d97bd23c2d
Translating a context struct to string can be quite slow, especially if the context has a lot of category bits set. This can cause quite noticeable performance impact in situations where the translation needs to be done repeatedly. A common example is a UNIX datagram socket with the SO_PASSSEC option enabled, which is used e.g. by systemd-journald when receiving log messages via datagram socket. This scenario can be reproduced with: cat /dev/urandom | base64 | logger & timeout 30s perf record -p $(pidof systemd-journald) -a -g kill %1 perf report -g none --pretty raw | grep security_secid_to_secctx Before the caching introduced by this patch, computing the context string (security_secid_to_secctx() function) takes up ~65% of systemd-journald's CPU time (assuming a context with 1024 categories set and Fedora x86_64 release kernel configs). After this patch (assuming near-perfect cache hit ratio) this overhead is reduced to just ~2%. This patch addresses the issue by caching a certain number (compile-time configurable) of recently used context strings to speed up repeated translations of the same context, while using only a small amount of memory. The cache is integrated into the existing sidtab table by adding a field to each entry, which when not NULL contains an RCU-protected pointer to a cache entry containing the cached string. The cache entries are kept in a linked list sorted according to how recently they were used. On a cache miss when the cache is full, the least recently used entry is removed to make space for the new entry. The patch migrates security_sid_to_context_core() to use the cache (also a few other functions where it was possible without too much fuss, but these mostly use the translation for logging in case of error, which is rare). Link: https://bugzilla.redhat.com/show_bug.cgi?id=1733259 Cc: Michal Sekletar <msekleta@redhat.com> Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-by: Stephen Smalley <sds@tycho.nsa.gov> Tested-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul E. McKenney <paulmck@kernel.org> [PM: lots of merge fixups due to collisions with other sidtab patches] Signed-off-by: Paul Moore <paul@paul-moore.com>
111 lines
4.3 KiB
Plaintext
111 lines
4.3 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
config SECURITY_SELINUX
|
|
bool "NSA SELinux Support"
|
|
depends on SECURITY_NETWORK && AUDIT && NET && INET
|
|
select NETWORK_SECMARK
|
|
default n
|
|
help
|
|
This selects NSA Security-Enhanced Linux (SELinux).
|
|
You will also need a policy configuration and a labeled filesystem.
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SELINUX_BOOTPARAM
|
|
bool "NSA SELinux boot parameter"
|
|
depends on SECURITY_SELINUX
|
|
default n
|
|
help
|
|
This option adds a kernel parameter 'selinux', which allows SELinux
|
|
to be disabled at boot. If this option is selected, SELinux
|
|
functionality can be disabled with selinux=0 on the kernel
|
|
command line. The purpose of this option is to allow a single
|
|
kernel image to be distributed with SELinux built in, but not
|
|
necessarily enabled.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SELINUX_DISABLE
|
|
bool "NSA SELinux runtime disable"
|
|
depends on SECURITY_SELINUX
|
|
select SECURITY_WRITABLE_HOOKS
|
|
default n
|
|
help
|
|
This option enables writing to a selinuxfs node 'disable', which
|
|
allows SELinux to be disabled at runtime prior to the policy load.
|
|
SELinux will then remain disabled until the next boot.
|
|
This option is similar to the selinux=0 boot parameter, but is to
|
|
support runtime disabling of SELinux, e.g. from /sbin/init, for
|
|
portability across platforms where boot parameters are difficult
|
|
to employ.
|
|
|
|
NOTE: selecting this option will disable the '__ro_after_init'
|
|
kernel hardening feature for security hooks. Please consider
|
|
using the selinux=0 boot parameter instead of enabling this
|
|
option.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
config SECURITY_SELINUX_DEVELOP
|
|
bool "NSA SELinux Development Support"
|
|
depends on SECURITY_SELINUX
|
|
default y
|
|
help
|
|
This enables the development support option of NSA SELinux,
|
|
which is useful for experimenting with SELinux and developing
|
|
policies. If unsure, say Y. With this option enabled, the
|
|
kernel will start in permissive mode (log everything, deny nothing)
|
|
unless you specify enforcing=1 on the kernel command line. You
|
|
can interactively toggle the kernel between enforcing mode and
|
|
permissive mode (if permitted by the policy) via /selinux/enforce.
|
|
|
|
config SECURITY_SELINUX_AVC_STATS
|
|
bool "NSA SELinux AVC Statistics"
|
|
depends on SECURITY_SELINUX
|
|
default y
|
|
help
|
|
This option collects access vector cache statistics to
|
|
/selinux/avc/cache_stats, which may be monitored via
|
|
tools such as avcstat.
|
|
|
|
config SECURITY_SELINUX_CHECKREQPROT_VALUE
|
|
int "NSA SELinux checkreqprot default value"
|
|
depends on SECURITY_SELINUX
|
|
range 0 1
|
|
default 0
|
|
help
|
|
This option sets the default value for the 'checkreqprot' flag
|
|
that determines whether SELinux checks the protection requested
|
|
by the application or the protection that will be applied by the
|
|
kernel (including any implied execute for read-implies-exec) for
|
|
mmap and mprotect calls. If this option is set to 0 (zero),
|
|
SELinux will default to checking the protection that will be applied
|
|
by the kernel. If this option is set to 1 (one), SELinux will
|
|
default to checking the protection requested by the application.
|
|
The checkreqprot flag may be changed from the default via the
|
|
'checkreqprot=' boot parameter. It may also be changed at runtime
|
|
via /selinux/checkreqprot if authorized by policy.
|
|
|
|
If you are unsure how to answer this question, answer 0.
|
|
|
|
config SECURITY_SELINUX_SIDTAB_HASH_BITS
|
|
int "NSA SELinux sidtab hashtable size"
|
|
depends on SECURITY_SELINUX
|
|
range 8 13
|
|
default 9
|
|
help
|
|
This option sets the number of buckets used in the sidtab hashtable
|
|
to 2^SECURITY_SELINUX_SIDTAB_HASH_BITS buckets. The number of hash
|
|
collisions may be viewed at /sys/fs/selinux/ss/sidtab_hash_stats. If
|
|
chain lengths are high (e.g. > 20) then selecting a higher value here
|
|
will ensure that lookups times are short and stable.
|
|
|
|
config SECURITY_SELINUX_SID2STR_CACHE_SIZE
|
|
int "NSA SELinux SID to context string translation cache size"
|
|
depends on SECURITY_SELINUX
|
|
default 256
|
|
help
|
|
This option defines the size of the internal SID -> context string
|
|
cache, which improves the performance of context to string
|
|
conversion. Setting this option to 0 disables the cache completely.
|
|
|
|
If unsure, keep the default value.
|