diff options
| author | Waiman Long <Waiman.Long@hp.com> | 2013-07-23 17:38:41 -0400 |
|---|---|---|
| committer | Eric Paris <eparis@redhat.com> | 2013-07-25 13:02:18 -0400 |
| commit | fee7114298cf54bbd221cdb2ab49738be8b94f4c (patch) | |
| tree | d89946b8a81e44f56fa7c8c41aaedf128d112e95 /security/selinux/ss/mls.c | |
| parent | bed4d7efb31fd81b3a3c83dc8540197cd0fe81c0 (diff) | |
SELinux: Reduce overhead of mls_level_isvalid() function call
While running the high_systime workload of the AIM7 benchmark on
a 2-socket 12-core Westmere x86-64 machine running 3.10-rc4 kernel
(with HT on), it was found that a pretty sizable amount of time was
spent in the SELinux code. Below was the perf trace of the "perf
record -a -s" of a test run at 1500 users:
5.04% ls [kernel.kallsyms] [k] ebitmap_get_bit
1.96% ls [kernel.kallsyms] [k] mls_level_isvalid
1.95% ls [kernel.kallsyms] [k] find_next_bit
The ebitmap_get_bit() was the hottest function in the perf-report
output. Both the ebitmap_get_bit() and find_next_bit() functions
were, in fact, called by mls_level_isvalid(). As a result, the
mls_level_isvalid() call consumed 8.95% of the total CPU time of
all the 24 virtual CPUs which is quite a lot. The majority of the
mls_level_isvalid() function invocations come from the socket creation
system call.
Looking at the mls_level_isvalid() function, it is checking to see
if all the bits set in one of the ebitmap structure are also set in
another one as well as the highest set bit is no bigger than the one
specified by the given policydb data structure. It is doing it in
a bit-by-bit manner. So if the ebitmap structure has many bits set,
the iteration loop will be done many times.
The current code can be rewritten to use a similar algorithm as the
ebitmap_contains() function with an additional check for the
highest set bit. The ebitmap_contains() function was extended to
cover an optional additional check for the highest set bit, and the
mls_level_isvalid() function was modified to call ebitmap_contains().
With that change, the perf trace showed that the used CPU time drop
down to just 0.08% (ebitmap_contains + mls_level_isvalid) of the
total which is about 100X less than before.
0.07% ls [kernel.kallsyms] [k] ebitmap_contains
0.05% ls [kernel.kallsyms] [k] ebitmap_get_bit
0.01% ls [kernel.kallsyms] [k] mls_level_isvalid
0.01% ls [kernel.kallsyms] [k] find_next_bit
The remaining ebitmap_get_bit() and find_next_bit() functions calls
are made by other kernel routines as the new mls_level_isvalid()
function will not call them anymore.
This patch also improves the high_systime AIM7 benchmark result,
though the improvement is not as impressive as is suggested by the
reduction in CPU time spent in the ebitmap functions. The table below
shows the performance change on the 2-socket x86-64 system (with HT
on) mentioned above.
+--------------+---------------+----------------+-----------------+
| Workload | mean % change | mean % change | mean % change |
| | 10-100 users | 200-1000 users | 1100-2000 users |
+--------------+---------------+----------------+-----------------+
| high_systime | +0.1% | +0.9% | +2.6% |
+--------------+---------------+----------------+-----------------+
Signed-off-by: Waiman Long <Waiman.Long@hp.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Diffstat (limited to 'security/selinux/ss/mls.c')
| -rw-r--r-- | security/selinux/ss/mls.c | 22 |
1 files changed, 7 insertions, 15 deletions
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c index 40de8d3f208e..c85bc1ec040c 100644 --- a/security/selinux/ss/mls.c +++ b/security/selinux/ss/mls.c | |||
| @@ -160,8 +160,6 @@ void mls_sid_to_context(struct context *context, | |||
| 160 | int mls_level_isvalid(struct policydb *p, struct mls_level *l) | 160 | int mls_level_isvalid(struct policydb *p, struct mls_level *l) |
| 161 | { | 161 | { |
| 162 | struct level_datum *levdatum; | 162 | struct level_datum *levdatum; |
| 163 | struct ebitmap_node *node; | ||
| 164 | int i; | ||
| 165 | 163 | ||
| 166 | if (!l->sens || l->sens > p->p_levels.nprim) | 164 | if (!l->sens || l->sens > p->p_levels.nprim) |
| 167 | return 0; | 165 | return 0; |
| @@ -170,19 +168,13 @@ int mls_level_isvalid(struct policydb *p, struct mls_level *l) | |||
| 170 | if (!levdatum) | 168 | if (!levdatum) |
| 171 | return 0; | 169 | return 0; |
| 172 | 170 | ||
| 173 | ebitmap_for_each_positive_bit(&l->cat, node, i) { | 171 | /* |
| 174 | if (i > p->p_cats.nprim) | 172 | * Return 1 iff all the bits set in l->cat are also be set in |
| 175 | return 0; | 173 | * levdatum->level->cat and no bit in l->cat is larger than |
| 176 | if (!ebitmap_get_bit(&levdatum->level->cat, i)) { | 174 | * p->p_cats.nprim. |
| 177 | /* | 175 | */ |
| 178 | * Category may not be associated with | 176 | return ebitmap_contains(&levdatum->level->cat, &l->cat, |
| 179 | * sensitivity. | 177 | p->p_cats.nprim); |
| 180 | */ | ||
| 181 | return 0; | ||
| 182 | } | ||
| 183 | } | ||
| 184 | |||
| 185 | return 1; | ||
| 186 | } | 178 | } |
| 187 | 179 | ||
| 188 | int mls_range_isvalid(struct policydb *p, struct mls_range *r) | 180 | int mls_range_isvalid(struct policydb *p, struct mls_range *r) |