From patchwork Wed Apr 8 18:24:08 2020
X-Patchwork-Submitter: Siarhei Liakh
X-Patchwork-Id: 11480615
From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 1/9] SELinux: Introduce "Advanced Hashing" Kconfig option
Date: Wed, 8 Apr 2020 14:24:08 -0400
Message-Id: <20200408182416.30995-2-siarhei.liakh@concurrent-rt.com>
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This patch introduces "Advanced Hashing" Kconfig option for SELinux, which is used by subsequent patches to switch between faster, simpler local hash functions and a bit slower, but much better ones from standard Linux library. The patch only adds an option; hash function changes are provided as separate patches, one per function changed.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

security/selinux/Kconfig | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 9e921fc72538..4b5c9fa510a1 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig 
@@ -61,6 +61,15 @@ config SECURITY_SELINUX_DEVELOP permissive mode (if permitted by the policy) via /sys/fs/selinux/enforce. +config SECURITY_SELINUX_ADVANCED_HASHING + bool "Advanced hashing for primary hash tables" + depends on SECURITY_SELINUX + default n + help + This enables better, but a little slower hashing functions in hash + tables. New hashing function greatly reduces hash collisions, thus + improving performance of large/complex SELinux configurations. + config SECURITY_SELINUX_AVC_STATS bool "NSA SELinux AVC Statistics" depends on SECURITY_SELINUX
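Review bot: the help text for SECURITY_SELINUX_ADVANCED_HASHING does not say which hash function is selected or which tables it covers, and "better, but a little slower" followed by "improving performance" leaves the trade-off unclear. Name the function (the later patches in this series use jhash_3words) and say when the extra per-lookup cost pays off. The `default n` line can also be dropped, since a bool option is n unless told otherwise.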
From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 2/9] SELinux: Use Bob Jenkins' lookup3 hash in AVC
Date: Wed, 8 Apr 2020 14:24:09 -0400
Message-Id: <20200408182416.30995-3-siarhei.liakh@concurrent-rt.com>
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This patch allows use of lookup3 as a hash function within AVC with following benefits:

1. lookup3 has much better bit avalanche properties as compared to local version of custom hash function, thus reducing hash table collisions.
2. lookup3 is part of standard Linux library, thus provides a much better long-term maintenance path

Here is an example of how lookup3 improves distribution of entries within AVC:

BJ's lookup3:
entries: 4962
buckets used: 2839/4096
longest chain: 7

Standard hash function:
entries: 4974
buckets used: 2582/4096
longest chain: 12

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

security/selinux/avc.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index d18cb32a242a..b5893621290b 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -121,9 +121,24 @@ static struct kmem_cache *avc_xperms_data_cachep; static struct kmem_cache *avc_xperms_decision_cachep; static struct kmem_cache *avc_xperms_cachep; +#ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING + +#include +#define _avc_hash3(a, b, c) jhash_3words(a, b, c, 0) + +#else /* #ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */ +/* + * Original hashing function + */ +static inline u32 _avc_hash3(u32 a, u32 b, u32 c) +{ + return (a ^ (b << 2) ^ (c << 4)); +} +#endif /* #else #ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */ + static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) { - return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (AVC_CACHE_SLOTS - 1); + return _avc_hash3(ssid, tsid, tclass) & (AVC_CACHE_SLOTS - 1); } /**
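Review bot: in the CONFIG_SECURITY_SELINUX_ADVANCED_HASHING branch, `jhash_3words(a, b, c, 0)` fixes initval at 0, so bucket placement is identical on every boot and every machine; consider passing a seed initialised once at boot so chain lengths cannot be predicted from the key values alone. The two branches also differ in kind (a macro in one, a typed static inline in the other); making both `static inline u32 _avc_hash3(u32 a, u32 b, u32 c)` keeps argument type checking the same in either configuration, and the conditional #include would sit better with the other includes at the top of the file.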
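The avalanche claim in the commit message of patch 2/9, measured in user space as an added example (not part of the patch series or of the kernel sources). `jhash3()` is a transcription of lookup3's final mix as used by `jhash_3words()` and should be checked against include/linux/jhash.h; the key set and the names `measure`, `avc_hash_xor` and `avc_hash_jhash` are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SLOT_MASK 511u  /* AVC_CACHE_SLOTS - 1 for the default 512 slots */
#define NKEYS     256u  /* constructed (ssid, tsid, tclass) sample keys */

typedef uint32_t (*hash3_fn)(uint32_t, uint32_t, uint32_t);

struct avalanche {
	unsigned int flips;     /* single-bit input flips tried */
	unsigned int dead;      /* flips that left the slot index unchanged */
	unsigned int max_bits;  /* most slot-index bits changed by one flip */
	double mean_bits;       /* mean slot-index bits changed per flip */
};

static uint32_t rol32(uint32_t x, unsigned int k)
{
	return (x << k) | (x >> (32 - k));
}

/* The original AVC mix, as on the "-" line of the hunk. */
static uint32_t avc_hash_xor(uint32_t a, uint32_t b, uint32_t c)
{
	return a ^ (b << 2) ^ (c << 4);
}

/* Assumption: user-space transcription of jhash_3words(a, b, c, initval). */
static uint32_t jhash3(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
	uint32_t iv = initval + 0xdeadbeefu + (3u << 2);

	a += iv; b += iv; c += iv;
	c ^= b; c -= rol32(b, 14);
	a ^= c; a -= rol32(c, 11);
	b ^= a; b -= rol32(a, 25);
	c ^= b; c -= rol32(b, 16);
	a ^= c; a -= rol32(c, 4);
	b ^= a; b -= rol32(a, 14);
	c ^= b; c -= rol32(b, 24);
	return c;
}

/* Same call shape as the "+" line: initval fixed at 0. */
static uint32_t avc_hash_jhash(uint32_t a, uint32_t b, uint32_t c)
{
	return jhash3(a, b, c, 0);
}

static unsigned int popcount32(uint32_t v)
{
	unsigned int n = 0;

	for (; v; v &= v - 1)
		n++;
	return n;
}

/* Flip every input bit of every sample key and count slot-index bits that move. */
static struct avalanche measure(hash3_fn h)
{
	struct avalanche r = { 0, 0, 0, 0.0 };
	unsigned long total = 0;

	for (uint32_t i = 0; i < NKEYS; i++) {
		uint32_t key[3] = { 1 + i, 1 + (i * 7) % 97, 1 + i % 60 };
		uint32_t base = h(key[0], key[1], key[2]) & SLOT_MASK;

		for (int word = 0; word < 3; word++) {
			int width = (word == 2) ? 16 : 32;  /* tclass is a u16 */

			for (int bit = 0; bit < width; bit++) {
				uint32_t k[3] = { key[0], key[1], key[2] };
				unsigned int changed;

				k[word] ^= (uint32_t)1 << bit;
				changed = popcount32((h(k[0], k[1], k[2]) & SLOT_MASK) ^ base);
				total += changed;
				r.flips++;
				if (changed == 0)
					r.dead++;
				if (changed > r.max_bits)
					r.max_bits = changed;
			}
		}
	}
	r.mean_bits = (double)total / r.flips;
	return r;
}

int main(void)
{
	struct avalanche x = measure(avc_hash_xor);
	struct avalanche j = measure(avc_hash_jhash);

	printf("xor-shift: flips=%u dead=%u max=%u mean=%.3f\n",
	       x.flips, x.dead, x.max_bits, x.mean_bits);
	printf("lookup3:   flips=%u dead=%u max=%u mean=%.3f\n",
	       j.flips, j.dead, j.max_bits, j.mean_bits);
	return 0;
}
```

With a 9-bit slot index the XOR-and-shift mix moves at most one index bit per input bit, and any input bit shifted past bit 8 never reaches the index, which is why keys that differ only in high SID bits share a bucket.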
From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 3/9] SELinux: Expose AVC sizing tunables via Kconfig
Date: Wed, 8 Apr 2020 14:24:10 -0400
Message-Id: <20200408182416.30995-4-siarhei.liakh@concurrent-rt.com>
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This change exposes previously hardcoded AVC sizing tunables via Kconfig, which provides a more convenient tuning mechanism for downstream distributions. Default sizing is not affected.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

security/selinux/Kconfig | 32 ++++++++++++++++++++++++++++++++
security/selinux/avc.c | 6 +++---
2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 4b5c9fa510a1..3a736a1c6806 100644 --- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig @@ -79,6 +79,38 @@ config SECURITY_SELINUX_AVC_STATS /sys/fs/selinux/avc/cache_stats, which may be monitored via tools such as avcstat. +config SECURITY_SELINUX_AVC_DEF_THRESHOLD + int "Default value for AVC reclamation threshold" + depends on SECURITY_SELINUX + range 64 1048576 + default "512" + help + Reclamation threshold effectively sets a limit on AVC size. + Increasing this number could improve performance of busy + systems with lots of complex policies. Threshold value can + also be changed at run-time via selinuxfs. + +config SECURITY_SELINUX_AVC_HASH_BITS + int "Number of slots (buckets) for AVC hash table, expressed as number of bits (i.e. 2^n)" + depends on SECURITY_SELINUX + range 1 32 + default "9" + help + This is a power of 2 representing the number of slots (buckets) + used for AVC hash table. Smaller value reduces memory footprint + at price of hash table lookup efficiency. + +config SECURITY_SELINUX_AVC_RECLAIM_COUNT + int "Number of AVC entries to reclaim in a single cycle" + depends on SECURITY_SELINUX + range 1 SECURITY_SELINUX_AVC_DEF_THRESHOLD + default "16" + help + A single reclamation cycle will evict this many AVC entries + from the cache. Small values may require multiple reclamation + cycles to bring AVC size under the threshold. Large values may + cause excessive latency of reclamation events. + config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX diff --git a/security/selinux/avc.c b/security/selinux/avc.c index b5893621290b..80af3d1f31fd 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c 
@@ -31,9 +31,9 @@ #include "avc_ss.h" #include "classmap.h" -#define AVC_CACHE_SLOTS 512 -#define AVC_DEF_CACHE_THRESHOLD 512 -#define AVC_CACHE_RECLAIM 16 +#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS) +#define AVC_DEF_CACHE_THRESHOLD CONFIG_SECURITY_SELINUX_AVC_DEF_THRESHOLD +#define AVC_CACHE_RECLAIM CONFIG_SECURITY_SELINUX_AVC_RECLAIM_COUNT #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field)
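Review bot: in the Kconfig hunk, `range 1 32` on SECURITY_SELINUX_AVC_HASH_BITS admits table sizes far beyond anything the help text discusses (the default is 9, i.e. 512 slots); cap the range at a size the slot table can realistically be allocated at and say in the help text how memory use grows per bit. SECURITY_SELINUX_AVC_RECLAIM_COUNT is bounded by the build-time default threshold, yet the threshold help says the value can be changed at run-time via selinuxfs, so the bound no longer holds once the threshold is lowered; the help text should mention that.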
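Review bot: in the avc.c hunk, `#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)` shifts a signed int, which overflows at 31 and is undefined at 32, both of which the Kconfig range in this patch allows. Use `1U <<` or BIT() together with a tighter range, and add a short comment above the three defines pointing at the Kconfig entries, since the values 512, 512 and 16 are no longer visible in the file.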
From: siarhei.liakh@concurrent-rt.com To: selinux@vger.kernel.org Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de Subject: [PATCH 4/9] SELinux: Replace custom hash in avtab with generic lookup3 from the library Date: Wed, 8 Apr 2020 14:24:11 -0400 Message-Id: <20200408182416.30995-5-siarhei.liakh@concurrent-rt.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com> References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com> X-ClientProxiedBy: BN6PR19CA0058.namprd19.prod.outlook.com (2603:10b6:404:e3::20) To MN2PR11MB3885.namprd11.prod.outlook.com (2603:10b6:208:151::27) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from sl-s76.concurrent-rt.com (65.190.80.89) by BN6PR19CA0058.namprd19.prod.outlook.com (2603:10b6:404:e3::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.16 via Frontend Transport; Wed, 8 Apr 2020 18:24:31 +0000 X-Mailer: git-send-email 2.17.1 X-Originating-IP: [65.190.80.89] X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: cb648525-ff96-4715-443d-08d7dbea14cb X-MS-TrafficTypeDiagnostic: MN2PR11MB4677: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:6790; X-Forefront-PRVS: 0367A50BB1 X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MN2PR11MB3885.namprd11.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(10019020)(366004)(346002)(396003)(376002)(39830400003)(136003)(9686003)(6666004)(508600001)(316002)(6486002)(6916009)(8676002)(52116002)(7696005)(81156014)(8936002)(1076003)(66476007)(186003)(4326008)(86362001)(2906002)(81166007)(16526019)(2616005)(26005)(956004)(66946007)(66556008)(36756003)(5660300002)(41533002);DIR:OUT;SFP:1102; Received-SPF: None (protection.outlook.com: concurrent-rt.com does 
not designate permitted sender hosts) X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: lb8+5c7EmPYleQGtS7H1SgOTJfmIR6FiJGS5Fq4J7iqG8nMsYVcjp9wnWseJ8IpKQfR/JxgpUOrOWIsoS4sOc2ZE1jX3J7490JAenrSALQgROWQB7/y62KBLkhATWmXFtjelVGQqb7pXD8wTKwZ4VNWY4CE2Uq7lEG4R+hyF6s8+lyLwWVO/9IwnRZ7hrnnifRNAmJpVr5+PnrkCo/Umy4RExVGFYtOFqPfltOKrU4ZGkHx/xgKS8kZKMSwIw52VcwvoaZIFcSP5qI3aYCc44T/z3D0bsYg60s4yiYGtAkPOc4Ghkk8EiEZj/43plr/a6Mon983MzJfz6BE5fP/Wx7qT9ZANVkryFj+eW7YESIwwzH6wdZS8ajPoh04vNngPtHzThg9PpFQftzkWHNGuxUconfXXxybE8yRbpkkJIFQW3foy7e9HbUphRdq4gyNQ3wBMvGyIbR2CELOZXuJfNIgECpFkSxFa2XuDeaHhqicSXjd2wov4Y/4+e0KTKKd2 X-MS-Exchange-AntiSpam-MessageData: 4KSwl4yCct72ljWRgFKoQd1OXuRyNGWO5k10X2rOma0Woq5Eb4U3Z0Q5XbVrKLDkYsfLRhhcxe3BsrkZvaVbIV3CERztx3/pwwtP/aZ4jk4swepPgA68BFCxnJLWJYBV2R2uqGFopq105feZlxXcxA== X-OriginatorOrg: concurrent-rt.com X-MS-Exchange-CrossTenant-Network-Message-Id: cb648525-ff96-4715-443d-08d7dbea14cb X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Apr 2020 18:24:31.5789 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38747689-e6b0-4933-86c0-1116ee3ef93e X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: mP6sD9NQAlOTTdXERCauiXNHQH8ulKyfJ38xSX17eZ3XaR6XAeJSCBm/4k+KB6HKpC+Ulx0O4v357IY26YM1QJNjVq6/UBDn9AUlBEM3hwA= X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4677 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org 

From: Siarhei Liakh

This patch replaces the local copy of the custom implementation of
MurmurHash3 in avtab.c with the existing generic implementation of lookup3
from the standard Linux library. The library version of the hash used to mix
3 x u32 values is comparable to the custom implementation in run time
complexity and bit avalanche.

This change allows reducing the amount of custom code which has to be
maintained, while preserving overall performance of the hash table in
question.

Before (MurmurHash3):
rules: 282731 entries and 64534/65536 buckets used, longest chain length 17
sum of chain length^2 1522043

After (lookup3):
rules: 282731 entries and 64572/65536 buckets used, longest chain length 16
sum of chain length^2 1517651

Please note that either hash can show a slight [dis]advantage over the other
depending purely on the actual rule sets loaded and the number of buckets
configured.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

 security/selinux/ss/avtab.c | 39 +++++--------------------------------
 1 file changed, 5 insertions(+), 34 deletions(-)

diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c
index 01b300a4a882..58f0de17e463 100644
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -20,49 +20,20 @@ #include #include #include +#include #include "avtab.h" #include "policydb.h" static struct kmem_cache *avtab_node_cachep; static struct kmem_cache *avtab_xperms_cachep; -/* Based on MurmurHash3, written by Austin Appleby and placed in the - * public domain. +/* + * Use existing Bob Jenkins' lookup3 hash from the library */ static inline int avtab_hash(struct avtab_key *keyp, u32 mask) { - static const u32 c1 = 0xcc9e2d51; - static const u32 c2 = 0x1b873593; - static const u32 r1 = 15; - static const u32 r2 = 13; - static const u32 m = 5; - static const u32 n = 0xe6546b64; - - u32 hash = 0; - -#define mix(input) { \ - u32 v = input; \ - v *= c1; \ - v = (v << r1) | (v >> (32 - r1)); \ - v *= c2; \ - hash ^= v; \ - hash = (hash << r2) | (hash >> (32 - r2)); \ - hash = hash * m + n; \ -} - - mix(keyp->target_class); - mix(keyp->target_type); - mix(keyp->source_type); - -#undef mix - - hash ^= hash >> 16; - hash *= 0x85ebca6b; - hash ^= hash >> 13; - hash *= 0xc2b2ae35; - hash ^= hash >> 16; - - return hash & mask; + return jhash_3words(keyp->target_class, keyp->target_type, + keyp->source_type) & mask; } static struct avtab_node* From patchwork Wed Apr 8 18:24:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siarhei Liakh X-Patchwork-Id: 11480619 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C18961744 for ; Wed, 8 Apr 2020 18:24:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9F00F20784 for ; Wed, 8 Apr 2020 18:24:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=concurrentrt.onmicrosoft.com header.i=@concurrentrt.onmicrosoft.com header.b="x840W/4n" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730869AbgDHSYk 
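Review bot: the new avtab_hash() body calls jhash_3words() with only three arguments (target_class, target_type, source_type), while the jhash_3words() call added to policydb.c in patch 6/9 of this series passes a fourth initval argument (0). The helper in include/linux/jhash.h takes (a, b, c, initval), so this call needs an explicit initval, for example `jhash_3words(keyp->target_class, keyp->target_type, keyp->source_type, 0) & mask`. avtab_hash() also still returns int although both the hash and the mask are u32; returning u32 would avoid the implicit conversion. The replacement comment says only that lookup3 comes "from the library"; naming jhash_3words() and linux/jhash.h there would save the next reader a search.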

From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 5/9] SELinux: Expose AVTab sizing tunables via Kconfig
Date: Wed, 8 Apr 2020 14:24:12 -0400
Message-Id: <20200408182416.30995-6-siarhei.liakh@concurrent-rt.com>
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This change exposes previously hardcoded AVTab sizing tunables via Kconfig,
which provides a more convenient tuning mechanism for downstream
distributions. Default sizing is not affected.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

 security/selinux/Kconfig    | 12 ++++++++++++
 security/selinux/ss/avtab.h |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 3a736a1c6806..b7ced53ffd76 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -111,6 +111,18 @@ config SECURITY_SELINUX_AVC_RECLAIM_COUNT cycles to bring AVC size under the threshold. Large values may cause excessive latency of reclamation events. +config SECURITY_SELINUX_AVTAB_HASH_BITS + int "Number of slots (buckets) for AVTab hash table, expressed as number of bits (i.e. 2^n)" + depends on SECURITY_SELINUX + range 1 32 + default "16" + help + This is a power of 2 representing the number of slots (buckets) + used for AVTab hash table. AVTab is the core SELinux database + holding all of the applicable rules. Smaller value reduces memory + footprint at price of hash table lookup efficiency. One bucket + per 10 to 100 rules is reasonable. + config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h index 5fdcb6696bcc..52b3f82ddacd 100644 --- a/security/selinux/ss/avtab.h +++ b/security/selinux/ss/avtab.h 
@@ -110,7 +110,7 @@ struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key); struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified); -#define MAX_AVTAB_HASH_BITS 16 +#define MAX_AVTAB_HASH_BITS CONFIG_SECURITY_SELINUX_AVTAB_HASH_BITS #define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS) #endif /* _SS_AVTAB_H_ */ From patchwork Wed Apr 8 18:24:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siarhei Liakh X-Patchwork-Id: 11480617 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 972251392 for ; Wed, 8 Apr 2020 18:24:41 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6A74F20784 for ; Wed, 8 Apr 2020 18:24:41 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=concurrentrt.onmicrosoft.com header.i=@concurrentrt.onmicrosoft.com header.b="nZtrAA2O" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730862AbgDHSYk (ORCPT ); Wed, 8 Apr 2020 14:24:40 -0400 Received: from mail-eopbgr770139.outbound.protection.outlook.com ([40.107.77.139]:43525 "EHLO NAM02-SN1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730860AbgDHSYj (ORCPT ); Wed, 8 Apr 2020 14:24:39 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dQSL2shHUrXNhPWSePR9f99w1jD1QTImDPQc7gwJFVnVa91bGe+gteEadic85WL4Uxsm84HonI5fWbFBd57YtBKVKLmPslq9gdaq/hNtDzxT41b0wY3BTc2sAqeAUQUXcpExM34Rt3UsQiHQFfcBp/7k1JYAcJa4vhThiu1TJ3jrXwPsPqnMtKaV+FbwySgJzYR/mRRG7XYTpexK2AWKUtCQm91j4fHr0YSgdyiq0L/ndz/z71yjXyBH8AqdHD30Q3Q2LWqRwezXG9xuCEghnqN8wrqRXxq3m4kFvmFL9iUzn1AfeJ8MHcGBWfyY1b43ICH6my00cdSIgOukKVRTtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; 
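Review bot: `range 1 32` in the new SECURITY_SELINUX_AVTAB_HASH_BITS entry admits values that the avtab.h hunk cannot represent, because MAX_AVTAB_HASH_BUCKETS is still `(1 << MAX_AVTAB_HASH_BITS)`, a shift of a signed int: 31 shifts into the sign bit and 32 is undefined behaviour. Either cap the range well below 31 or make the shift unsigned (`1U <<`) and check that every user of MAX_AVTAB_HASH_BUCKETS copes with the wider value. The help text gives "one bucket per 10 to 100 rules" as guidance; adding the memory cost per bucket would let a distribution choose a value without reading avtab.c.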

From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 6/9] SELinux: Replace custom hash with generic lookup3 in policydb
Date: Wed, 8 Apr 2020 14:24:13 -0400
Message-Id: <20200408182416.30995-7-siarhei.liakh@concurrent-rt.com>
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This patch replaces the local copy of the custom hash function with the
existing implementation of lookup3 from the standard Linux library. This
change allows reducing the amount of custom code which has to be maintained,
while potentially improving overall performance of the hash table in
question.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

 security/selinux/ss/policydb.c | 43 +++++++++++++++++++++++++++-------
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 70ecdc78efbd..0d03036ca20d 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -41,6 +41,10 @@ #include "mls.h" #include "services.h" +#ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING +#include +#endif /* #ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */ + #define _DEBUG_HASHES #ifdef DEBUG_HASHES 
@@ -399,6 +403,27 @@ static int roles_init(struct policydb *p) return rc; } +#ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING + +static u32 filenametr_hash(struct hashtab *h, const void *k) +{ + const struct filename_trans_key *ft = k; + unsigned long hash; + + hash = jhash_2words(ft->ttype, ft->tclass, 0); + hash = jhash(ft->name, strlen(ft->name), hash); + return hash & (h->size - 1); +} + +static u32 rangetr_hash(struct hashtab *h, const void *k) +{ + const struct range_trans_key *key = k; + return jhash_3words(key->source_type, key->target_type, + key->target_class, 0) & (h->size - 1); +} + +#else /* #ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */ + static u32 filenametr_hash(struct hashtab *h, const void *k) { const struct filename_trans_key *ft = k; @@ -414,6 +439,16 @@ static u32 filenametr_hash(struct hashtab *h, const void *k) return hash & (h->size - 1); } +static u32 rangetr_hash(struct hashtab *h, const void *k) +{ + const struct range_trans *key = k; + + return (key->source_type + (key->target_type << 3) + + (key->target_class << 5)) & (h->size - 1); +} + +#endif /* #else #ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */ + static int filenametr_cmp(struct hashtab *h, const void *k1, const void *k2) { const struct filename_trans_key *ft1 = k1; 
@@ -432,14 +467,6 @@ static int filenametr_cmp(struct hashtab *h, const void *k1, const void *k2) } -static u32 rangetr_hash(struct hashtab *h, const void *k) -{ - const struct range_trans *key = k; - - return (key->source_type + (key->target_type << 3) + - (key->target_class << 5)) & (h->size - 1); -} - static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2) { const struct range_trans *key1 = k1, *key2 = k2; From patchwork Wed Apr 8 18:24:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siarhei Liakh X-Patchwork-Id: 11480623 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BE90A1392 for ; Wed, 8 Apr 2020 18:24:43 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 92C742087E for ; Wed, 8 Apr 2020 18:24:43 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=concurrentrt.onmicrosoft.com header.i=@concurrentrt.onmicrosoft.com header.b="nNxwDawY" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729827AbgDHSYn (ORCPT ); Wed, 8 Apr 2020 14:24:43 -0400 Received: from mail-eopbgr770102.outbound.protection.outlook.com ([40.107.77.102]:22754 "EHLO NAM02-SN1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730840AbgDHSYk (ORCPT ); Wed, 8 Apr 2020 14:24:40 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fJGl7uOU4vr8FXc4xcxPoeU6gzT7KpPKiP6EFxHsWoOXQB1bIaqooE7trl/CpL+p/Xk2chn1H0v+ZRSARWMMfQsHaNb8Z7xVwqiNQAQWvo5eF9w39ybsfizjYsFsMpYZEUcAXRJTE99H9LEUKDHheJ9UFkvX8bPmHNtlDV9QHT59TkFwT3jga7k7LzUXIfGYfe757p7oPrcoIKSyVXredAshKvyIYYZwU3GN7paEdmSUF83qN279PLa/s2frwr5o3y4pJ3SMj3aGCspZzcaOVhukD9pV0DiH2vZzPWZc8cj0RlGHZEYXPZ2CHOjmNOamF2MAngv12jw7DDJU/JTfFQ== 
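Review bot: in the @@ -399 hunk the CONFIG_SECURITY_SELINUX_ADVANCED_HASHING variant of rangetr_hash() casts the key to `const struct range_trans_key *`, while the fallback copy added in the following hunk and the rangetr_cmp() context line both use `const struct range_trans *`; unless both types exist in the target tree one branch will not build, so use the same type as rangetr_cmp() in both. In the new filenametr_hash(), `hash` is declared unsigned long although it holds the u32 result of jhash_2words() and is passed back as the u32 initval of jhash(); declare it u32. Keeping two complete copies of both hash functions under #ifdef/#else also adds code to maintain, which runs against the stated goal of the change; one function per table with the #ifdef around the hash computation only would be smaller. The new rangetr_hash() is missing the blank line after its declaration.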

From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 7/9] SELinux: Expose filename_tr hash table sizing via Kconfig
Date: Wed, 8 Apr 2020 14:24:14 -0400
Message-Id: <20200408182416.30995-8-siarhei.liakh@concurrent-rt.com>
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This change exposes previously hardcoded filename_tr sizing via Kconfig,
which provides a more convenient tuning mechanism for downstream
distributions. Default sizing is not affected.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

 security/selinux/Kconfig       | 10 ++++++++++
 security/selinux/ss/policydb.c |  3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index b7ced53ffd76..23ec741b1ce6 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -123,6 +123,16 @@ config SECURITY_SELINUX_AVTAB_HASH_BITS footprint at price of hash table lookup efficiency. One bucket per 10 to 100 rules is reasonable. +config SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS + int "Number of slots (buckets) for File Transitions hash table, expressed as number of bits (i.e. 2^n)" + depends on SECURITY_SELINUX + range 1 32 + default "11" + help + This is a power of 2 representing the number of slots (buckets) + used for File Transitions hash table. Smaller value reduces memory + footprint at price of hash table lookup efficiency. + config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 0d03036ca20d..f2d809dffb25 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c 
@@ -496,7 +496,8 @@ static int policydb_init(struct policydb *p) cond_policydb_init(p); p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp, - (1 << 11)); + (1 << CONFIG_SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS)); + if (!p->filename_trans) return -ENOMEM; From patchwork Wed Apr 8 18:24:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siarhei Liakh X-Patchwork-Id: 11480627 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C2A071744 for ; Wed, 8 Apr 2020 18:24:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A013B20753 for ; Wed, 8 Apr 2020 18:24:46 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=concurrentrt.onmicrosoft.com header.i=@concurrentrt.onmicrosoft.com header.b="LsJOrGFR" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730870AbgDHSYn (ORCPT ); Wed, 8 Apr 2020 14:24:43 -0400 Received: from mail-eopbgr770139.outbound.protection.outlook.com ([40.107.77.139]:43525 "EHLO NAM02-SN1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1730867AbgDHSYk (ORCPT ); Wed, 8 Apr 2020 14:24:40 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FJQaih2I9j+6PTm0b75WPEdvaCQjXwKOL/CgeBP/lld/W987mdGRwBxfijlaplBRzOIYhhAohwFeW3JjZRv8fzSQ5VqXBeVDiUwP+TD3hdBCkOJzuM1hMIseq2f8r7auqbhACSTZnRyZmeExEiY7TYD2QSy8Iy8s9VD1x03h6jKlHfoTsLnwBUpwftIHciqGZmpN3Br7Rkogsym/LNcNyBMbSm60cWAn06Jln117XC/2FkiGMd7Sf+dG5oTk0ql4WwTHAsGKcRqRWllrEKFSTbOlaYGzwbWeSZ5kAyedldrEEBFHregtFoA1SOoM+3zQsqQBiF6Seh9KgwTDSDIgAg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; 
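Review bot: as with the AVTab option in patch 5/9, `range 1 32` lets SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS reach values where `(1 << CONFIG_SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS)` in policydb_init() shifts a signed int into the sign bit (31) or is undefined (32); narrow the range or use an unsigned shift. The policydb.c hunk also adds an empty line between the hashtab_create() call and its `if (!p->filename_trans)` check, and the new argument line runs past 80 columns; drop the blank line and consider a named macro for the size, as avtab.h does with MAX_AVTAB_HASH_BUCKETS.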
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NZMiYpVueZyIHbLVbGFzvxDBQU9pghZxULZSdPSRZFI=; b=QSLn1RTyDPIoCFoShUsDTTLzhz+Idoj/XZr96KL2RVHxfk3oVyNNBxg6S9wU8scoMi3ciKHA5BROUy6+1KCtGYkV/9ZtCDFjZwyDi4ThIVf2ZrbhHhG+MDajbs1avaqC3EySPYHysqG3CQWPZkSVkDHr0qY4MufELGOULG9RwYOpBacG9KICBilFaGD6VB/rNxkpjCENm9SFkuf4fFRqp605YByuIKtZ9Zho6gbh6cl9egeVQG5vgdvHW+QpCaQWA0hGfh/JDmbvv4TtgBqcE1bJSe4gpTVxlhqDBy+YDOvOrwaQzNuiZsbxV7y3s5L+60OwkwKWitZff/FMCvAkSQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=concurrent-rt.com; dmarc=pass action=none header.from=concurrent-rt.com; dkim=pass header.d=concurrent-rt.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=concurrentrt.onmicrosoft.com; s=selector2-concurrentrt-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NZMiYpVueZyIHbLVbGFzvxDBQU9pghZxULZSdPSRZFI=; b=LsJOrGFRqDWDkUVey9RIgdXVuFeU5zO13dmRowTXunOEDtMdvtAltWLlVGpwnoVhk4Ud5QhWzGHmbrZvVLmMbkJkNoC9JtKao4uwspQdp4/vNxYPCFdGw2DR1qOAYQGCMLMvrNoYM48humKQecBnVTOBMSHFrRBWWHHavIspkPo= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Siarhei.Liakh@concurrent-rt.com; Received: from MN2PR11MB3885.namprd11.prod.outlook.com (2603:10b6:208:151::27) by MN2PR11MB4677.namprd11.prod.outlook.com (2603:10b6:208:24e::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2900.15; Wed, 8 Apr 2020 18:24:35 +0000 Received: from MN2PR11MB3885.namprd11.prod.outlook.com ([fe80::984:ec50:d6de:dc0a]) by MN2PR11MB3885.namprd11.prod.outlook.com ([fe80::984:ec50:d6de:dc0a%4]) with mapi id 15.20.2878.018; Wed, 8 Apr 2020 18:24:35 +0000 
From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 8/9] SELinux: Replace custom hash with generic lookup3 in symtab
Date: Wed, 8 Apr 2020 14:24:15 -0400
Message-Id: <20200408182416.30995-9-siarhei.liakh@concurrent-rt.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This patch replaces local copy of custom hash function with existing implementation of lookup3 from the standard Linux library. This change allows to reduce the amount of custom code which has to be maintained, while potentially improving overall performance of the hash table in question.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

 security/selinux/ss/symtab.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/security/selinux/ss/symtab.c b/security/selinux/ss/symtab.c index dc2ce94165d3..8d189d7683d1 100644 --- a/security/selinux/ss/symtab.c +++ b/security/selinux/ss/symtab.c @@ -9,6 +9,16 @@ #include #include "symtab.h" +#ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING +#include + +static unsigned int symhash(struct hashtab *h, const void *key) +{ + return jhash(key, strlen((const char *) key), 0) & (h->size - 1); +} + +#else /* #ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */ + static unsigned int symhash(struct hashtab *h, const void *key) { const char *p, *keyp; 
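Review bot: the commit message says the custom hash is replaced, but this hunk only adds a jhash()-based symhash() under `#ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING` and keeps the existing function under `#else` (the diffstat shows 12 insertions and no deletions), so two implementations now have to be maintained and tested instead of one. Either remove the old function outright or reword the message to say the new hash is an optional alternative. The new symhash() also calls strlen() on the key and passes a fixed initval of 0 to jhash(); a short comment stating that keys are expected to be NUL-terminated strings would document both choices. The trailing comment on `#else` would read more conventionally as just `/* CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */`.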
@@ -23,6 +33,8 @@ static unsigned int symhash(struct hashtab *h, const void *key) return val & (h->size - 1); } +#endif /* #else #ifdef CONFIG_SECURITY_SELINUX_ADVANCED_HASHING */ + static int symcmp(struct hashtab *h, const void *key1, const void *key2) { const char *keyp1, *keyp2;
From patchwork Wed Apr 8 18:24:16 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siarhei Liakh X-Patchwork-Id: 11480625
From: siarhei.liakh@concurrent-rt.com
To: selinux@vger.kernel.org
Cc: colin.king@canonical.com, eparis@parisplace.org, gregkh@linuxfoundation.org, jeffv@google.com, omosnace@redhat.com, paul@paul-moore.com, stephen.smalley.work@gmail.com, tglx@linutronix.de
Subject: [PATCH 9/9] SELinux: Expose netport hash table sizing via Kconfig
Date: Wed, 8 Apr 2020 14:24:16 -0400
Message-Id: <20200408182416.30995-10-siarhei.liakh@concurrent-rt.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>
References: <20200408182416.30995-1-siarhei.liakh@concurrent-rt.com>

From: Siarhei Liakh

This change exposes previously hardcoded netport sizing tunables via Kconfig, which provides a more convenient tuning mechanism for downstream distributions. Default sizing is not affected.

Signed-off-by: Siarhei Liakh
---
Please CC me directly in all replies.

 security/selinux/Kconfig | 20 ++++++++++++++++++++
 security/selinux/netport.c | 4 ++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 23ec741b1ce6..d65626142bcf 100644 --- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig @@ -133,6 +133,26 @@ config SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS used for File Transitions hash table. Smaller value reduces memory footprint at price of hash table lookup efficiency. +config SECURITY_SELINUX_NETPORT_HASH_BITS + int "Number of slots (buckets) for Netport hash table, expressed as number of bits (i.e. 2^n)" + depends on SECURITY_SELINUX + range 1 16 + default "8" + help + This is a power of 2 representing the number of slots (buckets) + used for Netport hash table. Smaller value reduces memory + footprint at price of hash table lookup efficiency. + +config SECURITY_SELINUX_NETPORT_HASH_BLIMIT + int "Bucket size limit for Netport hash table." + depends on SECURITY_SELINUX + range 1 131072 + default "16" + help + This is a an upper limit on number of entries a bucket can hold + within Netport hash. Lower values conserve memory at price of + more expensive lookups when a Netport cache miss occurs. + config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX diff --git a/security/selinux/netport.c b/security/selinux/netport.c index de727f7489b7..ef8e9abcadf7 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c @@ -32,8 +32,8 @@ #include "netport.h" #include "objsec.h" -#define SEL_NETPORT_HASH_SIZE 256 -#define SEL_NETPORT_HASH_BKT_LIMIT 16 +#define SEL_NETPORT_HASH_SIZE (1 << CONFIG_SECURITY_SELINUX_NETPORT_HASH_BITS) +#define SEL_NETPORT_HASH_BKT_LIMIT CONFIG_SECURITY_SELINUX_NETPORT_HASH_BLIMIT struct sel_netport_bkt { int size;
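Review bot: in the Kconfig hunk, `range 1 16` on SECURITY_SELINUX_NETPORT_HASH_BITS combined with `range 1 131072` on SECURITY_SELINUX_NETPORT_HASH_BLIMIT allows 2^16 buckets of 131072 entries each, roughly 2^33 cached entries, so at the upper end the bucket limit no longer bounds memory in any practical sense. Please tighten the upper bounds or justify them, and say in the help text that the maximum cache size is the product of the two options. Two smaller points in the BLIMIT entry: the help text reads "This is a an upper limit" (doubled article), and the prompt string ends with a period while the HASH_BITS prompt above it does not.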
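Review bot: in the netport.c hunk, SEL_NETPORT_HASH_SIZE changes from a fixed 256 to `(1 << CONFIG_SECURITY_SELINUX_NETPORT_HASH_BITS)`, which can be any power of two from 2 to 65536, yet only the two #define lines are touched. The commit message should state that every user of the macro in netport.c, the bucket index computation in particular, was checked to rely on SEL_NETPORT_HASH_SIZE and not on a literal 256 or an 8-bit assumption. A short comment above the defines naming the two Kconfig options would also document where the values now come from.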