Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp880224ybg; Wed, 3 Jun 2020 16:37:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyGn/WlJC8c9KJEMNs+9MTCGsWr8FsXjM/QMtKyOnyEO8WZZRbRFrAIhxastfDdxgbpuuGW X-Received: by 2002:a17:906:f2d9:: with SMTP id gz25mr1609332ejb.467.1591227457151; Wed, 03 Jun 2020 16:37:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591227457; cv=none; d=google.com; s=arc-20160816; b=1BTfKpQ3o91w0S/bWSYKNgJAM4S0MStkS6VDKq1WZxRkyRU556MATh0XTCfAgfEVSu FmkdtNochF6vuDqHjmsCL5pNxQetFndEtF96B/OHg0xzcuihSnxN6xHnrXfe04EQNbDG roEeXs8E2vk9tYGiDZjUqK56GYVFoZqpHz1H4St0rP4uSyUD9o3sRKsykhEKEfR2OGvu mXqdIMNI7OekE5hxol/vvdj2C7mDCSEWsRqIQJcVbAUzlecwygTaGjF/oh+JniTdXa5R cike5gm4iJoZ3qsiqkq3EBp/VZTmgchTVcczCkfb7IDEhmo2dBkj9C94Kpt8KKuAwnkd 24dQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=4W+pwBV/mV37XypbafarSnoIpb157MO7R0Lt+xMM2XY=; b=opf2e2RLfvCPOPM/ntRmqifGu03f0g4BkdYcH5PbjDS23J2yLwiZ0TtvhIOdR5VK/D fjJGkpegMlQPuhroLV8WPvxhQqsrO2/sbV7nYTmi8Mq6aUxdP1Rc5inzaFRG7xdy/NJd 4NJ3TEhblfPPoEiFWPetxvsxvuvzifWR+sSzDpatrf+DXMnmaeTR/tvgeJkW8sdIudSf OKVFC8KisOdwTC1D7lOQWRvzuRtWyMEFkUQ9hJ1IK4a2lP6hHaVCK8+4ZSv1ZdHpGhBr Q+34agv1WQQyRqPvyT5+v5TMogdsvI4HI15H6X1HxtL0mDH1K5OnbLmVo97cWYl8MypO XsuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=IrVDJRYB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z3si587246ejm.403.2020.06.03.16.37.14; Wed, 03 Jun 2020 16:37:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=IrVDJRYB; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726594AbgFCXfQ (ORCPT + 99 others); Wed, 3 Jun 2020 19:35:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56118 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726022AbgFCXfP (ORCPT ); Wed, 3 Jun 2020 19:35:15 -0400 Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E1264C08C5C2 for ; Wed, 3 Jun 2020 16:35:14 -0700 (PDT) Received: by mail-ej1-x632.google.com with SMTP id y13so4044288eju.2 for ; Wed, 03 Jun 2020 16:35:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4W+pwBV/mV37XypbafarSnoIpb157MO7R0Lt+xMM2XY=; b=IrVDJRYBvShwaz9jFI1Vg8hoNLNLP8LAt3BGU3N4cSS1dFwNh596fdNHNruj/106sE KaI75eZ69dRttV4MoxtGRt5SIEoAgrvFosoCHmeMOj0MSop1p32uWtrURygHuy8Ale7L uefIOZAFLT+aeyv9zWUcFHlYSTpdUDMeJYE0v9dDPPZQaCaFuFqltHL3laGRipjMLOaV VhV7aDpO9DsZypYp3owSl8jm1L4H1HlwtD76StMd+H4sbmj8NEpH8Pl5A6mDVk26qrdr KOuS4CE29fM87rjTLr0H3LAZAEewxRL5Qk2yc33IMUrhKHQMrmMhg8suhNHcg/D48OTI taIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4W+pwBV/mV37XypbafarSnoIpb157MO7R0Lt+xMM2XY=; b=oRNVdeNh2yCPVnJji1iHZEUGuQ2rlV/5mJmAt8jX/2uEaJBvxlof1fr5BFpbj3gklG GZTN4mlfIHzQ7zVQsiLhiYcgjyL1xpCvrtl8rRKAG/sB2xFq2Trkp8JYES1797lbAowK WqXdZU6Djo0rFenHvklWUSdyUwkzL05lTVaVByfDArjoNIXaGGU330NhkZenXZQVR2ER jFTszUpqEfv8rWTrfD6VM0Ud4R38miMjKBixh24Q3U6VrdXGv0LrpOO1hebRBvcUKPQc VoqfuN9rCOpIWb1E4FbwChtzqLP5uwBq1WlU/88SpzO34ufq/kInkJnZLVx/x5lIPshO dz7g== X-Gm-Message-State: AOAM533/UlkhGf0+HRlfKSBaawbOpYpPGpgkHzI1hqohfmTZpxz8+t5T 2TwL0ekXoQ1zW/0QpKa+/VBge622o+D+x5mJD3eT X-Received: by 2002:a17:906:19d3:: with SMTP id h19mr1534177ejd.106.1591227313295; Wed, 03 Jun 2020 16:35:13 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Paul Moore Date: Wed, 3 Jun 2020 19:35:02 -0400 Message-ID: Subject: Re: [GIT PULL] SELinux patches for v5.8 To: Linus Torvalds Cc: selinux@vger.kernel.org, LSM List , Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 