summaryrefslogtreecommitdiffstats
path: root/security/selinux/Kconfig
diff options
context:
space:
mode:
authorOndrej Mosnacek <omosnace@redhat.com>2019-11-26 14:57:00 +0100
committerPaul Moore <paul@paul-moore.com>2019-12-09 22:14:51 +0100
commitd97bd23c2d7d866e99eb3a927c742715c85a90ef (patch)
treed5c29d661384fbc83a0244623b9daac7f3715d5a /security/selinux/Kconfig
parentselinux: sidtab reverse lookup hash table (diff)
downloadlinux-d97bd23c2d7d866e99eb3a927c742715c85a90ef.tar.xz
linux-d97bd23c2d7d866e99eb3a927c742715c85a90ef.zip
selinux: cache the SID -> context string translation
Translating a context struct to string can be quite slow, especially if the context has a lot of category bits set. This can cause quite noticeable performance impact in situations where the translation needs to be done repeatedly. A common example is a UNIX datagram socket with the SO_PASSSEC option enabled, which is used e.g. by systemd-journald when receiving log messages via datagram socket. This scenario can be reproduced with: cat /dev/urandom | base64 | logger & timeout 30s perf record -p $(pidof systemd-journald) -a -g kill %1 perf report -g none --pretty raw | grep security_secid_to_secctx Before the caching introduced by this patch, computing the context string (security_secid_to_secctx() function) takes up ~65% of systemd-journald's CPU time (assuming a context with 1024 categories set and Fedora x86_64 release kernel configs). After this patch (assuming near-perfect cache hit ratio) this overhead is reduced to just ~2%. This patch addresses the issue by caching a certain number (compile-time configurable) of recently used context strings to speed up repeated translations of the same context, while using only a small amount of memory. The cache is integrated into the existing sidtab table by adding a field to each entry, which when not NULL contains an RCU-protected pointer to a cache entry containing the cached string. The cache entries are kept in a linked list sorted according to how recently they were used. On a cache miss when the cache is full, the least recently used entry is removed to make space for the new entry. The patch migrates security_sid_to_context_core() to use the cache (also a few other functions where it was possible without too much fuss, but these mostly use the translation for logging in case of error, which is rare). Link: https://bugzilla.redhat.com/show_bug.cgi?id=1733259 Cc: Michal Sekletar <msekleta@redhat.com> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Tested-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul E. McKenney <paulmck@kernel.org> [PM: lots of merge fixups due to collisions with other sidtab patches] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/Kconfig')
-rw-r--r--security/selinux/Kconfig11
1 files changed, 11 insertions, 0 deletions
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index c9e576c430c2..996d35d950f7 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -97,3 +97,14 @@ config SECURITY_SELINUX_SIDTAB_HASH_BITS
collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
chain lengths are high (e.g. > 20) then selecting a higher value here
will ensure that lookups times are short and stable.
+
+config SECURITY_SELINUX_SID2STR_CACHE_SIZE
+ int "NSA SELinux SID to context string translation cache size"
+ depends on SECURITY_SELINUX
+ default 256
+ help
+ This option defines the size of the internal SID -> context string
+ cache, which improves the performance of context to string
+ conversion. Setting this option to 0 disables the cache completely.
+
+ If unsure, keep the default value.