lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220522170641.GA24041@mail.hallyn.com>
Date:   Sun, 22 May 2022 12:06:41 -0500
From:   "Serge E. Hallyn" <serge@...lyn.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>
Cc:     linux-integrity@...r.kernel.org, zohar@...ux.ibm.com,
        serge@...lyn.com, christian.brauner@...ntu.com,
        containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
        ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
        roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
        lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
        jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org,
        jpenumak@...hat.com
Subject: Re: [PATCH v12 10/26] ima: Switch to lazy lsm policy updates for
 better performance

On Wed, Apr 20, 2022 at 10:06:17AM -0400, Stefan Berger wrote:
> Instead of calling ima_lsm_update_rules() for every namespace upon
> invocation of the ima_lsm_policy_change() notification function,
> only set a flag in a namespace and defer the call to
> ima_lsm_update_rules() to before the policy is accessed the next time,
> which is either in ima_policy_start(), when displaying the policy via
> the policy file in securityfs, or when calling ima_match_policy().
> 
> The performance numbers before this change for a test enabling
> and disabling an SELinux module was as follows with a given number
> of IMA namespaces that each a have a policy containing 2 rules
> with SELinux labels:
> 
> 2: ~9s
> 192: ~11s
> 1920: ~80s
> 
> With this change:
> 
> 2: ~6.5s
> 192: ~7s
> 1920: ~8.3s
> 
> Signed-off-by: Stefan Berger <stefanb@...ux.ibm.com>

Acked-by: Serge Hallyn <serge@...lyn.com>

> ---
>  security/integrity/ima/ima.h        |  4 ++++
>  security/integrity/ima/ima_policy.c | 15 ++++++++++++++-
>  2 files changed, 18 insertions(+), 1 deletion(-)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index c68b5117d034..5bf7f080c2be 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -123,6 +123,10 @@ struct ima_h_table {
>  };
>  
>  struct ima_namespace {
> +	unsigned long ima_ns_flags;
> +/* Bit numbers for above flags; use BIT() to get flag */
> +#define IMA_NS_LSM_UPDATE_RULES		0
> +
>  	/* policy rules */
>  	struct list_head ima_default_rules; /* Kconfig, builtin & arch rules */
>  	struct list_head ima_policy_rules;  /* arch & custom rules */
> diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
> index 23c559c8fae9..59e4ae5a6361 100644
> --- a/security/integrity/ima/ima_policy.c
> +++ b/security/integrity/ima/ima_policy.c
> @@ -228,6 +228,14 @@ static struct ima_rule_entry critical_data_rules[] __ro_after_init = {
>  	{.action = MEASURE, .func = CRITICAL_DATA, .flags = IMA_FUNC},
>  };
>  
> +static void ima_lsm_update_rules(struct ima_namespace *ns);
> +
> +static inline void ima_lazy_lsm_update_rules(struct ima_namespace *ns)
> +{
> +	if (test_and_clear_bit(IMA_NS_LSM_UPDATE_RULES, &ns->ima_ns_flags))
> +		ima_lsm_update_rules(ns);
> +}
> +
>  static int ima_policy __initdata;
>  
>  static int __init default_measure_policy_setup(char *str)
> @@ -478,7 +486,8 @@ int ima_lsm_policy_change(struct notifier_block *nb, unsigned long event,
>  		return NOTIFY_DONE;
>  
>  	ns = container_of(nb, struct ima_namespace, ima_lsm_policy_notifier);
> -	ima_lsm_update_rules(ns);
> +
> +	set_bit(IMA_NS_LSM_UPDATE_RULES, &ns->ima_ns_flags);
>  
>  	return NOTIFY_OK;
>  }
> @@ -705,6 +714,8 @@ int ima_match_policy(struct ima_namespace *ns,
>  	if (template_desc && !*template_desc)
>  		*template_desc = ima_template_desc_current();
>  
> +	ima_lazy_lsm_update_rules(ns);
> +
>  	rcu_read_lock();
>  	ima_rules_tmp = rcu_dereference(ns->ima_rules);
>  	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
> @@ -1907,6 +1918,8 @@ void *ima_policy_start(struct seq_file *m, loff_t *pos)
>  	struct ima_rule_entry *entry;
>  	struct list_head *ima_rules_tmp;
>  
> +	ima_lazy_lsm_update_rules(ns);
> +
>  	rcu_read_lock();
>  	ima_rules_tmp = rcu_dereference(ns->ima_rules);
>  	list_for_each_entry_rcu(entry, ima_rules_tmp, list) {
> -- 
> 2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