diff mbox series

[2/6] selinux: dump statistics for more hash tables

Message ID 20230818151220.166215-1-cgzones@googlemail.com (mailing list archive)
State Changes Requested
Delegated to: Paul Moore
Headers show
Series [1/6] selinux: print sum of chain lengths^2 for hash tables | expand

Commit Message

Christian Göttsche Aug. 18, 2023, 3:12 p.m. UTC 
Dump in the SELinux debug configuration the statistics for the
conditional rules avtab, the role transition, and class and common
permission hash tables.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 security/selinux/ss/conditional.c | 3 +++
 security/selinux/ss/policydb.c    | 6 ++++++
 2 files changed, 9 insertions(+)

Comments

Stephen Smalley Sept. 7, 2023, 5:42 p.m. UTC | #1 
On Fri, Aug 18, 2023 at 11:12 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Dump in the SELinux debug configuration the statistics for the
> conditional rules avtab, the role transition, and class and common
> permission hash tables.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---

> diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> index 84f02d4f8093..932e383bcad6 100644
> --- a/security/selinux/ss/policydb.c
> +++ b/security/selinux/ss/policydb.c
> @@ -1158,6 +1158,8 @@ static int common_read(struct policydb *p, struct symtab *s, void *fp)
>                         goto bad;
>         }
>
> +       hash_eval(&comdatum->permissions.table, "common_permissions");
> +
>         rc = symtab_insert(s, key, comdatum);
>         if (rc)
>                 goto bad;
> @@ -1339,6 +1341,8 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
>                         goto bad;
>         }
>
> +       hash_eval(&cladatum->permissions.table, "class_permissions");
> +
>         rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
>         if (rc)
>                 goto bad;

Do we want to embed the actual common and class keys in the output to
distinguish among the multiple common and class permissions tables?
Stephen Smalley Sept. 8, 2023, 6:03 p.m. UTC | #2 
On Fri, Aug 18, 2023 at 11:12 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Dump in the SELinux debug configuration the statistics for the
> conditional rules avtab, the role transition, and class and common
> permission hash tables.
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Aside from the question I asked, which I have no strong opinion about,
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Paul Moore Sept. 13, 2023, 4:11 p.m. UTC | #3 
On Thu, Sep 7, 2023 at 1:42 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Fri, Aug 18, 2023 at 11:12 AM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Dump in the SELinux debug configuration the statistics for the
> > conditional rules avtab, the role transition, and class and common
> > permission hash tables.
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > ---
>
> > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > index 84f02d4f8093..932e383bcad6 100644
> > --- a/security/selinux/ss/policydb.c
> > +++ b/security/selinux/ss/policydb.c
> > @@ -1158,6 +1158,8 @@ static int common_read(struct policydb *p, struct symtab *s, void *fp)
> >                         goto bad;
> >         }
> >
> > +       hash_eval(&comdatum->permissions.table, "common_permissions");
> > +
> >         rc = symtab_insert(s, key, comdatum);
> >         if (rc)
> >                 goto bad;
> > @@ -1339,6 +1341,8 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
> >                         goto bad;
> >         }
> >
> > +       hash_eval(&cladatum->permissions.table, "class_permissions");
> > +
> >         rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
> >         if (rc)
> >                 goto bad;
>
> Do we want to embed the actual common and class keys in the output to
> distinguish among the multiple common and class permissions tables?

That seems reasonable, were you thinking of just adding it to the
hash_eval()'s hash name string, e.g. "common_permissions[XXX]"?
Stephen Smalley Sept. 13, 2023, 6:03 p.m. UTC | #4 
On Wed, Sep 13, 2023 at 12:12 PM Paul Moore <paul@paul-moore.com> wrote:
>
> On Thu, Sep 7, 2023 at 1:42 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> > On Fri, Aug 18, 2023 at 11:12 AM Christian Göttsche
> > <cgzones@googlemail.com> wrote:
> > >
> > > Dump in the SELinux debug configuration the statistics for the
> > > conditional rules avtab, the role transition, and class and common
> > > permission hash tables.
> > >
> > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > > ---
> >
> > > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > > index 84f02d4f8093..932e383bcad6 100644
> > > --- a/security/selinux/ss/policydb.c
> > > +++ b/security/selinux/ss/policydb.c
> > > @@ -1158,6 +1158,8 @@ static int common_read(struct policydb *p, struct symtab *s, void *fp)
> > >                         goto bad;
> > >         }
> > >
> > > +       hash_eval(&comdatum->permissions.table, "common_permissions");
> > > +
> > >         rc = symtab_insert(s, key, comdatum);
> > >         if (rc)
> > >                 goto bad;
> > > @@ -1339,6 +1341,8 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
> > >                         goto bad;
> > >         }
> > >
> > > +       hash_eval(&cladatum->permissions.table, "class_permissions");
> > > +
> > >         rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
> > >         if (rc)
> > >                 goto bad;
> >
> > Do we want to embed the actual common and class keys in the output to
> > distinguish among the multiple common and class permissions tables?
>
> That seems reasonable, were you thinking of just adding it to the
> hash_eval()'s hash name string, e.g. "common_permissions[XXX]"?

