[PATCH] selinux: Reduce memory use by avtab

This patch improves memory use by SELinux by both reducing the avtab node size and reducing the number of avtab nodes. The memory savings are substantial, e.g. on a 64-bit system after boot, James Morris reported the following data for the targeted and strict policies: #objs objsize kernmem Targeted: Before: 237888 40 9.1MB After: 19968 24 468KB Strict: Before: 571680 40 21.81MB After: 221052 24 5.06MB The improvement in memory use comes at a cost in the speed of security server computations of access vectors, but these computations are only required on AVC cache misses, and performance measurements by James Morris using a number of benchmarks have shown that the change does not cause any significant degradation. Note that a rebuilt policy via an updated policy toolchain (libsepol/checkpolicy) is required in order to gain the full benefits of this patch, although some memory savings benefits are immediately applied even to older policies (in particular, the reduction in avtab node size). Sources for the updated toolchain are presently available from the sourceforge CVS tree (http://sourceforge.net/cvs/?group_id=21266), and tarballs are available from http://www.flux.utah.edu/~sds. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: Stephen Smalley <sds@tycho.nsa.gov> 2005-09-03 18:55:16 -0400
committer: Linus Torvalds <torvalds@evo.osdl.org> 2005-09-05 03:05:50 -0400
commit: 782ebb992ec20b5afdd5786ee8c2f1b58b631f24 (patch)
tree: adf0af44fa591d803ec6b9ab7541ff3e5745dd93 /security/selinux/ss/avtab.h
parent: 720d6c29e146e96cca858057469951e91e0e6850 (diff)
1 files changed, 18 insertions, 19 deletions
diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h
index 519d4f6dc655..0a90d939af93 100644
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -21,12 +21,9 @@
 #define _SS_AVTAB_H_
 struct avtab_key {
-        u32 source_type;        /* source type */
+        u16 source_type;        /* source type */
-        u32 target_type;        /* target type */
+        u16 target_type;        /* target type */
-        u32 target_class;       /* target object class */
+        u16 target_class;       /* target object class */
-};
-struct avtab_datum {
 #define AVTAB_ALLOWED     1
 #define AVTAB_AUDITALLOW  2
 #define AVTAB_AUDITDENY   4
@@ -35,15 +32,13 @@ struct avtab_datum {
 #define AVTAB_MEMBER     32
 #define AVTAB_CHANGE     64
 #define AVTAB_TYPE       (AVTAB_TRANSITION | AVTAB_MEMBER | AVTAB_CHANGE)
-#define AVTAB_ENABLED    0x80000000 /* reserved for used in cond_avtab */
+#define AVTAB_ENABLED_OLD    0x80000000 /* reserved for used in cond_avtab */
-        u32 specified;  /* what fields are specified */
+#define AVTAB_ENABLED    0x8000 /* reserved for used in cond_avtab */
-        u32 data[3];    /* access vectors or types */
+        u16 specified;  /* what field is specified */
-#define avtab_allowed(x) (x)->data[0]
+};
-#define avtab_auditdeny(x) (x)->data[1]
-#define avtab_auditallow(x) (x)->data[2]
+struct avtab_datum {
-#define avtab_transition(x) (x)->data[0]
+        u32 data; /* access vector or type value */
-#define avtab_change(x) (x)->data[1]
-#define avtab_member(x) (x)->data[2]
 };
 struct avtab_node {
@@ -58,17 +53,21 @@ struct avtab {
 };
 int avtab_init(struct avtab *);
-struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k, int specified);
+struct avtab_datum *avtab_search(struct avtab *h, struct avtab_key *k);
 void avtab_destroy(struct avtab *h);
 void avtab_hash_eval(struct avtab *h, char *tag);
-int avtab_read_item(void *fp, struct avtab_datum *avdatum, struct avtab_key *avkey);
+int avtab_read_item(void *fp, uint32_t vers, struct avtab *a,
-int avtab_read(struct avtab *a, void *fp, u32 config);
+                    int (*insert)(struct avtab *a, struct avtab_key *k,
+                                  struct avtab_datum *d, void *p),
+                    void *p);
+int avtab_read(struct avtab *a, void *fp, u32 vers);
