
[v2,0/4] selinux: avtab arrays and refactors

Message ID 20230929195617.65120-1-jsatterfield.linux@gmail.com (mailing list archive)


Jacob Satterfield Sept. 29, 2023, 7:56 p.m. UTC
As the refpolicy and the default Fedora policy continue to grow in
size, especially with regard to rules / access vectors, the memory
usage of the policydb and runtime to search through it increases.
Looking at /proc/slabinfo indicates that the avtab_node_cachep
kmem_cache is significantly responsible for overall memory usage and
was a good target for optimizations. Running "perf record" on the
"load_policy" command shows that a majority of time is spent adding
rules into the avtab.

This patch series is an attempt at optimizing these hot spots within the
security server implementation to help it scale with additional rules
in the future.

All patches are independent of each other.

Patches 1-3 are a series of refactors of the internal avtab.c
interfaces and code paths with no logic changes. They remove duplicative
code and homogenize access patterns.

Patch 4 changes avtab to use arrays instead of a kmem_cache for
individual nodes of the hashtable.

Jacob Satterfield (4):
  selinux: simplify avtab_insert_node() prototype
  selinux: refactor avtab_node comparisons
  selinux: avtab iteration macros
  selinux: use arrays for avtab hashtable nodes

 security/selinux/ss/avtab.c       | 206 ++++++++++++++----------------
 security/selinux/ss/avtab.h       |   4 +-
 security/selinux/ss/conditional.c |  37 ++++--
 security/selinux/ss/conditional.h |   2 +-
 4 files changed, 123 insertions(+), 126 deletions(-)
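The /proc/slabinfo observation in the cover letter (that avtab_node_cachep dominates slab memory after a policy load) can be reproduced with the helpers below. This is an added example for this page, not code from the patch series or from the kernel; the slabinfo lines are constructed sample data, the page size defaults to 4096 bytes as an assumption (override with PAGE_SIZE), and the field positions follow the header line that the kernel prints for "slabinfo - version: 2.1".

```shell
#!/bin/sh
# Constructed sample of /proc/slabinfo (version 2.1 layout). The numbers are
# illustrative only and are not measurements from any real system.
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
avtab_node_cachep  1200000 1200000     24  170    1 : tunables    0    0    0 : slabdata   7059   7059      0
avtab_xperms_cachep    4000    4080     40  102    1 : tunables    0    0    0 : slabdata     40     40      0
dentry               40000   42000    192   21    1 : tunables    0    0    0 : slabdata   2000   2000      0'

# Field layout of a slabinfo data line (1-based awk fields):
#   $1 name  $2 active_objs  $3 num_objs  $4 objsize  $5 objperslab
#   $6 pagesperslab  ... $14 active_slabs  $15 num_slabs  $16 sharedavail
# Memory actually committed to a cache is num_slabs * pagesperslab * PAGE_SIZE,
# which counts the pages the allocator holds, not just the live objects.

# slab_bytes CACHE [FILE]: print committed bytes for CACHE, read from FILE or
# stdin ("-"). Exits non-zero if the cache is not present.
slab_bytes() {
    awk -v name="$1" -v page="${PAGE_SIZE:-4096}" '
        $1 == name { print $15 * $6 * page; found = 1 }
        END { exit found ? 0 : 1 }' "${2:--}"
}

# slab_top [N] [FILE]: list the N largest caches by committed bytes, one
# "<bytes> <name>" pair per line, largest first. Header and comment lines
# of the slabinfo format are skipped.
slab_top() {
    awk -v page="${PAGE_SIZE:-4096}" '
        /^(slabinfo|#)/ { next }
        { printf "%d %s\n", $15 * $6 * page, $1 }' "${2:--}" \
        | sort -rn | head -n "${1:-10}"
}

# Typical use on a live system (reading /proc/slabinfo requires root):
#   slab_top 10 /proc/slabinfo
#   slab_bytes avtab_node_cachep /proc/slabinfo
```

Run against the constructed sample, `slab_top` ranks avtab_node_cachep first because it holds over a million 24-byte nodes, which is exactly the pattern the cover letter describes; on a real host, run it before and after `load_policy` to see how the cache grows with the rule count.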