@@ -111,6 +111,18 @@ config SECURITY_SELINUX_AVC_RECLAIM_COUNT
cycles to bring AVC size under the threshold. Large values may
cause excessive latency of reclamation events.
+config SECURITY_SELINUX_AVTAB_HASH_BITS
+ int "Number of slots (buckets) for AVTab hash table, expressed as number of bits (i.e. 2^n)"
+ depends on SECURITY_SELINUX
+ range 1 32
+ default "16"
+ help
+ This is a power of 2 representing the number of slots (buckets)
+ used for AVTab hash table. AVTab is the core SELinux database
+ holding all of the applicable rules. Smaller value reduces memory
+ footprint at price of hash table lookup efficiency. One bucket
+ per 10 to 100 rules is reasonable.
+
config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX
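Review bot: The `range 1 32` on the new option admits values the header hunk cannot represent, because `MAX_AVTAB_HASH_BUCKETS` stays `(1 << MAX_AVTAB_HASH_BITS)` on a plain `int`. A value of 31 overflows a signed int and 32 shifts by the full type width, and both are undefined behaviour in C. The help text calls the AVTab the core rule database, so a miscomputed bucket count would presumably affect policy lookups. I would tighten the bound to `range 1 30` and make the shift unsigned in the header, `#define MAX_AVTAB_HASH_BUCKETS (1U << MAX_AVTAB_HASH_BITS)`. The code that allocates the buckets is outside this diff, so the practical upper limit (memory per bucket) should be confirmed there before picking the final range.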
@@ -110,7 +110,7 @@ struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);
struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
-#define MAX_AVTAB_HASH_BITS 16
+#define MAX_AVTAB_HASH_BITS CONFIG_SECURITY_SELINUX_AVTAB_HASH_BITS
#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)
#endif /* _SS_AVTAB_H_ */