From: Paul Moore <paul@paul-moore.com>
To: omosnace@redhat.com
Cc: selinux@vger.kernel.org, Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [RFC PATCH v4 2/2] selinux: overhaul sidtab to fix bug and improve performance
Date: Thu, 6 Dec 2018 18:29:43 -0500 [thread overview]
Message-ID: <CAHC9VhR03G=ebYtDcTDmiUi+j7VY0K6h9vUGybVesUQeCV4B_Q@mail.gmail.com> (raw)
In-Reply-To: <CAFqZXNvhYR1WbRv+Q8J+ufBazSxPZ2HS3FRQHOpAgZncjWwd9g@mail.gmail.com>
On Thu, Dec 6, 2018 at 4:36 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> On Wed, Dec 5, 2018 at 11:53 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Fri, Nov 30, 2018 at 10:24 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > > Before this patch, during a policy reload the sidtab would become frozen
> > > and trying to map a new context to SID would be unable to add a new
> > > entry to sidtab and fail with -ENOMEM.
> > >
> > > Such failures are usually propagated into userspace, which has no way of
> > > distignuishing them from actual allocation failures and thus doesn't
> > > handle them gracefully. Such situation can be triggered e.g. by the
> > > following reproducer:
> > >
> > > while true; do load_policy; echo -n .; sleep 0.1; done &
> > > for (( i = 0; i < 1024; i++ )); do
> > > runcon -l s0:c$i echo -n x || break
> > > # or:
> > > # chcon -l s0:c$i <some_file> || break
> > > done
> > >
> > > This patch overhauls the sidtab so it doesn't need to be frozen during
> > > policy reload, thus solving the above problem.
> > >
> > > The new SID table leverages the fact that SIDs are allocated
> > > sequentially and are never invalidated and stores them in linear buckets
> > > indexed by a tree structure. This brings several advantages:
> > > 1. Fast SID -> context lookup - this lookup can now be done in
> > > logarithmic time complexity (usually in less than 4 array lookups)
> > > and can still be done safely without locking.
> > > 2. No need to re-search the whole table on reverse lookup miss - after
> > > acquiring the spinlock only the newly added entries need to be
> > > searched, which means that reverse lookups that end up inserting a
> > > new entry are now about twice as fast.
> > > 3. No need to freeze sidtab during policy reload - it is now possible
> > > to handle insertion of new entries even during sidtab conversion.
> > >
> > > The tree structure of the new sidtab is able to grow automatically to up
> > > to about 2^31 entries (at which point it should not have more than about
> > > 4 tree levels). The old sidtab had a theoretical capacity of almost 2^32
> > > entries, but half of that is still more than enough since by that point
> > > the reverse table lookups would become unusably slow anyway...
> > >
> > > The number of entries per tree node is selected automatically so that
> > > each node fits into a single page, which should be the easiest size for
> > > kmalloc() to handle.
> > >
> > > Note that the cache for reverse lookup is preserved with equivalent
> > > logic. The only difference is that instead of storing pointers to the
> > > hash table nodes it stores just the indices of the cached entries.
> > >
> > > The new cache ensures that the indices are loaded/stored atomically, but
> > > it still has the drawback that concurrent cache updates may mess up the
> > > contents of the cache. Such situation however only reduces its
> > > effectivity, not the correctness of lookups.
> > >
> > > Tested by selinux-testsuite and thoroughly tortured by this simple
> > > stress test:
> > > ```
> > > function rand_cat() {
> > > echo $(( $RANDOM % 1024 ))
> > > }
> > >
> > > function do_work() {
> > > while true; do
> > > echo -n "system_u:system_r:kernel_t:s0:c$(rand_cat),c$(rand_cat)" \
> > > >/sys/fs/selinux/context 2>/dev/null || true
> > > done
> > > }
> > >
> > > do_work >/dev/null &
> > > do_work >/dev/null &
> > > do_work >/dev/null &
> > >
> > > while load_policy; do echo -n .; sleep 0.1; done
> > >
> > > kill %1
> > > kill %2
> > > kill %3
> > > ```
> > >
> > > Reported-by: Orion Poplawski <orion@nwra.com>
> > > Reported-by: Li Kun <hw.likun@huawei.com>
> > > Link: https://github.com/SELinuxProject/selinux-kernel/issues/38
> > > Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
> > > ---
> > > security/selinux/ss/mls.c | 23 +-
> > > security/selinux/ss/mls.h | 3 +-
> > > security/selinux/ss/services.c | 120 +++----
> > > security/selinux/ss/sidtab.c | 556 ++++++++++++++++++++-------------
> > > security/selinux/ss/sidtab.h | 80 +++--
> > > 5 files changed, 459 insertions(+), 323 deletions(-)
> >
> > This also looks okay on quick inspection, and once again I know you
> > and Stephen have gone over this a lot, so I've merged it into
> > selinux/next. However, I had to basically merge all of sidtab.c by
> > hand so please double check it still looks correct to you; I've gone
> > over it a few times and it looks like it matches, but it's easy to
> > miss something small.
>
> Thank you, I ran a diff with meld between the fixed and original
> versions and I can confirm there are only whitespace/comment
> differences.
Great, thanks for checking.
> Just one small nit though: I think you used a "bad" format fro the
> multiline comment in sidtab_convert(). Or at least Linus seems to hate
> it [1] :) OTOH, Documentation/process/coding-style.rst [2] still lists
> it as the preferred format for networking code... Not that it would
> bother me, but that e-mail has stuck in my mind and now I almost
> always notice the comment styles.
Part of this comes from my own personal preference, part comes from
starting working on Linux in the networking stack. While I do care a
lot about line lengths, I don't care too much about multi-line comment
styles :)
--
paul moore
www.paul-moore.com
prev parent reply other threads:[~2018-12-06 23:29 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-30 15:24 [RFC PATCH v4 0/2] Fix ENOMEM errors during policy reload Ondrej Mosnacek
2018-11-30 15:24 ` [RFC PATCH v4 1/2] selinux: use separate table for initial SID lookup Ondrej Mosnacek
2018-12-03 17:17 ` Stephen Smalley
2018-12-05 20:59 ` Paul Moore
2018-12-06 9:33 ` Ondrej Mosnacek
2018-12-06 23:26 ` Paul Moore
2018-11-30 15:24 ` [RFC PATCH v4 2/2] selinux: overhaul sidtab to fix bug and improve performance Ondrej Mosnacek
2018-12-03 17:17 ` Stephen Smalley
2018-12-05 22:52 ` Paul Moore
2018-12-06 9:36 ` Ondrej Mosnacek
2018-12-06 23:29 ` Paul Moore [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhR03G=ebYtDcTDmiUi+j7VY0K6h9vUGybVesUQeCV4B_Q@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=omosnace@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).