AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
c3a276111e
kernel_optimize_test/security/selinux/ss
History
Ondrej Mosnacek c3a276111e selinux: optimize storage of filename transitions 
In these rules, each rule with the same (target type, target class,
filename) values is (in practice) always mapped to the same result type.
Therefore, it is much more efficient to group the rules by (ttype,
tclass, filename).

Thus, this patch drops the stype field from the key and changes the
datum to be a linked list of one or more structures that contain a
result type and an ebitmap of source types that map the given target to
the given result type under the given filename. The size of the hash
table is also incremented to 2048 to be more optimal for Fedora policy
(which currently has ~2500 unique (ttype, tclass, filename) tuples,
regardless of whether the 'unconfined' module is enabled).

Not only does this dramtically reduce memory usage when the policy
contains a lot of unconfined domains (ergo a lot of filename based
transitions), but it also slightly reduces memory usage of strongly
confined policies (modeled on Fedora policy with 'unconfined' module
disabled) and significantly reduces lookup times of these rules on
Fedora (roughly matches the performance of the rhashtable conversion
patch [1] posted recently to selinux@vger.kernel.org).

An obvious next step is to change binary policy format to match this
layout, so that disk space is also saved. However, since that requires
more work (including matching userspace changes) and this patch is
already beneficial on its own, I'm posting it separately.

Performance/memory usage comparison:

Kernel           | Policy load | Policy load   | Mem usage | Mem usage     | openbench
                 |             | (-unconfined) |           | (-unconfined) | (createfiles)
-----------------|-------------|---------------|-----------|---------------|--------------
reference        |       1,30s |         0,91s |      90MB |          77MB | 55 us/file
rhashtable patch |       0.98s |         0,85s |      85MB |          75MB | 38 us/file
this patch       |       0,95s |         0,87s |      75MB |          75MB | 40 us/file

(Memory usage is measured after boot. With SELinux disabled the memory
usage was ~60MB on the same system.)

[1] https://lore.kernel.org/selinux/20200116213937.77795-1-dev@lynxeye.de/T/

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2020-02-22 11:22:32 -05:00
..
avtab.c selinux: convert to kvmalloc 2019-03-12 10:04:02 -07:00
avtab.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
conditional.c selinux: generalize evaluate_cond_node() 2020-02-11 21:50:26 -05:00
conditional.h selinux: generalize evaluate_cond_node() 2020-02-11 21:50:26 -05:00
constraint.h
context.h selinux: sidtab reverse lookup hash table 2019-12-09 16:14:51 -05:00
ebitmap.c selinux: default_range glblub implementation 2019-10-07 19:01:35 -04:00
ebitmap.h selinux: default_range glblub implementation 2019-10-07 19:01:35 -04:00
hashtab.c
hashtab.h
mls_types.h
mls.c selinux: default_range glblub implementation 2019-10-07 19:01:35 -04:00
mls.h
policydb.c selinux: optimize storage of filename transitions 2020-02-22 11:22:32 -05:00
policydb.h selinux: optimize storage of filename transitions 2020-02-22 11:22:32 -05:00
services.c selinux: optimize storage of filename transitions 2020-02-22 11:22:32 -05:00
services.h selinux: move status variables out of selinux_ss 2020-02-10 10:49:01 -05:00
sidtab.c selinux: cache the SID -> context string translation 2019-12-09 16:14:51 -05:00
sidtab.h selinux: cache the SID -> context string translation 2019-12-09 16:14:51 -05:00
symtab.c
symtab.h