From: Luca Boccassi Date: Fri, 10 Nov 2023 00:22:21 +0000 (+0000) Subject: executor: lazily load SELinux X-Git-Tag: v255-rc2~39^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=894288340f561865b6585935c9446abe7dd3af03;p=thirdparty%2Fsystemd.git executor: lazily load SELinux Loading the SELinux DB on every invocation can be slow and takes 2ms-10ms, so do not initialize it unconditionally, but wait for the first use. On a mkosi Fedora rawhide image, this cuts the number of loads in half. --- diff --git a/src/core/executor.c b/src/core/executor.c index 86fbaef3470..e07a6890743 100644 --- a/src/core/executor.c +++ b/src/core/executor.c @@ -199,10 +199,6 @@ int main(int argc, char *argv[]) { log_set_prohibit_ipc(true); log_setup(); - r = mac_init(); - if (r < 0) - return log_error_errno(r, "Failed to initialize MAC layer: %m"); - r = fdset_new_fill(/* filter_cloexec= */ 0, &fdset); if (r < 0) return log_error_errno(r, "Failed to create fd set: %m"); @@ -217,6 +213,13 @@ int main(int argc, char *argv[]) { log_open(); } + /* Initialize lazily. SMACK is just a few operations, but the SELinux is very slow as it requires + * loading the entire database in memory, so we will do it lazily only if it is actually needed, to + * avoid wasting 2ms-10ms for each sd-executor that gets spawned. */ + r = mac_init_lazy(); + if (r < 0) + return log_error_errno(r, "Failed to initialize MAC layer: %m"); + r = fdset_remove(fdset, fileno(arg_serialization)); if (r < 0) return log_error_errno(r, "Failed to remove serialization fd from fd set: %m");