diff options
| author |   Ondrej Mosnacek <omosnace@redhat.com> | 2019-11-26 14:57:00 +0100 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2019-12-09 16:14:51 -0500 |
| commit | d97bd23c2d7d866e99eb3a927c742715c85a90ef (patch) | |
| tree | d5c29d661384fbc83a0244623b9daac7f3715d5a /security/selinux/Kconfig | |
| parent | selinux: sidtab reverse lookup hash table (diff) | |
| download | linux-dev-d97bd23c2d7d866e99eb3a927c742715c85a90ef.tar.xz linux-dev-d97bd23c2d7d866e99eb3a927c742715c85a90ef.zip | |
selinux: cache the SID -> context string translation
Translating a context struct to string can be quite slow, especially if
the context has a lot of category bits set. This can cause quite
noticeable performance impact in situations where the translation needs
to be done repeatedly. A common example is a UNIX datagram socket with
the SO_PASSSEC option enabled, which is used e.g. by systemd-journald
when receiving log messages via datagram socket. This scenario can be
reproduced with:
cat /dev/urandom | base64 | logger &
timeout 30s perf record -p $(pidof systemd-journald) -a -g
kill %1
perf report -g none --pretty raw | grep security_secid_to_secctx
Before the caching introduced by this patch, computing the context
string (security_secid_to_secctx() function) takes up ~65% of
systemd-journald's CPU time (assuming a context with 1024 categories
set and Fedora x86_64 release kernel configs). After this patch
(assuming near-perfect cache hit ratio) this overhead is reduced to just
~2%.
This patch addresses the issue by caching a certain number (compile-time
configurable) of recently used context strings to speed up repeated
translations of the same context, while using only a small amount of
memory.
The cache is integrated into the existing sidtab table by adding a field
to each entry, which when not NULL contains an RCU-protected pointer to
a cache entry containing the cached string. The cache entries are kept
in a linked list sorted according to how recently they were used. On a
cache miss when the cache is full, the least recently used entry is
removed to make space for the new entry.
The patch migrates security_sid_to_context_core() to use the cache (also
a few other functions where it was possible without too much fuss, but
these mostly use the translation for logging in case of error, which is
rare).
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1733259
Cc: Michal Sekletar <msekleta@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
[PM: lots of merge fixups due to collisions with other sidtab patches]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/Kconfig')
| -rw-r--r-- | security/selinux/Kconfig | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index c9e576c430c2..996d35d950f7 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -97,3 +97,14 @@ config SECURITY_SELINUX_SIDTAB_HASH_BITS collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If chain lengths are high (e.g. > 20) then selecting a higher value here will ensure that lookups times are short and stable. + +config SECURITY_SELINUX_SID2STR_CACHE_SIZE + int "NSA SELinux SID to context string translation cache size" + depends on SECURITY_SELINUX + default 256 + help + This option defines the size of the internal SID -> context string + cache, which improves the performance of context to string + conversion. Setting this option to 0 disables the cache completely. + + If unsure, keep the default value. |