Hey Joe,

On 08/08/2015 02:00 PM, Joe MacDonald wrote:
> I'm sorry this has been in the merge queue for so long.

Better late than never :)

> I've merged it after taking the policy updates from Shrikant and a few
> other small patches that had been hanging around too. I didn't drop it
> on master yet, though, since I wanted to give everyone else a little bit
> of time to try it out (myself included, I'm finally able to come up for
> air on some of the day job things :-)). Instead it is currently living
> on the fs_label branch, but I rebased the patches on the current master
> HEAD commit. That means, though, that if you get a chance I'd like to
> take a look at the branch to ensure I didn't mangle your patch set too
> much.

Will do.

Philip

> [[meta-selinux][PATCHv2 0/8] Label file system in build.] On 15.06.17 (Wed 15:30) Philip Tricca wrote:
>
>> This is the second version of a patch series that allows the file system
>> of SELinux images to be labeled as part of the build process. This will
>> allow SELinux images to boot read only file systems and remove the need to
>> label the file system on first boot.
>>
>> To do this we must label the file system in the build as well as add
>> support for extended attributes to the mke2fs utility in the e2fsprogs
>> package. The first version of this patch series is here:
>> https://lists.yoctoproject.org/pipermail/yocto/2015-June/025141.html
>> The approach described in this previous RFC remains the same.
>>
>> Changes in v2:
>> This second version has two significant changes: First I've done a bunch
>> of cleanup. This includes work to make the descriptions in the patch
>> headers / commit messages more exact as well as combining some commits
>> with related functionality. Secondly I've reimplemented the xattr cache
>> so that it actually works.
>>
>> I've made the patch headers as descriptive as possible and kept the git
>> commit messages minimal. If the preference is for more verbose commit
>> messages I'm happy to oblige if advised.
>>
>> The cache is just a single linked list that's searched for duplicates after
>> the creation of each new xattr block. The previous implementation was similar
>> but, aside from not working properly, it was overly complex in its attempt to
>> keep the list sorted.
>>
>> Tests:
>> To test this new implementation I used the core-image-selinux-minimal image
>> from the unmodified master branch as a control. This image has 2536 unique
>> file system objects including the root fs directory. The ext4 file system
>> produced by the build has 71492 blocks with 13621 free.
>>
>> As an additional test I added the patches from this set WITHOUT the cache
>> patches. This causes each file system object with an associated extended
>> attribute to use up an additional block for the xattr. This should cause
>> (hypothesis) the output file system to have 13621 - 2536 = 11085 free
>> blocks. The build producing an ext4 file system with 71492 blocks and 11088
>> free. That's an additional 2533 blocks used instead of the 2536 expected.
>> These 3 missing xattr blocks can be accounted for in that there are 3
>> unlabeled files in the file system.
>>
>> Introducing the cache allows files with identical xattr blocks to share
>> them to reduce the number of used blocks. Since we're only storing SELinux
>> labels in the xattrs we can say that every file with the same SELinux label
>> should share an xattr block. Counting the unique SELinux labels on file
>> objects we know that there are 83 in total. The second hypothesis we have
>> to test then is that using the cache will reduce the number of used blocks
>> from 2533 down to 83.
>>
>> Applying the patch that enables the cache produces a third and final ext4
>> file system. This one again reports 71492 total blocks but this time 13538
>> free. This is 83 blocks fewer than the unlabeled file system from the
>> initial test as we expected. The code added by this patch set is also
>> instrumented to count the objects in the cache when they're freed. With
>> this debug output enabled it reports the same number of objects in the
>> cache.
>>
>> From the test results I'm pretty confident that the cache functions as
>> expected. It's still a very basic implementation but given the small
>> number of unique SELinux labels in the reference file systems it's
>> likely sufficient for a first version. Feedback / comments on both the
>> implementation and testing approach would be appreciated.
>>
>> Regards,
>> Philip
>> ----
>>
>> Philip Tricca (8):
>>   policycoreutils: Patch setfiles to add FTS_NOCHDIR to fts_flags.
>>   selinux-image: Add new image class to label the rootfs, use it for selinux images.
>>   e2fsprogs: Add bbappend and stub for xattr module.
>>   e2fsprogs: Insert calls to xattr module into mke2fs and build xattr code.
>>   e2fsprogs: Add xattr security prefix data to lib/ext2fs/ext2_ext_attr.h
>>   e2fsprogs: Copy xattr block from source file.
>>   e2fsprogs: Add stub functions for an xattr cache and struct to hold the header and block data.
>>   e2fsprogs: Implement xattr block cache with simple linked list.
>>
>>  classes/selinux-image.bbclass                      |   8 +
>>  ...ib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch |  20 ++
>>  .../misc-xattr-add-xattr-module-stub.patch         |  57 ++++
>>  .../misc-xattr-create-xattr-block-node.patch       | 175 +++++++++++
>>  .../e2fsprogs/misc-xattr-create-xattr-block.patch  | 341 +++++++++++++++++++++
>>  .../e2fsprogs/misc-xattr-create-xattr-cache.patch  | 181 +++++++++++
>>  .../mke2fs.c-create_inode.c-copy-xattrs.patch      | 164 ++++++++++
>>  .../e2fsprogs/e2fsprogs_1.42.9.bbappend            |  10 +
>>  .../images/core-image-selinux-minimal.bb           |   2 +-
>>  recipes-security/images/core-image-selinux.bb      |   2 +-
>>  .../policycoreutils-fts_flags-FTS_NOCHDIR.patch    |  25 ++
>>  recipes-security/selinux/policycoreutils_2.3.bb    |   1 +
>>  12 files changed, 984 insertions(+), 2 deletions(-)
>>  create mode 100644 classes/selinux-image.bbclass
>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/lib-ext2fs-ext2_ext_attr.h-add-xattr-index.patch
>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-add-xattr-module-stub.patch
>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block-node.patch
>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-block.patch
>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/misc-xattr-create-xattr-cache.patch
>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs/mke2fs.c-create_inode.c-copy-xattrs.patch
>>  create mode 100644 recipes-devtools/e2fsprogs/e2fsprogs_1.42.9.bbappend
>>  create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fts_flags-FTS_NOCHDIR.patch
>> --

_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
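The quoted cover letter describes the xattr block cache as a singly linked list that is searched for a duplicate after each new xattr block is built, so that every inode carrying the same SELinux label shares one block, and it checks the result with block arithmetic (13621 free blocks minus 2533 labeled objects without the cache, minus 83 unique labels with it). The following is an added model of that design, written for this thread; it is not code from the patch set or from e2fsprogs. All struct and function names are this example's own, and the labels it feeds in are constructed (`type_N_t` placeholders), chosen only so that the counts reproduce the numbers in the letter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not e2fsprogs code: one node per distinct xattr block.
 * The on-disk analogue of nrefs is the reference count in the shared
 * block's header; here it only shows how many inodes share the block. */
struct xattr_block {
    char name[32];                 /* attribute name, e.g. "security.selinux" */
    char value[128];               /* attribute value, i.e. the SELinux label */
    size_t nrefs;                  /* inodes pointing at this block */
    struct xattr_block *next;      /* next cached block, or NULL */
};

struct xattr_cache {
    struct xattr_block *head;      /* unsorted singly linked list */
    size_t nblocks;                /* blocks that would be allocated on disk */
    int enabled;                   /* 0 models the series without the cache patch */
};

static void cache_init(struct xattr_cache *c, int enabled)
{
    c->head = NULL;
    c->nblocks = 0;
    c->enabled = enabled;
}

/* Linear search for a block with an identical name/value pair. Content, not
 * pointer identity, decides whether two blocks can be shared. */
static struct xattr_block *cache_find(struct xattr_cache *c,
                                      const char *name, const char *value)
{
    struct xattr_block *b;
    for (b = c->head; b != NULL; b = b->next)
        if (strcmp(b->name, name) == 0 && strcmp(b->value, value) == 0)
            return b;
    return NULL;
}

/* Give one inode an xattr block: reuse a cached identical block when the
 * cache is enabled, otherwise (or on a miss) allocate a fresh one. */
struct xattr_block *cache_label(struct xattr_cache *c,
                                const char *name, const char *value)
{
    struct xattr_block *b = c->enabled ? cache_find(c, name, value) : NULL;
    if (b != NULL) {
        b->nrefs++;                /* shared: costs no additional disk block */
        return b;
    }
    b = calloc(1, sizeof *b);
    if (b == NULL) { perror("calloc"); exit(1); }
    snprintf(b->name, sizeof b->name, "%s", name);
    snprintf(b->value, sizeof b->value, "%s", value);
    b->nrefs = 1;
    b->next = c->head;             /* push on the front; order is irrelevant */
    c->head = b;
    c->nblocks++;
    return b;
}

/* Free every node and return how many there were, mirroring the debug
 * counter the cover letter says is printed when the cache is torn down. */
size_t cache_free(struct xattr_cache *c)
{
    size_t n = 0;
    while (c->head != NULL) {
        struct xattr_block *b = c->head;
        c->head = b->next;
        free(b);
        n++;
    }
    c->nblocks = 0;
    return n;
}

/* Label nfiles inodes with nlabels distinct constructed labels and return
 * the number of xattr blocks the file system would need. */
size_t simulate_labeling(size_t nfiles, size_t nlabels, int use_cache)
{
    struct xattr_cache c;
    char label[128];
    size_t i, used;

    if (nlabels == 0)
        return 0;                  /* nothing to label */
    cache_init(&c, use_cache);
    for (i = 0; i < nfiles; i++) {
        /* constructed placeholder label: file i takes label i mod nlabels */
        snprintf(label, sizeof label, "system_u:object_r:type_%zu_t:s0", i % nlabels);
        cache_label(&c, "security.selinux", label);
    }
    used = c.nblocks;
    if (cache_free(&c) != used) { fprintf(stderr, "cache count mismatch\n"); exit(1); }
    return used;
}

/* Free-block arithmetic from the cover letter's tests. */
long free_blocks_after(long free_before, size_t xattr_blocks)
{
    return free_before - (long)xattr_blocks;
}

int main(void)
{
    /* Figures quoted from the cover letter: 13621 free blocks before
     * labeling, 2533 labeled objects, 83 unique SELinux labels. */
    size_t no_cache = simulate_labeling(2533, 83, 0);
    size_t with_cache = simulate_labeling(2533, 83, 1);
    printf("without cache: %zu xattr blocks, %ld free\n", no_cache, free_blocks_after(13621, no_cache));
    printf("with cache:    %zu xattr blocks, %ld free\n", with_cache, free_blocks_after(13621, with_cache));
    return 0;
}
```

Run as written it reports 2533 blocks and 11088 free without the cache, and 83 blocks and 13538 free with it, the same two figures the letter's second and third builds produced. The lookup is a linear scan over the list, which is cheap at 83 entries but grows with the number of distinct labels; the freed-node count doubling as a consistency check is the same idea as the letter's instrumented teardown, and is worth keeping in any dedup cache because a miscount there means blocks are being shared or leaked silently.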