/d1ab52426d9add92931471cfa0d2558bcbeed89084af2388c9
Successfully built selinux
Installing collected packages: selinux
Attempting uninstall: selinux
Found existing installation: selinux 3.4
Uninstalling selinux-3.4:
ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: '__init__.cpython-310.pyc'
Consider using the `--user` option or check the permissions.
Signed-off-by: Jason Zaman <jason@perfinion.com>
Acked-by: Petr Lautrbach <lautrbach@redhat.com>
Fixes:
/usr/lib/python3.11/site-packages/setuptools/command/install.py:34: SetuptoolsDeprecationWarning: setup.py install is deprecated. Use build and pip and other standards-based tools.
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Since commit 7494bb1298 ("sepolicy: generate man pages in parallel")
man pages are generated in parallel and there's a race between
os.path.exists() and os.makedirs().
The check os.path.exists() is not necessary when os.makedirs() is called
with exist_ok=True.
Fixes:
/usr/bin/sepolicy manpage -a -p /__w/usr/share/man/man8/ -w -r /__w/
FileExistsError: [Errno 17] File exists: '/__w/usr/share/man/man8/'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Commit c08cf24f39 ("python: Remove dependency on the Python module
distutils") replace usage of distutils.sysconfig by sysconfig but it was
forgotten on the fact that the later provide a different api.
Fixes:
self.code_path = sysconfig.get_python_lib(plat_specific=False) + "/sepolicy/"
^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'sysconfig' has no attribute 'get_python_lib'
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Add return check for regex_data_create() to avoid NULL reference of regex_data
(gdb) bt
#0 0x00007fbde5caec14 in pthread_mutex_init () from /usr/lib64/libc.so.6
#1 0x00007fbde5e3a489 in regex_data_create () at regex.c:260
#2 0x00007fbde5e3a4af in regex_prepare_data (regex=regex@entry=0x7fbde4613770, pattern_string=pattern_string@entry=0x563c6799a820 "^/home$", errordata=errordata@entry=0x7ffeb83fa950) at regex.c:76
#3 0x00007fbde5e32fe6 in compile_regex (errbuf=0x0, spec=0x7fbde4613748) at label_file.h:407
#4 lookup_all (key=0x563c679974e5 "/var/log/kadmind.log", type=<optimized out>, partial=partial@entry=false, match_count=match_count@entry=0x0, rec=<optimized out>, rec=<optimized out>)
at label_file.c:949
#5 0x00007fbde5e33350 in lookup (rec=<optimized out>, key=<optimized out>, type=<optimized out>) at label_file.c:1092
#6 0x00007fbde5e31878 in selabel_lookup_common (rec=0x563c67998cc0, translating=1, key=<optimized out>, type=<optimized out>) at label.c:167
Signed-off-by: Jie Lu <lujie54@huawei.com>
Acked-by: James Carter <jwcart2@gmail.com>
