linux/security/selinux/include
Stephen Smalley 951b2de06a selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive
Extend the task avdcache to also cache whether the task SID is both
permissive and neveraudit, and return immediately if so in both
selinux_inode_getattr() and selinux_inode_permission().

The same approach could be applied to many of the hook functions
although the avdcache would need to be updated for more than directory
search checks in order for this optimization to be beneficial for checks
on objects other than directories.

To test, apply https://github.com/SELinuxProject/selinux/pull/473 to
your selinux userspace, build and install libsepol, and use the following
CIL policy module:
$ cat neverauditpermissive.cil
(typeneveraudit unconfined_t)
(typepermissive unconfined_t)

Without this module inserted, running the following commands:
   perf record make -jN # on an already built allmodconfig tree
   perf report --sort=symbol,dso
yields the following percentages (only showing __d_lookup_rcu for
reference and only showing relevant SELinux functions):
   1.65%  [k] __d_lookup_rcu
   0.53%  [k] selinux_inode_permission
   0.40%  [k] selinux_inode_getattr
   0.15%  [k] avc_lookup
   0.05%  [k] avc_has_perm
   0.05%  [k] avc_has_perm_noaudit
   0.02%  [k] avc_policy_seqno
   0.02%  [k] selinux_file_permission
   0.01%  [k] selinux_inode_alloc_security
   0.01%  [k] selinux_file_alloc_security
for a total of 1.24% for SELinux compared to 1.65% for
__d_lookup_rcu().

After running the following command to insert this module:
   semodule -i neverauditpermissive.cil
and then re-running the same perf commands from above yields
the following non-zero percentages:
   1.74%  [k] __d_lookup_rcu
   0.31%  [k] selinux_inode_permission
   0.03%  [k] selinux_inode_getattr
   0.03%  [k] avc_policy_seqno
   0.01%  [k] avc_lookup
   0.01%  [k] selinux_file_permission
   0.01%  [k] selinux_file_open
for a total of 0.40% for SELinux compared to 1.74% for
__d_lookup_rcu().

Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2025-06-19 17:23:05 -04:00
audit.h lsm: add lsmprop_to_secctx hook 2024-10-11 14:34:12 -04:00
avc.h selinux: introduce neveraudit types 2025-06-19 17:23:04 -04:00
avc_ss.h selinux: fix style issues in security/selinux/include/avc_ss.h 2023-12-22 18:09:26 -05:00
classmap.h net: Retire DCCP socket. 2025-04-11 18:58:10 -07:00
conditional.h selinux: constify and reconcile function parameter names 2025-01-07 23:14:38 -05:00
ibpkey.h selinux: make header files self-including 2023-05-18 14:12:43 -04:00
ima.h selinux: fix style issues in security/selinux/include/ima.h 2023-12-22 18:09:28 -05:00
initial_sid_to_string.h selinux: do not include <linux/*.h> headers from host programs 2024-10-03 15:34:24 -04:00
netif.h selinux: fix style issues in security/selinux/include/netif.h 2023-12-22 18:09:28 -05:00
netlabel.h selinux: fix style issues with security/selinux/include/netlabel.h 2023-12-22 18:09:28 -05:00
netnode.h selinux: constify network address pointer 2025-04-11 16:29:50 -04:00
netport.h selinux: include necessary headers in headers 2022-05-03 14:11:13 -04:00
objsec.h selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive 2025-06-19 17:23:05 -04:00
policycap.h selinux: support wildcard match in genfscon 2025-04-11 16:36:34 -04:00
policycap_names.h selinux: support wildcard match in genfscon 2025-04-11 16:36:34 -04:00
security.h selinux: introduce neveraudit types 2025-06-19 17:23:04 -04:00
xfrm.h selinux: fix style issues in security/selinux/include/xfrm.h 2023-12-22 18:09:30 -05:00