Yes, otherwise you get a bunch of common_permissions and
class_permissions lines with no way to correlate.
Paul Moore Sept. 13, 2023, 6:07 p.m. UTC | #5 
On Wed, Sep 13, 2023 at 2:03 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
> On Wed, Sep 13, 2023 at 12:12 PM Paul Moore <paul@paul-moore.com> wrote:
> > On Thu, Sep 7, 2023 at 1:42 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > > On Fri, Aug 18, 2023 at 11:12 AM Christian Göttsche
> > > <cgzones@googlemail.com> wrote:
> > > >
> > > > Dump in the SELinux debug configuration the statistics for the
> > > > conditional rules avtab, the role transition, and class and common
> > > > permission hash tables.
> > > >
> > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> > > > ---
> > >
> > > > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > > > index 84f02d4f8093..932e383bcad6 100644
> > > > --- a/security/selinux/ss/policydb.c
> > > > +++ b/security/selinux/ss/policydb.c
> > > > @@ -1158,6 +1158,8 @@ static int common_read(struct policydb *p, struct symtab *s, void *fp)
> > > >                         goto bad;
> > > >         }
> > > >
> > > > +       hash_eval(&comdatum->permissions.table, "common_permissions");
> > > > +
> > > >         rc = symtab_insert(s, key, comdatum);
> > > >         if (rc)
> > > >                 goto bad;
> > > > @@ -1339,6 +1341,8 @@ static int class_read(struct policydb *p, struct symtab *s, void *fp)
> > > >                         goto bad;
> > > >         }
> > > >
> > > > +       hash_eval(&cladatum->permissions.table, "class_permissions");
> > > > +
> > > >         rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
> > > >         if (rc)
> > > >                 goto bad;
> > >
> > > Do we want to embed the actual common and class keys in the output to
> > > distinguish among the multiple common and class permissions tables?
> >
> > That seems reasonable, were you thinking of just adding it to the
> > hash_eval()'s hash name string, e.g. "common_permissions[XXX]"?
>
> Yes, otherwise you get a bunch of common_permissions and
> class_permissions lines with no way to correlate.

Agreed, I was asking more to determine how you envisioned the keys in
the output.

Christian, instead of creating the combined string in the caller I
would suggest adding a third parameter to the hash_eval() function and
having hash_eval() add the extra info (if present, NULL should be
acceptable) to the output.  This should ensure no extra work is done
when debug is disabled.
diff mbox series

Patch

diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
index 81ff676f209a..0dd17fe76286 100644
--- a/security/selinux/ss/conditional.c
+++ b/security/selinux/ss/conditional.c
@@ -171,6 +171,9 @@  int cond_init_bool_indexes(struct policydb *p)
 					      GFP_KERNEL);
 	if (!p->bool_val_to_struct)
 		return -ENOMEM;
+
+	avtab_hash_eval(&p->te_cond_avtab, "conditional_rules");
+
 	return 0;
 }
 
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 84f02d4f8093..932e383bcad6 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -1158,6 +1158,8 @@  static int common_read(struct policydb *p, struct symtab *s, void *fp)
 			goto bad;
 	}
 
+	hash_eval(&comdatum->permissions.table, "common_permissions");
+
 	rc = symtab_insert(s, key, comdatum);
 	if (rc)
 		goto bad;
@@ -1339,6 +1341,8 @@  static int class_read(struct policydb *p, struct symtab *s, void *fp)
 			goto bad;
 	}
 
+	hash_eval(&cladatum->permissions.table, "class_permissions");
+
 	rc = read_cons_helper(p, &cladatum->constraints, ncons, 0, fp);
 	if (rc)
 		goto bad;
@@ -2616,6 +2620,8 @@  int policydb_read(struct policydb *p, void *fp)
 		rtd = NULL;
 	}
 
+	hash_eval(&p->role_tr, "roletr");
+
 	rc = next_entry(buf, fp, sizeof(u32));
 	if (rc)
 		goto bad;