linux_dsm_epyc7002/security/selinux/ss
Ondrej Mosnacek d97bd23c2d selinux: cache the SID -> context string translation
Translating a context struct to string can be quite slow, especially if
the context has a lot of category bits set. This can cause quite
noticeable performance impact in situations where the translation needs
to be done repeatedly. A common example is a UNIX datagram socket with
the SO_PASSSEC option enabled, which is used e.g. by systemd-journald
when receiving log messages via datagram socket. This scenario can be
reproduced with:

    cat /dev/urandom | base64 | logger &
    timeout 30s perf record -p $(pidof systemd-journald) -a -g
    kill %1
    perf report -g none --pretty raw | grep security_secid_to_secctx

Before the caching introduced by this patch, computing the context
string (security_secid_to_secctx() function) takes up ~65% of
systemd-journald's CPU time (assuming a context with 1024 categories
set and Fedora x86_64 release kernel configs). After this patch
(assuming near-perfect cache hit ratio) this overhead is reduced to just
~2%.

This patch addresses the issue by caching a certain number (compile-time
configurable) of recently used context strings to speed up repeated
translations of the same context, while using only a small amount of
memory.

The cache is integrated into the existing sidtab table by adding a field
to each entry, which when not NULL contains an RCU-protected pointer to
a cache entry containing the cached string. The cache entries are kept
in a linked list sorted according to how recently they were used. On a
cache miss when the cache is full, the least recently used entry is
removed to make space for the new entry.

The patch migrates security_sid_to_context_core() to use the cache (also
a few other functions where it was possible without too much fuss, but
these mostly use the translation for logging in case of error, which is
rare).

Link: https://bugzilla.redhat.com/show_bug.cgi?id=1733259
Cc: Michal Sekletar <msekleta@redhat.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov>
Tested-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
[PM: lots of merge fixups due to collisions with other sidtab patches]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-12-09 16:14:51 -05:00
..
avtab.c selinux: convert to kvmalloc 2019-03-12 10:04:02 -07:00
avtab.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
conditional.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
conditional.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 372 2019-06-05 17:37:10 +02:00
constraint.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
context.h selinux: sidtab reverse lookup hash table 2019-12-09 16:14:51 -05:00
ebitmap.c selinux: default_range glblub implementation 2019-10-07 19:01:35 -04:00
ebitmap.h selinux: default_range glblub implementation 2019-10-07 19:01:35 -04:00
hashtab.c selinux: wrap global selinux state 2018-03-01 18:48:02 -05:00
hashtab.h selinux: wrap global selinux state 2018-03-01 18:48:02 -05:00
mls_types.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mls.c selinux: default_range glblub implementation 2019-10-07 19:01:35 -04:00
mls.h selinux: overhaul sidtab to fix bug and improve performance 2018-12-05 16:12:32 -05:00
policydb.c selinux: sidtab reverse lookup hash table 2019-12-09 16:14:51 -05:00
policydb.h selinux: default_range glblub implementation 2019-10-07 19:01:35 -04:00
services.c selinux: cache the SID -> context string translation 2019-12-09 16:14:51 -05:00
services.h selinux: sidtab reverse lookup hash table 2019-12-09 16:14:51 -05:00
sidtab.c selinux: cache the SID -> context string translation 2019-12-09 16:14:51 -05:00
sidtab.h selinux: cache the SID -> context string translation 2019-12-09 16:14:51 -05:00
status.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
symtab.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
symtab.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00