2, 2020 at 8:31 PM Linus Torvalds wrote: > Side note since you mention performance work: in the past when I've > looked at SELinux performance (generally as part of pathname lookup > etc VFS loads), the biggest cost by far was that all the SELinux data > structures take a ton of cache misses. > > Yes, some of the hashing shows up in the profiles, but _most_ of it > was loading the data from inode->i_security etc. > > And the reason seemed to be that every single inode ends up having a > separately allocated "struct inode_security_struct" (aka "isec"). Even > if the contents are often all exactly the same for a large set of > inodes that thus _could_ conceptually share the data. > > Now, it used to be - before being able to stack security layers - > SElinux would control that pointer, and it could have done some kind > of sharing scheme with copy-on-write behavior (the way we do 'struct > cred' for processes), and it would have caused a much smaller cache > footprint (and thus likely much fewer cache misses). I believe right about the time that Eric Paris was stepping away from SELinux he was working on a patchset that basically did what you describe: copy-on-write for the SELinux inode blobs (aka inode_security_struct, aka isec, etc.). Unfortunately I don't believe that work was ever finished and the idea was lost many years ago in the maintainer shuffle; I was trying to figure out this whole "maintainer thing" and perhaps didn't push Eric to post those patches as much as I should have. Although it's a big academic now with the LSM stacking work. Most of my SELinux thoughts these days are around the correctness and robustness of the code, making sure we are testing as much as possible (related to the first point), and trying to catch changes in other subsystems which cause us breakage. Not the most glamorous stuff, but it's important. SELinux is lucky enough to have a few active kernel developers, and thankfully a couple of them appear to be looking at some of the performance issues. > These days, that sharing of the i_security pointer across different > security layers makes that sound really really painful. Yeah. It's pretty much impossible now to do copy-on-write with the main security blobs due to the differing nature of the LSMs and the single, shared allocation for each blob. I suppose if you wanted to attempt copy-on-write inside a LSM you could introduce another layer of pointers/allocation, but I'm not sure how much of an improvement that might be. Perhaps a bit more thought will produce a "eureka!" moment, but I'm not overly optimistic. > But I do wonder if anybody in selinux land (or general security > subsystem land) has been thinking of maybe at least having a "this > inode has no special labeling" marker that could possibly avoid having > all those extra allocations. I don't want to get into the "security people can't agree on anything" discussion, but I think for that to work all of the loaded LSMs would need to agree that they don't need to stash anything in the inode (or other object); which I think is pretty much impossible most of the time. At least in the SELinux case, even if we were doing some sort of copy-on-write, we would need to keep a reference back to the inode security blob that does contain our needed info. -- paul moore www.paul-moore.com