Message-ID: <CAHC9VhTz48LOy5E7ywAFYjp=OK43y4MndV6V9HjLC1CpUCJ0xQ@mail.gmail.com>
Date: Mon, 20 Oct 2025 15:22:23 -0400
From: Paul Moore <paul@...l-moore.com>
To: Stephen Smalley <stephen.smalley.work@...il.com>
Cc: Hongru Zhang <zhanghongru06@...il.com>, omosnace@...hat.com,
linux-kernel@...r.kernel.org, selinux@...r.kernel.org, zhanghongru@...omi.com
Subject: Re: [PATCH v3 1/2] selinux: Make avc cache slot size configurable during boot
On Fri, Oct 17, 2025 at 7:59 AM Stephen Smalley
<stephen.smalley.work@...il.com> wrote:
> On Thu, Oct 16, 2025 at 5:18 PM Paul Moore <paul@...l-moore.com> wrote:
> > On Sep 26, 2025 Hongru Zhang <zhanghongru06@...il.com> wrote:
...
> > I would expect the number of active AVC nodes, and AVC churn in general,
> > to be very policy dependent; some policies and use cases simply result in
> > more AVC nodes than others. With that in mind, I'm wondering if instead
> > of using a kernel command line parameter to specify the number of AVC
> > buckets, we should instead include an AVC size "hint" in the policy that
> > we can use to size the AVC when loading a new policy.
> >
> > Thoughts?
> >
> > I think it would be important to consider it strictly as a "hint" as
> > that would make life easier, e.g. if the previous policy hinted at a
> > larger AVC we may not want to bother with reducing the number of buckets.
> > I would suggest starting with an implementation that uses the hint as a
> > power of two for the number of AVC slots/buckets, with a value of '0'
> > indicating a default value (512 slots, e.g. '2^9').
>
> So, aside from Hongru's points about this requiring a change to the
> binary policy format and compiler and introducing possible
> atomicity/locking issues in the AVC code when accessing the number of
> buckets ...
I know you've heard me say this before, but for the sake of those who
haven't, "because it's a lot of work" isn't something that I consider
to be a valid excuse. It's fine, and good (!), to explain the work
needed to successfully make a change, but I have an almost allergic
reaction to those who use the amount of work needed as an argument
against doing The Right Thing.
> I am also uncertain that this is something that is fully
> determinable from policy alone.
Agreed, but if we are going to make this changeable, I'd rather see it
as something that could be changed without requiring a reboot. Not
wanting to add yet another selinuxfs node, and seeing *some*
relationship between AVC size and policy, adding an AVC size hint to
the policy seems reasonable.
However, as I mentioned in my reply to Hongru, we may be able to solve
the immediate problem with a Kconfig tunable.
--
paul-moore.com
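The sizing rule proposed above (hint used as a power of two, 0 meaning the 512-slot default, and a hint that never shrinks an existing table), written out as an added illustration; this is not kernel code, the function names, the upper bound and the hash mixing are this example's own assumptions, not the kernel's avc_hash():

```c
#include <stdint.h>

/* 2^9 = 512 slots is the default suggested in the thread; the ceiling is an
 * assumption chosen for this example, not a value from the kernel. */
#define AVC_DEFAULT_SLOT_SHIFT 9
#define AVC_MAX_SLOT_SHIFT     16

/* Map a policy-supplied hint to a slot count. 0 selects the default.
 * Returns 0 for an out-of-range hint so the caller can reject the policy
 * instead of silently allocating an absurd table. */
static unsigned int avc_slots_from_hint(unsigned int hint)
{
    if (hint == 0)
        hint = AVC_DEFAULT_SLOT_SHIFT;
    if (hint > AVC_MAX_SLOT_SHIFT)
        return 0;
    return 1u << hint;
}

/* Treat the value strictly as a hint: when a new policy is loaded the table
 * may grow but is never shrunk, and an invalid hint leaves it untouched. */
static unsigned int avc_resize_on_policy_load(unsigned int current_slots,
                                              unsigned int hint)
{
    unsigned int wanted = avc_slots_from_hint(hint);

    if (wanted == 0)
        return current_slots;
    return wanted > current_slots ? wanted : current_slots;
}

/* Bucket selection for a power-of-two table: a mask instead of a modulo.
 * The mixing below is a generic integer hash for this example only. */
static unsigned int avc_bucket(uint32_t ssid, uint32_t tsid, uint16_t tclass,
                               unsigned int nslots)
{
    uint32_t h = ssid ^ (tsid << 2) ^ ((uint32_t)tclass << 4);

    h ^= h >> 16;
    h *= 0x7feb352dU;
    h ^= h >> 15;
    return h & (nslots - 1);
}
```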