From: "Ravi Kumar Siddojigari" <rsiddoji@codeaurora.org>
To: <selinux@vger.kernel.org>
Cc: "'Paul Moore'" <paul@paul-moore.com>,
	"'Stephen Smalley'" <sds@tycho.nsa.gov>
Subject: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.
Date: Wed, 18 Dec 2019 11:30:48 +0530
Message-ID: <002301d5b568$8149c7a0$83dd56e0$@codeaurora.org>

Updated the subject to reflect the change.

-----Original Message-----
From: selinux-owner@vger.kernel.org <selinux-owner@vger.kernel.org> On Behalf Of Ravi Kumar Siddojigari
Sent: Tuesday, December 17, 2019 8:42 PM
To: 'Paul Moore' <paul@paul-moore.com>
Cc: selinux@vger.kernel.org
Subject: RE: [PATCH] selinux: move pkey sid cache based retrieval under defconfig

Yes Paul, it should be under CONFIG_SECURITY_INFINIBAND; thanks for correcting this.
Hope we can take it forward, as all the targets with InfiniBand disabled can gain from it.
Please find the updated patch for review.

From 6a8c60eacd0b6e5189722bb1823864b6728c2e34 Mon Sep 17 00:00:00 2001
From: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Date: Wed, 11 Dec 2019 19:57:24 +0530
Subject: [PATCH] selinux: move ibpkeys code under CONFIG_SECURITY_INFINIBAND.

Move the cache-based pkey sid retrieval code, which was added with commit 409dcf31, under CONFIG_SECURITY_INFINIBAND,
as it's going to alloc a new cache which may impact low-RAM devices and which was enabled by default.

Change-Id: I80a13fb7bce8723c8c880cb77cbaee42db413a7a
Signed-off-by: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
---
 security/selinux/Makefile         | 4 +++-
 security/selinux/hooks.c          | 6 ++++++
 security/selinux/include/objsec.h | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/security/selinux/Makefile b/security/selinux/Makefile index c7161f8..bf67fc8 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -6,12 +6,14 @@
 obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
-	     netnode.o netport.o ibpkey.o exports.o \
+	     netnode.o netport.o exports.o \	
 	     ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
 	     ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/status.o
 
 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
+selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o
+
 selinux-$(CONFIG_NETLABEL) += netlabel.o
 
 ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
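Review bot: The added "netnode.o netport.o exports.o \" line in the selinux-y list has a tab after the continuation backslash, so the backslash is no longer the last character on the line and make will not join it with the "ss/ebitmap.o ..." line that follows; the ss/ lines are then no longer part of the selinux-y assignment. Strip the trailing whitespace so the line ends in the backslash. The new "selinux-$(CONFIG_SECURITY_INFINIBAND) += ibpkey.o" line itself follows the same pattern as the xfrm.o and netlabel.o lines around it.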
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index b1a9ac9..157faaf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -94,7 +94,11 @@
 #include "netif.h"
 #include "netnode.h"
 #include "netport.h"
+
+#ifdef CONFIG_SECURITY_INFINIBAND
 #include "ibpkey.h"
+#endif
+
 #include "xfrm.h"
 #include "netlabel.h"
 #include "audit.h"
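Review bot: The "#ifdef CONFIG_SECURITY_INFINIBAND" around the ibpkey.h include puts a config conditional into hooks.c where none is needed; keep the include unconditional and let ibpkey.h carry the conditional instead (real prototypes when the option is set, static inline stubs otherwise). The two blank lines added around the block also split the run of local includes and can be dropped.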
@@ -198,7 +202,9 @@ static int selinux_netcache_avc_callback(u32 event)  static int selinux_lsm_notifier_avc_callback(u32 event)  {
 	if (event == AVC_CALLBACK_RESET) {
+#ifdef CONFIG_SECURITY_INFINIBAND
 		sel_ib_pkey_flush();
+#endif
 		call_lsm_notifier(LSM_POLICY_CHANGE, NULL);
 	}
 
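Review bot: The #ifdef/#endif pair around "sel_ib_pkey_flush();" inside selinux_lsm_notifier_avc_callback() is the kind of in-function conditional that kernel coding style asks to avoid. Provide an empty static inline sel_ib_pkey_flush() stub in ibpkey.h for the case where CONFIG_SECURITY_INFINIBAND is not set and leave this call site unchanged, so the AVC_CALLBACK_RESET path reads the same in both configurations.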
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 4b0da5f..94e6322 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -149,11 +149,13 @@ struct ib_security_struct {
 	u32 sid;        /* SID of the queue pair or MAD agent */
 };
 
+#ifdef CONFIG_SECURITY_INFINIBAND
 struct pkey_security_struct {
 	u64	subnet_prefix; /* Port subnet prefix */
 	u16	pkey;	/* PKey number */
 	u32	sid;	/* SID of pkey */
 };
+#endif
 
 struct bpf_security_struct {
 	u32 sid;  /*SID of bpf obj creater*/
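Review bot: Guarding the "struct pkey_security_struct" definition with "#ifdef CONFIG_SECURITY_INFINIBAND" saves no memory, since a type definition in a header produces no code or data unless something uses it, and it adds a way to break the build if any code outside the conditional names the type. Drop this hunk and rely on the Makefile change to keep ibpkey.o out of the image.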
--
1.9.1


Regards,
Ravi


-----Original Message-----
From: selinux-owner@vger.kernel.org <selinux-owner@vger.kernel.org> On Behalf Of Paul Moore
Sent: Monday, December 16, 2019 7:56 PM
To: Ravi Kumar Siddojigari <rsiddoji@codeaurora.org>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] selinux: move pkey sid cache based retrieval under defconfig

On Mon, Dec 16, 2019 at 5:13 AM Ravi Kumar Siddojigari <rsiddoji@codeaurora.org> wrote:
> Hi Team,
> We see an increase in the memory consumption from 4.9 -> 4.19 kernel
> which is impacting the low_ram device.
> So thought of enabling only those that are really needed for such
> devices, where performance might not be on the priority list.
> One such patch is on the pkey sid cache, which was added with commit
> "409dcf31",
> which can be moved under defconfig where enabled by default and only
> disabled for low_ram targets.
> Which is going to save RAM/reduce slub usage.

Why not just reuse CONFIG_SECURITY_INFINIBAND?  I'm guessing these systems are using the SELinux/IB controls at all, so why not remove them completely?

--
paul moore
www.paul-moore.com
