| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5188e81963654bbe9d1e70fe6370a38fdf4ae677.1758633723.git.zhanghongru@xiaomi.com>
Date: Wed, 24 Sep 2025 10:55:53 +0800
From: Hongru Zhang <zhanghongru06@...il.com>
To: paul@...l-moore.com,
stephen.smalley.work@...il.com,
omosnace@...hat.com
Cc: linux-kernel@...r.kernel.org,
selinux@...r.kernel.org,
zhanghongru@...omi.com
Subject: [PATCH v2 2/2] selinux: improve bucket distribution uniformity of avc_hash()
From: Hongru Zhang <zhanghongru@...omi.com>
Under heavy stress testing (on an 8-core system sustaining over 50,000
authentication events per second), sample once per second and take the
mean of 1800 samples:
+--------------------------+-----------------------------------------+
| | bucket utilization rate / longest chain |
| +--------------------+--------------------+
| | no-patch | with-patch |
+--------------------------+--------------------+--------------------+
| 512 nodes, 512 buckets | 52.5%/7.5 | 58.2%/6.2 |
+--------------------------+--------------------+--------------------+
| 1024 nodes, 512 buckets | 68.9%/12.1 | 82.4%/8.9 |
+--------------------------+--------------------+--------------------+
| 2048 nodes, 512 buckets | 83.7%/19.4 | 94.8%/15.2 |
+--------------------------+--------------------+--------------------+
| 8192 nodes, 8192 buckets | 49.5%/11.4 | 61.9%/6.6 |
+--------------------------+--------------------+--------------------+
Signed-off-by: Hongru Zhang <zhanghongru@...omi.com>
---
security/selinux/avc.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 7a7f88012865..d08f30d57bac 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -146,9 +146,23 @@ static struct kmem_cache *avc_xperms_data_cachep __ro_after_init;
static struct kmem_cache *avc_xperms_decision_cachep __ro_after_init;
static struct kmem_cache *avc_xperms_cachep __ro_after_init;
+/*
+ * Advantages of this hash design:
+ * - Minimized collisions: Different inputs won't produce similar
+ * contributions
+ * - Bit diffusion: Each constant effectively scrambles input bits
+ * - Mathematical guarantee: These constants are theoretically analyzed
+ * and empirically validated
+ * - Complementarity: Three constants complement each other at the
+ * binary level
+ */
+#define C1 0x9E3779B9 /* 2^32 * Golden Ratio, classic constant for Knuth's
+ multiplicative hashing */
+#define C2 0x85EBCA77 /* Large prime-like properties */
+#define C3 0xC2B2AE35 /* Large prime-like properties, MurmurHash3 constant */
static inline u32 avc_hash(u32 ssid, u32 tsid, u16 tclass)
{
- return (ssid ^ (tsid<<2) ^ (tclass<<4)) & (avc_cache_slots - 1);
+ return (ssid * C1 + tsid * C2 + tclass * C3) & (avc_cache_slots - 1);
}
/**
--
2.43.0
Powered by blists - more mailing lists