From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org,
gregkh@linuxfoundation.org, jeffv@google.com,
omosnace@redhat.com, paul@paul-moore.com,
stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 3/9] SELinux: Expose AVC sizing tunables via Kconfig
Date: Wed, 8 Apr 2020 14:24:10 -0400 [thread overview]
Message-ID: <20200408182416.30995-4-siarhei.liakh@concurrent-rt.com> (raw)
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
From: Siarhei Liakh <siarhei.liakh@concurrent-rt.com>
This change exposes previously hardcoded AVC sizing tunables via Kconfig,
which provides a more convenient tuning mechanism for downstream distributions.
Default sizing is not affected.
Signed-off-by: Siarhei Liakh <siarhei.liakh@concurrent-rt.com>
---
Please CC me directly in all replies.
security/selinux/Kconfig | 32 ++++++++++++++++++++++++++++++++
security/selinux/avc.c | 6 +++---
2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 4b5c9fa510a1..3a736a1c6806 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -79,6 +79,38 @@ config SECURITY_SELINUX_AVC_STATS
/sys/fs/selinux/avc/cache_stats, which may be monitored via
tools such as avcstat.
+config SECURITY_SELINUX_AVC_DEF_THRESHOLD
+ int "Default value for AVC reclamation threshold"
+ depends on SECURITY_SELINUX
+ range 64 1048576
+ default "512"
+ help
+ Reclamation threshold effectively sets a limit on AVC size.
+ Increasing this number could improve performance of busy
+ systems with lots of complex policies. Threshold value can
+ also be changed at run-time via selinuxfs.
+
+config SECURITY_SELINUX_AVC_HASH_BITS
+ int "Number of slots (buckets) for AVC hash table, expressed as number of bits (i.e. 2^n)"
+ depends on SECURITY_SELINUX
+ range 1 32
+ default "9"
+ help
+ This is a power of 2 representing the number of slots (buckets)
+ used for AVC hash table. Smaller value reduces memory footprint
+ at price of hash table lookup efficiency.
+
+config SECURITY_SELINUX_AVC_RECLAIM_COUNT
+ int "Number of AVC entries to reclaim in a single cycle"
+ depends on SECURITY_SELINUX
+ range 1 SECURITY_SELINUX_AVC_DEF_THRESHOLD
+ default "16"
+ help
+ A single reclamation cycle will evict this many AVC entries
+ from the cache. Small values may require multiple reclamation
+ cycles to bring AVC size under the threshold. Large values may
+ cause excessive latency of reclamation events.
+
config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b5893621290b..80af3d1f31fd 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,9 +31,9 @@
#include "avc_ss.h"
#include "classmap.h"
-#define AVC_CACHE_SLOTS 512
-#define AVC_DEF_CACHE_THRESHOLD 512
-#define AVC_CACHE_RECLAIM 16
+#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)
+#define AVC_DEF_CACHE_THRESHOLD CONFIG_SECURITY_SELINUX_AVC_DEF_THRESHOLD
+#define AVC_CACHE_RECLAIM CONFIG_SECURITY_SELINUX_AVC_RECLAIM_COUNT
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
#define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field)
--
2.17.1
next prev parent reply other threads:[~2020-04-08 18:24 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-08 18:24 [PATCH 0/9] SELinux: Improve hash functions and sizing of hash tables siarhei.liakh
2020-04-08 18:24 ` [PATCH 1/9] SELinux: Introduce "Advanced Hashing" Kconfig option siarhei.liakh
2020-04-08 18:24 ` [PATCH 2/9] SELinux: Use Bob Jenkins' lookup3 hash in AVC siarhei.liakh
2020-04-08 18:24 ` siarhei.liakh [this message]
2020-04-08 18:24 ` [PATCH 4/9] SELinux: Replace custom hash in avtab with generic lookup3 from the library siarhei.liakh
2020-04-14 10:58 ` Ondrej Mosnacek
2020-04-14 13:44 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 5/9] SELinux: Expose AVTab sizing tunables via Kconfig siarhei.liakh
2020-04-08 18:24 ` [PATCH 6/9] SELinux: Replace custom hash with generic lookup3 in policydb siarhei.liakh
2020-04-08 18:24 ` [PATCH 7/9] SELinux: Expose filename_tr hash table sizing via Kconfig siarhei.liakh
2020-04-14 10:54 ` Ondrej Mosnacek
2020-04-14 13:39 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 8/9] SELinux: Replace custom hash with generic lookup3 in symtab siarhei.liakh
2020-04-14 11:06 ` Ondrej Mosnacek
2020-04-14 14:03 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 9/9] SELinux: Expose netport hash table sizing via Kconfig siarhei.liakh
2020-04-09 13:41 ` [PATCH 0/9] SELinux: Improve hash functions and sizing of hash tables Paul Moore
2020-04-13 20:43 ` Siarhei Liakh
2020-04-14 21:50 ` Paul Moore
2020-05-05 13:35 ` Siarhei Liakh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200408182416.30995-4-siarhei.liakh@concurrent-rt.com \
--to=siarhei.liakh@concurrent-rt.com \
--cc=colin.king@canonical.com \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=jeffv@google.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.