forked from MarcoBuster/Magisk
cd6eca1dc2
For match-all-type rules (e.g. "allow magisk * * *" used in Magisk), we used to iterate and apply rules on all existing types. However, this is actually unnecessary as all selinux types should have at least 1 attributes assigned to it (process types "domain", file context types "file_type" etc.). This means in order to create rules that applies to all types, we actually only need to create rules for all attributes. This optimization SIGNIFICANTLY reduces the patched sepolicy that is loaded into the kernel when running Magisk. For example on Pixel 4 XL running Android R DP4, the sepolicy sizes are patched (before) : 3455948 patched (after) : 843176 stock : 630229 The active sepolicy size actually impacts the performance of every single operation in the operating system, because the larger the policies gets, the longer it takes for the kernel to lookup and match rules. |
||
|---|---|---|
| .. | ||
| magiskpolicy.cpp | ||
| policydb.cpp | ||
| rules.cpp | ||
| sepolicy.cpp | ||
| sepolicy.hpp | ||
| statement.cpp | ||