Re: [PATCH v2 1/2] selinux: hash context structure directly

[Ondrej Mosnacek <omosnace@redhat.com>]

On Thu, Apr 16, 2020 at 4:22 PM Jeffrey Vander Stoep <jeffv@google.com> wrote:
> Thanks for fixing this!
>
> On Thu, Apr 16, 2020 at 2:41 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > Always hashing the string representation is inefficient. Just hash the
> > contents of the structure directly (using jhash). If the context is
> > invalid (str & len are set), then hash the string as before, otherwise
> > hash the structured data. Any context that is valid under the given
> > policy should always be structured, and also any context that is invalid
> > should be never structured, so the hashes should always match for the
> > same context. The fact that context_cmp() also follows this logic
> > further reinforces this assumption.
> >
> > Since the context hashing function is now faster (about 10 times), this
> > patch decreases the overhead of security_transition_sid(), which is
> > called from many hooks.
> >
> > The jhash function seemed as a good choice, since it is used as the
> > default hashing algorithm in rhashtable.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > ---
> >  security/selinux/Makefile      |  2 +-
> >  security/selinux/ss/context.c  | 24 +++++++++++++++++++++++
> >  security/selinux/ss/context.h  |  6 ++++--
> >  security/selinux/ss/ebitmap.c  | 14 ++++++++++++++
> >  security/selinux/ss/ebitmap.h  |  1 +
> >  security/selinux/ss/mls.h      | 11 +++++++++++
> >  security/selinux/ss/policydb.c |  7 ++-----
> >  security/selinux/ss/services.c | 35 ++++------------------------------
> >  security/selinux/ss/services.h |  3 ---
> >  9 files changed, 61 insertions(+), 42 deletions(-)
> >  create mode 100644 security/selinux/ss/context.c
> >
> > diff --git a/security/selinux/Makefile b/security/selinux/Makefile
> > index 0c77ede1cc11..4d8e0e8adf0b 100644
> > --- a/security/selinux/Makefile
> > +++ b/security/selinux/Makefile
> > @@ -8,7 +8,7 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
> >  selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
> >              netnode.o netport.o status.o \
> >              ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
> > -            ss/policydb.o ss/services.o ss/conditional.o ss/mls.o
> > +            ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o
> >
> >  selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
> >
> > diff --git a/security/selinux/ss/context.c b/security/selinux/ss/context.c
> > new file mode 100644
> > index 000000000000..cc0895dc7b0f
> > --- /dev/null
> > +++ b/security/selinux/ss/context.c
> > @@ -0,0 +1,24 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/*
> > + * Implementations of the security context functions.
> > + *
> > + * Author: Ondrej Mosnacek <omosnacek@gmail.com>
> > + * Copyright (C) 2018 Red Hat, Inc.
> > + */
> > +
> > +#include <linux/jhash.h>
> > +
> > +#include "context.h"
> > +#include "mls.h"
> > +
> > +u32 context_compute_hash(const struct context *c)
> > +{
> > +       u32 hash = 0;
> > +
>
> You describe why this is safe in the commit message.
> Could that same explanation be a comment here?
> Otherwise it's not clear when reading the code why
> this is safe.

I assume you mean the fact that valid and invalid contexts are hashed
differently? In that case, yes I agree it deserves a comment.

> > +       if (c->len)
> > +               return full_name_hash(NULL, c->str, c->len);
> > +
> > +       hash = jhash_3words(c->user, c->role, c->type, hash);
> > +       hash = mls_range_hash(&c->range, hash);
> > +       return hash;
> > +}

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.