| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 Dec 2023 19:36:52 -0500
From: Paul Moore <paul@...l-moore.com>
To: Dave Chinner <david@...morbit.com>
Cc: linux-fsdevel@...r.kernel.org, linux-block@...r.kernel.org,
linux-cachefs@...hat.com, dhowells@...hat.com,
gfs2@...ts.linux.dev, dm-devel@...ts.linux.dev,
linux-security-module@...r.kernel.org, selinux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 05/11] selinux: use dlist for isec inode list
On Wed, Dec 6, 2023 at 6:04 PM Dave Chinner <david@...morbit.com> wrote:
> On Wed, Dec 06, 2023 at 04:52:42PM -0500, Paul Moore wrote:
> > On Wed, Dec 6, 2023 at 1:07 AM Dave Chinner <david@...morbit.com> wrote:
> > >
> > > From: Dave Chinner <dchinner@...hat.com>
> > >
> > > Because it's a horrible point of lock contention under heavily
> > > concurrent directory traversals...
> > >
> > > - 12.14% d_instantiate
> > > - 12.06% security_d_instantiate
> > > - 12.13% selinux_d_instantiate
> > > - 12.16% inode_doinit_with_dentry
> > > - 15.45% _raw_spin_lock
> > > - do_raw_spin_lock
> > > 14.68% __pv_queued_spin_lock_slowpath
> > >
> > >
> > > Signed-off-by: Dave Chinner <dchinner@...hat.com>
> > > ---
> > > include/linux/dlock-list.h | 9 ++++
> > > security/selinux/hooks.c | 72 +++++++++++++++----------------
> > > security/selinux/include/objsec.h | 6 +--
> > > 3 files changed, 47 insertions(+), 40 deletions(-)
> >
> > In the cover letter you talk about testing, but I didn't see any
> > mention of testing with SELinux enabled. Given the lock contention
> > stats in the description above I'm going to assume you did test this
> > and pass along my ACK, but if you haven't tested the changes below
> > please do before sending this anywhere important.
>
> AFAIA, I've been testing with selinux enabled - I'm trying to run
> these tests in an environment as close to typical production systems
> as possible and that means selinux needs to be enabled.
>
> As such, all the fstests and perf testing has been done with selinux
> in permissive mode using "-o context=system_u:object_r:root_t:s0" as
> the default context for the mount.
>
> I see this sort of thing in the profiles:
>
> - 87.13% path_lookupat
> - 86.46% walk_component
> - 84.20% lookup_slow
> - 84.05% __lookup_slow
> - 80.81% xfs_vn_lookup
> - 77.84% xfs_lookup
> ....
> - 2.91% d_splice_alias
> - 1.52% security_d_instantiate
> - 1.50% selinux_d_instantiate
> - 1.47% inode_doinit_with_dentry
> - 0.83% inode_doinit_use_xattr
> 0.52% __vfs_getxattr
>
> Which tells me that selinux is definitely doing -something- on every
> inode being instantiated, so I'm pretty sure the security and
> selinux paths are getting exercised...
That's great, thanks for the confirmation. FWIW, for these patches it
doesn't really matter if the system is in enforcing or permissive
mode, or what label you use, the important bit is that you've got a
system with SELinux enabled in the kernel and you have a reasonable
policy loaded.
--
paul-moore.com
Powered by blists - more mailing lists