Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp95310ybg; Tue, 2 Jun 2020 17:34:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxcvibS2rSOHxHbW69AsEj38zzAd7R9SJSIDkvhuV5aXyisPiMEoFdHsFgpgeON+RTf0XLR X-Received: by 2002:a17:906:b7cd:: with SMTP id fy13mr258063ejb.443.1591144452691; Tue, 02 Jun 2020 17:34:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591144452; cv=none; d=google.com; s=arc-20160816; b=ubOPMU5IdplPfufCYn5QokNDy3Eo5U9p5SgTyIIe82ncVm+GtnNK+NioySQsGSKvwy YghnwjMbZRfy2sx2QWeX2dgeZZQriTtN5Kew9rmn85H7mYtdckr9JVhADyKdituBR6b9 kSf8Z/BaoF2FSxfKRhS3K49qig1DwX2pGOe5FTjsU98h+34Kay+xLQZhH10Rqt/AghOU kl6Dsqg3alQiJjIoEIC8k+WckpVJWDJBa6rSKBle464qIDfHYT/+GRztVusr3i7hi2j4 sxCZdSPTspD/HWFPXGLk7Ow4bSx//em0FySH2UJRVrKl81IE8rtnTUaqrrwWPac7tS8O MeZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Y05Eb9eafJ0NXvQYL09qhaAipJ12OeTgF1kVh6EgfnQ=; b=lRQL4xV9JRouRCL09DJESmb47/k6YtEMHVSux42+/tSup4oOHdXSpYmARFpHPkhC5Y v3cBX+F8GbSZcMt+iwIZ93qo0/CGgmeFZS71HEpvNFbln0S+z58wZZ4A+XAA+G2yVUQ2 eahKWj5lFrs7JCgz4vntu6AusI+hZRuwIdta2otQvagrhJGWIuYJJdy7odW2iRoIag8b Nj4qZPiEAcwHFcM5ZeNW7L3QCWczoCWEf31ZAZVXR3AKfbSXCx2g+TOLPfE4NXMCtIy/ wQFp5CPe/1lNUOpdOyWPQAW3rG/79y1WM1tcFNBm+8JkPzAcw9o/Sw8rF5WuAhYfUwVZ tkDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=BIdCjuRk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cc25si147135edb.467.2020.06.02.17.33.49; Tue, 02 Jun 2020 17:34:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=BIdCjuRk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727784AbgFCAby (ORCPT + 99 others); Tue, 2 Jun 2020 20:31:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39550 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726112AbgFCAbx (ORCPT ); Tue, 2 Jun 2020 20:31:53 -0400 Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1C7DCC08C5C1 for ; Tue, 2 Jun 2020 17:31:52 -0700 (PDT) Received: by mail-lj1-x242.google.com with SMTP id e4so517926ljn.4 for ; Tue, 02 Jun 2020 17:31:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Y05Eb9eafJ0NXvQYL09qhaAipJ12OeTgF1kVh6EgfnQ=; b=BIdCjuRkcZ6AtUKiMEcL/bPMx/D1bItwVGJFF1ZfEiSaScUoFvZ1ZZsl3PQqkbQ7I+ 1pgdNd5VxSPlPrPUxZOkdE8JL51bKGr0g+MkbxHFdq1zz9DHgwUHcu6VSzZYXPad+csj 3uML97UaIPUm1p1BiOICKjeYpqfWTK6nFQlZM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Y05Eb9eafJ0NXvQYL09qhaAipJ12OeTgF1kVh6EgfnQ=; b=YQ8ohF5XRG5YvcPJsUjVV/qtoUvpzCtiXB+S4oYkBPlLYAEFqjD8V/fcvyp8zDL0Gz nffFjp9cDRJGMoZ+FgZqPo/n+fTnGrTJhKtfGFWlJQl6LgZ0Rs1cp7H3VjZNrAyJrZJJ 0BnpJNea7BJaObp+t58j+OH6Mki7Ll9OTnkNy3PPNI0WKwwIXdK8Ue1BTqsFCezliEcq z+ZsCFBiL5S3Ex0YAWjsjxhYgJ1isWVBxZ3wMa7DBpGhEJxK03jDzkBfazBQs3d9e0HM rReqV2CMKSeqhYvT8dz7l9avXPE7qtH65Ky3QNwLQPSopqpEbUGtGkrqggeRfc3p8YuO BVMA== X-Gm-Message-State: AOAM532pCjajAKRtEk564kAF7B577psgzamnW4pcfqOjGp/FnhVnwp1r HaT2Kk3Pyi8Br28uI8DdH77zDvdZJGQ= X-Received: by 2002:a2e:8053:: with SMTP id p19mr740165ljg.199.1591144310037; Tue, 02 Jun 2020 17:31:50 -0700 (PDT) Received: from mail-lj1-f177.google.com (mail-lj1-f177.google.com. [209.85.208.177]) by smtp.gmail.com with ESMTPSA id j17sm92021ljo.95.2020.06.02.17.31.48 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Jun 2020 17:31:49 -0700 (PDT) Received: by mail-lj1-f177.google.com with SMTP id s1so539840ljo.0 for ; Tue, 02 Jun 2020 17:31:48 -0700 (PDT) X-Received: by 2002:a05:651c:2c6:: with SMTP id f6mr702860ljo.371.1591144308329; Tue, 02 Jun 2020 17:31:48 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Linus Torvalds Date: Tue, 2 Jun 2020 17:31:32 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] SELinux patches for v5.8 To: Paul Moore Cc: selinux@vger.kernel.org, LSM List , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 1, 2020 at 6:07 PM Paul Moore wrote: > > - A number of improvements to various SELinux internal data structures > to help improve performance. We move the role transitions into a hash > table. In the content structure we shift from hashing the content > string (aka SELinux label) to the structure itself, when it is valid. > This last change not only offers a speedup, but it helps us simplify > the code some as well. Side note since you mention performance work: in the past when I've looked at SELinux performance (generally as part of pathname lookup etc VFS loads), the biggest cost by far was that all the SELinux data structures take a ton of cache misses. Yes, some of the hashing shows up in the profiles, but _most_ of it was loading the data from inode->i_security etc. And the reason seemed to be that every single inode ends up having a separately allocated "struct inode_security_struct" (aka "isec"). Even if the contents are often all exactly the same for a large set of inodes that thus _could_ conceptually share the data. Now, it used to be - before being able to stack security layers - SElinux would control that pointer, and it could have done some kind of sharing scheme with copy-on-write behavior (the way we do 'struct cred' for processes), and it would have caused a much smaller cache footprint (and thus likely much fewer cache misses). These days, that sharing of the i_security pointer across different security layers makes that sound really really painful. But I do wonder if anybody in selinux land (or general security subsystem land) has been thinking of maybe at least having a "this inode has no special labeling" marker that could possibly avoid having all those extra allocations. Because it really does end up being visible in profiles how costly it is to look up any data behind inode->i_security. Linus