From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org,
gregkh@linuxfoundation.org, jeffv@google.com,
omosnace@redhat.com, paul@paul-moore.com,
stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 7/9] SELinux: Expose filename_tr hash table sizing via Kconfig
Date: Wed, 8 Apr 2020 14:24:14 -0400 [thread overview]
Message-ID: <20200408182416.30995-8-siarhei.liakh@concurrent-rt.com> (raw)
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
From: Siarhei Liakh <siarhei.liakh@concurrent-rt.com>
This change exposes previously hardcoded filename_tr sizing via Kconfig,
which provides a more convenient tuning mechanism for downstream distributions.
Default sizing is not affected.
Signed-off-by: Siarhei Liakh <siarhei.liakh@concurrent-rt.com>
---
Please CC me directly in all replies.
security/selinux/Kconfig | 10 ++++++++++
security/selinux/ss/policydb.c | 3 ++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index b7ced53ffd76..23ec741b1ce6 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -123,6 +123,16 @@ config SECURITY_SELINUX_AVTAB_HASH_BITS
footprint at price of hash table lookup efficiency. One bucket
per 10 to 100 rules is reasonable.
+config SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS
+ int "Number of slots (buckets) for File Transitions hash table, expressed as number of bits (i.e. 2^n)"
+ depends on SECURITY_SELINUX
+ range 1 32
+ default "11"
+ help
+ This is a power of 2 representing the number of slots (buckets)
+ used for File Transitions hash table. Smaller value reduces memory
+ footprint at price of hash table lookup efficiency.
+
config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 0d03036ca20d..f2d809dffb25 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -496,7 +496,8 @@ static int policydb_init(struct policydb *p)
cond_policydb_init(p);
p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp,
- (1 << 11));
+ (1 << CONFIG_SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS));
+
if (!p->filename_trans)
return -ENOMEM;
--
2.17.1
next prev parent reply other threads:[~2020-04-08 18:24 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-08 18:24 [PATCH 0/9] SELinux: Improve hash functions and sizing of hash tables siarhei.liakh
2020-04-08 18:24 ` [PATCH 1/9] SELinux: Introduce "Advanced Hashing" Kconfig option siarhei.liakh
2020-04-08 18:24 ` [PATCH 2/9] SELinux: Use Bob Jenkins' lookup3 hash in AVC siarhei.liakh
2020-04-08 18:24 ` [PATCH 3/9] SELinux: Expose AVC sizing tunables via Kconfig siarhei.liakh
2020-04-08 18:24 ` [PATCH 4/9] SELinux: Replace custom hash in avtab with generic lookup3 from the library siarhei.liakh
2020-04-14 10:58 ` Ondrej Mosnacek
2020-04-14 13:44 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 5/9] SELinux: Expose AVTab sizing tunables via Kconfig siarhei.liakh
2020-04-08 18:24 ` [PATCH 6/9] SELinux: Replace custom hash with generic lookup3 in policydb siarhei.liakh
2020-04-08 18:24 ` siarhei.liakh [this message]
2020-04-14 10:54 ` [PATCH 7/9] SELinux: Expose filename_tr hash table sizing via Kconfig Ondrej Mosnacek
2020-04-14 13:39 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 8/9] SELinux: Replace custom hash with generic lookup3 in symtab siarhei.liakh
2020-04-14 11:06 ` Ondrej Mosnacek
2020-04-14 14:03 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 9/9] SELinux: Expose netport hash table sizing via Kconfig siarhei.liakh
2020-04-09 13:41 ` [PATCH 0/9] SELinux: Improve hash functions and sizing of hash tables Paul Moore
2020-04-13 20:43 ` Siarhei Liakh
2020-04-14 21:50 ` Paul Moore
2020-05-05 13:35 ` Siarhei Liakh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200408182416.30995-8-siarhei.liakh@concurrent-rt.com \
--to=siarhei.liakh@concurrent-rt.com \
--cc=colin.king@canonical.com \
--cc=eparis@parisplace.org \
--cc=gregkh@linuxfoundation.org \
--cc=jeffv@google.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.