From 4cae28d43c32d66a343d7efe5677495855970a90 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 11 Feb 2017 22:01:58 -0800
Subject: [PATCH] tracefs: avoid overly generic regexes

On boot, Android runs restorecon on a number of virtual directories,
such as /sys and /sys/kernel/debug, to ensure that the SELinux labels
are correct. To avoid causing excessive boot time delays, the restorecon
code aggressively prunes directories, to avoid recursing down directory
trees which will never have a matching SELinux label.

See:
* https://android-review.googlesource.com/93401
* https://android-review.googlesource.com/109103

The key to this optimization is avoiding unnecessarily broad regular
expressions in file_contexts. If an overly broad regex exists, the tree
pruning code is ineffective, and the restorecon ends up visiting lots of
unnecessary directories.

The directory /sys/kernel/debug/tracing contains approximately 4500
files normally, and on debuggable builds, this number can jump to over
9000 files when the processing from wifi-events.rc occurs. For
comparison, the entire /sys/kernel/debug tree (excluding
/sys/kernel/debug/tracing) only contains approximately 8000 files. The
regular expression "/sys/kernel(/debug)?/tracing/(.*)?" ends up matching
a significant number of files, which impacts boot performance.

Instead of using an overly broad regex, refine the regex so only the
files needed have an entry in file_contexts. This list of files is
essentially a duplicate of the entries in
frameworks/native/cmds/atrace/atrace.rc .

This change reduces the restorecon_recursive call for /sys/kernel/debug
from approximately 260ms to 40ms, a boot time reduction of approximately
220ms.

Bug: 35248779
Test: device boots, no SELinux denials, faster boot.
Change-Id: I70f8af102762ec0180546b05fcf014c097135f3e
---
 private/file_contexts | 39 +++++++++++++++++++++++++++++++++------
 private/shell.te      |  3 ++-
 public/file.te        |  1 +
 public/init.te        |  2 +-
 4 files changed, 37 insertions(+), 8 deletions(-)

diff --git a/private/file_contexts b/private/file_contexts
index 71f1586f6..812ae5a10 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -445,12 +445,39 @@
 # debugfs files
 #
 /sys/kernel/debug/mmc0(/.*)?                            u:object_r:debugfs_mmc:s0
-/sys/kernel(/debug)?/tracing/(.*)?			u:object_r:debugfs_tracing:s0
-/sys/kernel(/debug)?/tracing/trace_marker		u:object_r:debugfs_trace_marker:s0
-/sys/kernel(/debug)?/tracing/instances(/.*)?		u:object_r:debugfs_tracing_instances:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer	u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/trace	u:object_r:debugfs_wifi_tracing:s0
-/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on	u:object_r:debugfs_wifi_tracing:s0
+
+#############################
+# tracefs files
+#
+/sys/kernel(/debug)?/tracing/buffer_size_kb                                         u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_locked/enable                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_lock/enable                       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction/enable                u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_transaction_received/enable       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/binder/binder_unlock/enable                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/cpufreq_interactive/enable                      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/clock_set_rate/enable                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency/enable                      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_frequency_limits/enable               u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/power/cpu_idle/enable                           u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_blocked_reason/enable               u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_cpu_hotplug/enable                  u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_switch/enable                       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/sched/sched_wakeup/enable                       u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/enable    u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_direct_reclaim_end/enable      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_sleep/enable            u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/events/vmscan/mm_vmscan_kswapd_wake/enable             u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/instances(/.*)?                                        u:object_r:debugfs_tracing_instances:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/free_buffer                             u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/trace                                   u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/instances/wifi/tracing_on                              u:object_r:debugfs_wifi_tracing:s0
+/sys/kernel(/debug)?/tracing/options/overwrite                                      u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/options/print-tgid                                     u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace                                                  u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_clock                                            u:object_r:tracing_shell_writable:s0
+/sys/kernel(/debug)?/tracing/trace_marker                                           u:object_r:debugfs_trace_marker:s0
+/sys/kernel(/debug)?/tracing/tracing_on                                             u:object_r:tracing_shell_writable:s0
 
 #############################
 # asec containers
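Review bot: Nothing in the new tracefs block records that this list has to track frameworks/native/cmds/atrace/atrace.rc, which the commit message names as its source; a node added there without an entry here keeps whatever default label it has, and with the shell.te change in this patch shell will presumably be denied write on it. I would add a line under `# tracefs files`, e.g. `# Keep in sync with frameworks/native/cmds/atrace/atrace.rc; only nodes listed here are writable by shell.` Also, with the `tracing/(.*)?` entry removed, no line in this hunk assigns debugfs_tracing any more, so the debugfs_tracing rules kept in shell.te depend on that label coming from somewhere not visible here (presumably genfs_contexts); worth confirming on a device with `ls -Z`.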
diff --git a/private/shell.te b/private/shell.te
index 333265f8b..1e779645a 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,6 +1,7 @@
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_tracing:file r_file_perms;
+allow shell tracing_shell_writable:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;
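Review bot: The `# systrace support` comment no longer explains the two file rules below it: shell now reads debugfs_tracing files but writes only tracing_shell_writable ones. A comment such as `# atrace may write only the tracefs nodes labeled tracing_shell_writable in file_contexts; all other tracing files are read-only to shell` would keep a later editor from widening the first rule back to rw_file_perms. Since the Test line covers boot only, it would also be worth running each atrace category once and checking for avc denials on nodes missing from the list.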
 
diff --git a/public/file.te b/public/file.te
index d279748bf..cd646f51f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -65,6 +65,7 @@ type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
 type debugfs_tracing, fs_type, debugfs_type;
 type debugfs_tracing_instances, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type;
+type tracing_shell_writable, fs_type, debugfs_type;
 type pstorefs, fs_type;
 type functionfs, fs_type, mlstrustedobject;
 type oemfs, fs_type, contextmount_type;
diff --git a/public/init.te b/public/init.te
index fe7289439..a65bf2cbc 100644
--- a/public/init.te
+++ b/public/init.te
@@ -184,7 +184,7 @@ allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;
 
 # Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
+allow init tracing_shell_writable:file w_file_perms;
 
 userdebug_or_eng(`
   # Setup and control wifi event tracing (see wifi-events.rc)
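Review bot: The comment above the changed rule still names only /sys/kernel/debug/tracing/tracing_on, but the rule grants init write on every file labeled tracing_shell_writable, which per the file_contexts hunk in this patch includes buffer_size_kb, trace and the event enable nodes. That is narrower than the old debugfs_tracing grant, yet wider than the comment states, and the type name mentions only shell. Either say so in the comment, e.g. `# tracing_on shares the tracing_shell_writable label with the other atrace control nodes`, or give tracing_on its own type if init should write nothing else. The userdebug_or_eng block that follows continues outside the hunk.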
-- 
GitLab