SELinux: improve performance when AVC misses.

* We add ebitmap_for_each_positive_bit() which enables to walk on
  any positive bit on the given ebitmap, to improve its performance
  using common bit-operations defined in linux/bitops.h.
  In the previous version, this logic was implemented using a combination
  of ebitmap_for_each_bit() and ebitmap_node_get_bit(), but is was worse
  in performance aspect.
  This logic is most frequestly used to compute a new AVC entry,
  so this patch can improve SELinux performance when AVC misses are happen.
* struct ebitmap_node is redefined as an array of "unsigned long", to get
  suitable for using find_next_bit() which is fasted than iteration of
  shift and logical operation, and to maximize memory usage allocated
  from general purpose slab.
* Any ebitmap_for_each_bit() are repleced by the new implementation
  in ss/service.c and ss/mls.c. Some of related implementation are
  changed, however, there is no incompatibility with the previous
  version.
* The width of any new line are less or equal than 80-chars.

The following benchmark shows the effect of this patch, when we
access many files which have different security context one after
another. The number is more than /selinux/avc/cache_threshold, so
any access always causes AVC misses.

      selinux-2.6      selinux-2.6-ebitmap
AVG:   22.763 [s]          8.750 [s]
STD:    0.265              0.019
------------------------------------------
1st:   22.558 [s]          8.786 [s]
2nd:   22.458 [s]          8.750 [s]
3rd:   22.478 [s]          8.754 [s]
4th:   22.724 [s]          8.745 [s]
5th:   22.918 [s]          8.748 [s]
6th:   22.905 [s]          8.764 [s]
7th:   23.238 [s]          8.726 [s]
8th:   22.822 [s]          8.729 [s]

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

1 files changed, 4 insertions, 12 deletions

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 03140edf97a3..d572dc908f31 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -353,12 +353,8 @@ static int context_struct_compute_av(struct context *scontext,
         avkey.specified = AVTAB_AV;
         sattr = &policydb.type_attr_map[scontext->type - 1];
         tattr = &policydb.type_attr_map[tcontext->type - 1];
-        ebitmap_for_each_bit(sattr, snode, i) {
-                if (!ebitmap_node_get_bit(snode, i))
-                        continue;
-                ebitmap_for_each_bit(tattr, tnode, j) {
-                        if (!ebitmap_node_get_bit(tnode, j))
-                                continue;
+        ebitmap_for_each_positive_bit(sattr, snode, i) {
+                ebitmap_for_each_positive_bit(tattr, tnode, j) {
                         avkey.source_type = i + 1;
                         avkey.target_type = j + 1;
                         for (node = avtab_search_node(&policydb.te_avtab, &avkey);
@@ -1668,14 +1664,10 @@ int security_get_user_sids(u32 fromsid,
                 goto out_unlock;
         }
 
-        ebitmap_for_each_bit(&user->roles, rnode, i) {
-                if (!ebitmap_node_get_bit(rnode, i))
-                        continue;
+        ebitmap_for_each_positive_bit(&user->roles, rnode, i) {
                 role = policydb.role_val_to_struct[i];
                 usercon.role = i+1;
-                ebitmap_for_each_bit(&role->types, tnode, j) {
-                        if (!ebitmap_node_get_bit(tnode, j))
-                                continue;
+                ebitmap_for_each_positive_bit(&role->types, tnode, j) {
                         usercon.type = j+1;
 
                         if (mls_setup_user_range(fromcon, user, &usercon))