@@ -79,6 +79,38 @@ config SECURITY_SELINUX_AVC_STATS
/sys/fs/selinux/avc/cache_stats, which may be monitored via
tools such as avcstat.
+config SECURITY_SELINUX_AVC_DEF_THRESHOLD
+ int "Default value for AVC reclamation threshold"
+ depends on SECURITY_SELINUX
+ range 64 1048576
+ default "512"
+ help
+ Reclamation threshold effectively sets a limit on AVC size.
+ Increasing this number could improve performance of busy
+ systems with lots of complex policies. Threshold value can
+ also be changed at run-time via selinuxfs.
+
+config SECURITY_SELINUX_AVC_HASH_BITS
+ int "Number of slots (buckets) for AVC hash table, expressed as number of bits (i.e. 2^n)"
+ depends on SECURITY_SELINUX
+ range 1 32
+ default "9"
+ help
+ This is a power of 2 representing the number of slots (buckets)
+ used for AVC hash table. Smaller value reduces memory footprint
+ at price of hash table lookup efficiency.
+
+config SECURITY_SELINUX_AVC_RECLAIM_COUNT
+ int "Number of AVC entries to reclaim in a single cycle"
+ depends on SECURITY_SELINUX
+ range 1 SECURITY_SELINUX_AVC_DEF_THRESHOLD
+ default "16"
+ help
+ A single reclamation cycle will evict this many AVC entries
+ from the cache. Small values may require multiple reclamation
+ cycles to bring AVC size under the threshold. Large values may
+ cause excessive latency of reclamation events.
+
config SECURITY_SELINUX_CHECKREQPROT_VALUE
int "NSA SELinux checkreqprot default value"
depends on SECURITY_SELINUX
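Review bot: The `range 1 32` on SECURITY_SELINUX_AVC_HASH_BITS admits values the consumer cannot represent: the avc.c side of this series expands it as `(1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)`, so 32 shifts an int by its full width (undefined behaviour) and 31 yields a negative slot count, while values well below that would still reserve hundreds of megabytes or more of static memory for the bucket array. Cap the range at something the threshold bound already implies, e.g. `range 1 20` (2^20 matches the 1048576 ceiling on SECURITY_SELINUX_AVC_DEF_THRESHOLD), and say so in the help text: `Values above 20 are rejected because the slot array is statically sized.` Note also that `range 1 SECURITY_SELINUX_AVC_DEF_THRESHOLD` on the reclaim count is only a build-time relation; the threshold is writable via selinuxfs at run time (per the help text), so that ordering is presumably not relied on for correctness — worth a sentence in the RECLAIM_COUNT help if it is.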
@@ -31,9 +31,9 @@
#include "avc_ss.h"
#include "classmap.h"
-#define AVC_CACHE_SLOTS 512
-#define AVC_DEF_CACHE_THRESHOLD 512
-#define AVC_CACHE_RECLAIM 16
+#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)
+#define AVC_DEF_CACHE_THRESHOLD CONFIG_SECURITY_SELINUX_AVC_DEF_THRESHOLD
+#define AVC_CACHE_RECLAIM CONFIG_SECURITY_SELINUX_AVC_RECLAIM_COUNT
#ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
#define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field)
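Review bot: `#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)` has no guard against the shift overflowing: the Kconfig symbol's range reaches 32, for which a shift of a signed int by its width is undefined behaviour, and 31 produces a negative value wherever the macro sizes an array. Add a compile-time check next to the define so a bad configuration fails loudly rather than building something that silently misbehaves: `#if CONFIG_SECURITY_SELINUX_AVC_HASH_BITS >= 31` / `#error "SECURITY_SELINUX_AVC_HASH_BITS too large for AVC_CACHE_SLOTS"` / `#endif`. If the slot count is used as a power-of-two mask elsewhere in this file (not visible in the hunk), a one-line comment on the define noting that invariant would also help the next person who considers making it a plain integer option.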