 struct avtab_node *avtab_insert_nonunique(struct avtab *h, struct avtab_key *key,
                                          struct avtab_datum *datum);
-struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key, int specified);
+struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key);
 struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);
author	Stephen Smalley <sds@tycho.nsa.gov>	2005-09-03 18:55:16 -0400
committer	Linus Torvalds <torvalds@evo.osdl.org>	2005-09-05 03:05:50 -0400
commit	782ebb992ec20b5afdd5786ee8c2f1b58b631f24 (patch)
tree	adf0af44fa591d803ec6b9ab7541ff3e5745dd93 /security/selinux/ss/avtab.h
parent	720d6c29e146e96cca858057469951e91e0e6850 (diff)

diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h index 519d4f6dc655..0a90d939af93 100644 --- a/security/selinux/ss/avtab.h +++ b/security/selinux/ss/avtab.h
@@ -21,12 +21,9 @@
21	#define _SS_AVTAB_H_	21	#define _SS_AVTAB_H_
22		22
23	struct avtab_key {	23	struct avtab_key {
24	u32 source_type; /* source type */	24	u16 source_type; /* source type */
25	u32 target_type; /* target type */	25	u16 target_type; /* target type */
26	u32 target_class; /* target object class */	26	u16 target_class; /* target object class */
27	};
28
29	struct avtab_datum {
30	#define AVTAB_ALLOWED 1	27	#define AVTAB_ALLOWED 1
31	#define AVTAB_AUDITALLOW 2	28	#define AVTAB_AUDITALLOW 2
32	#define AVTAB_AUDITDENY 4	29	#define AVTAB_AUDITDENY 4
@@ -35,15 +32,13 @@ struct avtab_datum {
35	#define AVTAB_MEMBER 32	32	#define AVTAB_MEMBER 32
36	#define AVTAB_CHANGE 64	33	#define AVTAB_CHANGE 64
37	#define AVTAB_TYPE (AVTAB_TRANSITION \| AVTAB_MEMBER \| AVTAB_CHANGE)	34	#define AVTAB_TYPE (AVTAB_TRANSITION \| AVTAB_MEMBER \| AVTAB_CHANGE)
38	#define AVTAB_ENABLED 0x80000000 /* reserved for used in cond_avtab */	35	#define AVTAB_ENABLED_OLD 0x80000000 /* reserved for used in cond_avtab */
39	u32 specified; /* what fields are specified */	36	#define AVTAB_ENABLED 0x8000 /* reserved for used in cond_avtab */
40	u32 data[3]; /* access vectors or types */	37	u16 specified; /* what field is specified */
41	#define avtab_allowed(x) (x)->data[0]	38	};
42	#define avtab_auditdeny(x) (x)->data[1]	39
43	#define avtab_auditallow(x) (x)->data[2]	40	struct avtab_datum {
44	#define avtab_transition(x) (x)->data[0]	41	u32 data; /* access vector or type value */
45	#define avtab_change(x) (x)->data[1]
46	#define avtab_member(x) (x)->data[2]
47	};	42	};
48		43
49	struct avtab_node {	44	struct avtab_node {
@@ -58,17 +53,21 @@ struct avtab {
58	};	53	};
59		54
60	int avtab_init(struct avtab *);	55	int avtab_init(struct avtab *);
61	struct avtab_datum avtab_search(struct avtab h, struct avtab_key *k, int specified);	56	struct avtab_datum avtab_search(struct avtab h, struct avtab_key *k);
62	void avtab_destroy(struct avtab *h);	57	void avtab_destroy(struct avtab *h);
63	void avtab_hash_eval(struct avtab h, char tag);	58	void avtab_hash_eval(struct avtab h, char tag);
64		59
65	int avtab_read_item(void fp, struct avtab_datum avdatum, struct avtab_key *avkey);	60	int avtab_read_item(void fp, uint32_t vers, struct avtab a,
66	int avtab_read(struct avtab a, void fp, u32 config);	61	int (insert)(struct avtab a, struct avtab_key *k,
		62	struct avtab_datum d, void p),
		63	void *p);
		64
		65	int avtab_read(struct avtab a, void fp, u32 vers);
67		66
68	struct avtab_node avtab_insert_nonunique(struct avtab h, struct avtab_key *key,	67	struct avtab_node avtab_insert_nonunique(struct avtab h, struct avtab_key *key,
69	struct avtab_datum *datum);	68	struct avtab_datum *datum);
70		69
71	struct avtab_node avtab_search_node(struct avtab h, struct avtab_key *key, int specified);	70	struct avtab_node avtab_search_node(struct avtab h, struct avtab_key *key);
72		71
73	struct avtab_node avtab_search_node_next(struct avtab_node node, int specified);	72	struct avtab_node avtab_search_node_next(struct avtab_node node, int specified);
74		73