[0/3] Smack: Use the netlbl incoming cache

Message ID 20200812003943.3036-1-casey@schaufler-ca.com (mailing list archive)

Message

Casey Schaufler Aug. 12, 2020, 12:39 a.m. UTC
Update the Smack security module to use the Netlabel cache
mechanism to speed the processing of incoming labeled packets.
There is some refactoring of the existing code that makes it
simpler, and reduces duplication. The outbound packet labeling
is also optimized to track the labeling state of the socket.
Prior to this the socket label was redundantly set on each
packet send.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 security/smack/smack.h        |  19 ++--
 security/smack/smack_access.c |  55 ++++++----
 security/smack/smack_lsm.c    | 245 ++++++++++++++++++++++++------------------
 security/smack/smackfs.c      |  23 ++--
 4 files changed, 193 insertions(+), 149 deletions(-)
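The cover letter describes two optimizations without showing code: a cache in front of the CIPSO-to-Smack label translation for incoming packets, and per-socket tracking of whether the outbound label has already been applied so it is not set again on every send. The following is an added user-space model of both, written for this page; it is not code from the patch series or from the kernel. The mapping table, the direct-mapped cache, the `cipso_tag` struct and the `sock_state` struct are all hypothetical stand-ins; the one point it borrows from NetLabel is that a mapping change must invalidate the whole cache (what `netlbl_cache_invalidate()` does in the kernel), because a stale entry would keep translating a packet to a label the administrator has since changed.

```c
/*
 * Added example, not code from the Smack patch series or the kernel.
 * Models the two optimizations described in the cover letter:
 *  1. an incoming-label cache in front of the CIPSO -> Smack mapping, with
 *     whole-cache invalidation on every mapping change (the kernel does this
 *     through netlbl_cache_add()/netlbl_cache_invalidate(); the structures
 *     here are hypothetical), and
 *  2. per-socket state recording whether the outbound label has already been
 *     pushed, so it is not set again on each send.
 * Counters expose how often the slow paths run so the effect is observable.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CACHE_SLOTS 64
#define MAP_ENTRIES 8

/* Minimal stand-in for a CIPSO tag: DOI, sensitivity level, category mask. */
struct cipso_tag {
    uint32_t doi;
    uint8_t level;
    uint64_t cats;
};

/* Hypothetical mapping table: CIPSO tag -> Smack label. */
static struct { struct cipso_tag tag; const char *label; } mapping[MAP_ENTRIES];
static int mapping_count;

/* Direct-mapped cache; 'valid' is cleared by invalidation. */
static struct { struct cipso_tag tag; const char *label; int valid; } cache[CACHE_SLOTS];

static int slow_lookups;     /* full table scans performed */
static int sock_label_sets;  /* outbound label pushes performed */
int count_slow_lookups(void) { return slow_lookups; }
int count_sock_label_sets(void) { return sock_label_sets; }

static int tag_eq(const struct cipso_tag *a, const struct cipso_tag *b)
{
    return a->doi == b->doi && a->level == b->level && a->cats == b->cats;
}

static unsigned cache_slot(const struct cipso_tag *t)
{
    uint64_t h = t->doi * 0x9E3779B1u ^ t->level * 0x85EBCA77u ^ t->cats;
    h ^= h >> 29;
    return (unsigned)(h % CACHE_SLOTS);
}

/* Stand-in for netlbl_cache_invalidate(): drop every cached translation,
 * otherwise a packet could keep being assigned a label from old policy. */
void label_cache_invalidate(void)
{
    memset(cache, 0, sizeof(cache));
}

/* Replace the mapping table and invalidate the cache in the same step. */
void mapping_set(const struct cipso_tag *tags, const char **labels, int n)
{
    mapping_count = n < MAP_ENTRIES ? n : MAP_ENTRIES;
    for (int i = 0; i < mapping_count; i++) {
        mapping[i].tag = tags[i];
        mapping[i].label = labels[i];
    }
    label_cache_invalidate();
}

/* Slow path: scan the whole table. Returns NULL for an unmapped tag. */
static const char *mapping_lookup(const struct cipso_tag *t)
{
    slow_lookups++;
    for (int i = 0; i < mapping_count; i++)
        if (tag_eq(&mapping[i].tag, t))
            return mapping[i].label;
    return NULL;
}

/* Incoming packet: consult the cache first, fall back to the table. */
const char *smack_from_cipso(const struct cipso_tag *t)
{
    unsigned s = cache_slot(t);
    if (cache[s].valid && tag_eq(&cache[s].tag, t))
        return cache[s].label;
    const char *label = mapping_lookup(t);
    if (label) {                 /* cache only successful translations */
        cache[s].tag = *t;
        cache[s].label = label;
        cache[s].valid = 1;
    }
    return label;
}

/* Outbound side: remember whether the socket's label has been pushed. */
enum nlbl_state { NLBL_UNSET, NLBL_LABELED };
struct sock_state { const char *label; enum nlbl_state state; };

void sock_relabel(struct sock_state *sk, const char *label)
{
    sk->label = label;
    sk->state = NLBL_UNSET;      /* new label must be pushed before next send */
}

/* Returns the label the packet carries; pushes it only when state demands. */
const char *sock_send(struct sock_state *sk)
{
    if (sk->state != NLBL_LABELED) {
        sock_label_sets++;       /* formerly done on every packet */
        sk->state = NLBL_LABELED;
    }
    return sk->label;
}
```

The two counters are what a before/after benchmark like the one discussed below measures indirectly: with the cache, repeated packets carrying the same CIPSO tag cost one table scan instead of one per packet, and with the socket state, a stream of sends costs one label push instead of one per send. The invalidation in `mapping_set()` is the part to get right: without it, a mapping change through smackfs would not reach packets whose tag already sits in the cache.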

Comments

Paul Moore Aug. 12, 2020, 2:10 a.m. UTC | #1
On Tue, Aug 11, 2020 at 8:39 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Update the Smack security module to use the Netlabel cache
> mechanism to speed the processing of incoming labeled packets.
> There is some refactoring of the existing code that makes it
> simpler, and reduces duplication. The outbound packet labeling
> is also optimized to track the labeling state of the socket.
> Prior to this the socket label was redundantly set on each
> packet send.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  security/smack/smack.h        |  19 ++--
>  security/smack/smack_access.c |  55 ++++++----
>  security/smack/smack_lsm.c    | 245 ++++++++++++++++++++++++------------------
>  security/smack/smackfs.c      |  23 ++--
>  4 files changed, 193 insertions(+), 149 deletions(-)

FWIW, I gave this a cursory look just now and the NetLabel usage
seemed reasonable.  Out of curiosity, have you done any before/after
performance tests?  It was quite significant when we adopted it in
SELinux, but that was some time ago, it would be nice to know that it
is still working well and hasn't been invalidated by some other,
unrelated change.
Casey Schaufler Aug. 13, 2020, 4:36 p.m. UTC | #2
On 8/11/2020 7:10 PM, Paul Moore wrote:
> On Tue, Aug 11, 2020 at 8:39 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Update the Smack security module to use the Netlabel cache
>> mechanism to speed the processing of incoming labeled packets.
>> There is some refactoring of the existing code that makes it
>> simpler, and reduces duplication. The outbound packet labeling
>> is also optimized to track the labeling state of the socket.
>> Prior to this the socket label was redundantly set on each
>> packet send.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>>  security/smack/smack.h        |  19 ++--
>>  security/smack/smack_access.c |  55 ++++++----
>>  security/smack/smack_lsm.c    | 245 ++++++++++++++++++++++++------------------
>>  security/smack/smackfs.c      |  23 ++--
>>  4 files changed, 193 insertions(+), 149 deletions(-)
> FWIW, I gave this a cursory look just now and the NetLabel usage
> seemed reasonable.  Out of curiosity, have you done any before/after
> performance tests?

It's early in the benchmark process, but TCP looks to be about 6% better.
UDP numbers should be better. I'm not expecting the level of improvement
SELinux saw because the label mapping from CIPSO isn't as sophisticated
for Smack as it is for SELinux.

>   It was quite significant when we adopted it in
> SELinux, but that was some time ago, it would be nice to know that it
> is still working well and hasn't been invalidated by some other,
> unrelated change.
>
Casey Schaufler Aug. 14, 2020, 12:32 a.m. UTC | #3
On 8/13/2020 9:36 AM, Casey Schaufler wrote:
> On 8/11/2020 7:10 PM, Paul Moore wrote:
>> On Tue, Aug 11, 2020 at 8:39 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>> Update the Smack security module to use the Netlabel cache
>>> mechanism to speed the processing of incoming labeled packets.
>>> There is some refactoring of the existing code that makes it
>>> simpler, and reduces duplication. The outbound packet labeling
>>> is also optimized to track the labeling state of the socket.
>>> Prior to this the socket label was redundantly set on each
>>> packet send.
>>>
>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>> ---
>>>  security/smack/smack.h        |  19 ++--
>>>  security/smack/smack_access.c |  55 ++++++----
>>>  security/smack/smack_lsm.c    | 245 ++++++++++++++++++++++++------------------
>>>  security/smack/smackfs.c      |  23 ++--
>>>  4 files changed, 193 insertions(+), 149 deletions(-)
>> FWIW, I gave this a cursory look just now and the NetLabel usage
>> seemed reasonable.  Out of curiosity, have you done any before/after
>> performance tests?
> It's early in the benchmark process, but TCP looks to be about 6% better.
> UDP numbers should be better. I'm not expecting the level of improvement
> SELinux saw because the label mapping from CIPSO isn't as sophisticated
> for Smack as it is for SELinux.

UDP looks like a 12% improvement, which I had expected.
On the whole, worth the effort.
Paul Moore Aug. 14, 2020, 2:03 a.m. UTC | #4
On August 13, 2020 8:32:16 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 8/13/2020 9:36 AM, Casey Schaufler wrote:
>> On 8/11/2020 7:10 PM, Paul Moore wrote:
>>> On Tue, Aug 11, 2020 at 8:39 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>>>> Update the Smack security module to use the Netlabel cache
>>>> mechanism to speed the processing of incoming labeled packets.
>>>> There is some refactoring of the existing code that makes it
>>>> simpler, and reduces duplication. The outbound packet labeling
>>>> is also optimized to track the labeling state of the socket.
>>>> Prior to this the socket label was redundantly set on each
>>>> packet send.
>>>>
>>>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>>>> ---
>>>> security/smack/smack.h        |  19 ++--
>>>> security/smack/smack_access.c |  55 ++++++----
>>>> security/smack/smack_lsm.c    | 245 ++++++++++++++++++++++++------------------
>>>> security/smack/smackfs.c      |  23 ++--
>>>> 4 files changed, 193 insertions(+), 149 deletions(-)
>>> FWIW, I gave this a cursory look just now and the NetLabel usage
>>> seemed reasonable.  Out of curiosity, have you done any before/after
>>> performance tests?
>> It's early in the benchmark process, but TCP looks to be about 6% better.
>> UDP numbers should be better. I'm not expecting the level of improvement
>> SELinux saw because the label mapping from CIPSO isn't as sophisticated
>> for Smack as it is for SELinux.
>
> UDP looks like a 12% improvement, which I had expected.
> On the whole, worth the effort.

Great, thanks for the follow-up.

--
paul moore
www.paul-moore.com