From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org,
gregkh@linuxfoundation.org, jeffv@google.com,
omosnace@redhat.com, paul@paul-moore.com,
stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 0/9] SELinux: Improve hash functions and sizing of hash tables
Date: Wed, 8 Apr 2020 14:24:07 -0400
Message-ID: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
From: Siarhei Liakh <siarhei.liakh@concurrent-rt.com>

This patch set is the result of an actual customer support case where a client
of ours observed unacceptable variability of timings while sending UDP packets
via sendto() with SELinux enabled. The initial investigation centered around
kernel 3.10.108 in CentOS 6.5 environment. Combination of these patches with
some substantial tuning of newly added Kconfig options was able to reduce
*maximum* sendto() latency to about 160us, down from well over 2ms. Worst
latency was typically observed when a new SSH login was initiated concurrently
with the test program running a sendto() loop, thus causing an AVC miss with a
subsequent call to security_compute_av(), which would spend most of its time
iterating through policydb within context_struct_compute_av().

The original patch set was developed for linux kernel 3.10.108 and later ported
to newer versions. The patch set presented here is based off Linus' tree as of
April 7, 2020 and contains only a subset of the changes which are still relevant
to 5.6+ as many of the issues had already been addressed in different ways.

The patch set consists of 9 patches total and is meant to achieve two goals:
1. Replace most local copies of custom hash functions with generic hash
   functions already available in include/linux/*.h.
2. Replace hard-coded hash table sizing parameters with Kconfig tunables.

"Advanced Hashing" Kconfig option is the only dependency between the patches,
but other than that any combination of them can be used.

Please CC me directly in all replies.

Siarhei Liakh (9):
  SELinux: Introduce "Advanced Hashing" Kconfig option
  SELinux: Use Bob Jenkins' lookup3 hash in AVC
  SELinux: Expose AVC sizing tunables via Kconfig
  SELinux: Replace custom hash in avtab with generic lookup3 from the
    library
  SELinux: Expose AVTab sizing tunables via Kconfig
  SELinux: Replace custom hash with generic lookup3 in policydb
  SELinux: Expose filename_tr hash table sizing via Kconfig
  SELinux: Replace custom hash with generic lookup3 in symtab
  SELinux: Expose netport hash table sizing via Kconfig

 security/selinux/Kconfig       | 83 ++++++++++++++++++++++++++++++++++
 security/selinux/avc.c         | 23 ++++++++--
 security/selinux/netport.c     |  4 +-
 security/selinux/ss/avtab.c    | 39 ++--------------
 security/selinux/ss/avtab.h    |  2 +-
 security/selinux/ss/policydb.c | 46 +++++++++++++++----
 security/selinux/ss/symtab.c   | 12 +++++
 7 files changed, 159 insertions(+), 50 deletions(-)

--
2.17.1
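
An added illustration, not code from this patch series or from the author: it compares the longest bucket chain produced by the XOR/shift AVC hash of kernel 5.6 with a lookup3-based index on constructed, correlated SID pairs. The lookup3 variant assumes the final mix used by jhash_3words() in include/linux/jhash.h; patch 2/9 itself is not shown on this page, and the input triples are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOTS 512u  /* AVC_CACHE_SLOTS in security/selinux/avc.c (v5.6) */

/* XOR/shift hash used by the AVC in v5.6, before this series. */
static uint32_t avc_hash_xor(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    return (ssid ^ (tsid << 2) ^ ((uint32_t)tclass << 4)) & (SLOTS - 1);
}

static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }

/* lookup3 final mix over three words, as in jhash_3words() with initval 0.
 * Assumption: illustrates a lookup3-based bucket index, not the patch's code. */
static uint32_t avc_hash_lookup3(uint32_t ssid, uint32_t tsid, uint16_t tclass)
{
    uint32_t iv = 0xdeadbeefu + (3u << 2);
    uint32_t a = ssid + iv, b = tsid + iv, c = tclass + iv;

    c ^= b; c -= rol32(b, 14);
    a ^= c; a -= rol32(c, 11);
    b ^= a; b -= rol32(a, 25);
    c ^= b; c -= rol32(b, 16);
    a ^= c; a -= rol32(c, 4);
    b ^= a; b -= rol32(a, 14);
    c ^= b; c -= rol32(b, 24);
    return c & (SLOTS - 1);
}

typedef uint32_t (*hash_fn)(uint32_t, uint32_t, uint16_t);

/* Longest chain after inserting n constructed (ssid, tsid, tclass) triples.
 * ssid = 4*k and tsid = k cancel under ssid ^ (tsid << 2), which is the
 * worst case for a linear XOR/shift hash: every entry lands in one bucket. */
static unsigned longest_chain(hash_fn h, unsigned n)
{
    unsigned count[SLOTS] = {0}, max = 0;

    for (unsigned k = 1; k <= n; k++) {
        uint32_t slot = h(4 * k, k, 7 /* constructed class value */);
        if (++count[slot] > max)
            max = count[slot];
    }
    return max;
}

int main(void)
{
    printf("xor/shift longest chain: %u\n", longest_chain(avc_hash_xor, 256));
    printf("lookup3   longest chain: %u\n", longest_chain(avc_hash_lookup3, 256));
    return 0;
}
```

The chain length is what a lookup walks on a hit in that bucket, so a single long chain shows up directly as the kind of worst-case latency the cover letter describes.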

Thread overview: 20+ messages
2020-04-08 18:24 siarhei.liakh [this message]
2020-04-08 18:24 ` [PATCH 1/9] SELinux: Introduce "Advanced Hashing" Kconfig option siarhei.liakh
2020-04-08 18:24 ` [PATCH 2/9] SELinux: Use Bob Jenkins' lookup3 hash in AVC siarhei.liakh
2020-04-08 18:24 ` [PATCH 3/9] SELinux: Expose AVC sizing tunables via Kconfig siarhei.liakh
2020-04-08 18:24 ` [PATCH 4/9] SELinux: Replace custom hash in avtab with generic lookup3 from the library siarhei.liakh
2020-04-14 10:58 ` Ondrej Mosnacek
2020-04-14 13:44 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 5/9] SELinux: Expose AVTab sizing tunables via Kconfig siarhei.liakh
2020-04-08 18:24 ` [PATCH 6/9] SELinux: Replace custom hash with generic lookup3 in policydb siarhei.liakh
2020-04-08 18:24 ` [PATCH 7/9] SELinux: Expose filename_tr hash table sizing via Kconfig siarhei.liakh
2020-04-14 10:54 ` Ondrej Mosnacek
2020-04-14 13:39 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 8/9] SELinux: Replace custom hash with generic lookup3 in symtab siarhei.liakh
2020-04-14 11:06 ` Ondrej Mosnacek
2020-04-14 14:03 ` Siarhei Liakh
2020-04-08 18:24 ` [PATCH 9/9] SELinux: Expose netport hash table sizing via Kconfig siarhei.liakh
2020-04-09 13:41 ` [PATCH 0/9] SELinux: Improve hash functions and sizing of hash tables Paul Moore
2020-04-13 20:43 ` Siarhei Liakh
2020-04-14 21:50 ` Paul Moore
2020-05-05 13:35 ` Siarhei Liakh