| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHC9VhQeW7fFtB5uGRJhU7882MsSLazHmOZ0UKj=pX6PKiwz8A@mail.gmail.com> Date: Tue, 21 Oct 2025 11:44:47 -0400 From: Paul Moore <paul@...l-moore.com> To: Hongru Zhang <zhanghongru06@...il.com> Cc: linux-kernel@...r.kernel.org, omosnace@...hat.com, selinux@...r.kernel.org, stephen.smalley.work@...il.com, zhanghongru@...omi.com Subject: Re: [PATCH v3 1/2] selinux: Make avc cache slot size configurable during boot On Tue, Oct 21, 2025 at 8:38 AM Hongru Zhang <zhanghongru06@...il.com> wrote: > > I would imagine that a very simple implementation would simply convert > > the selinux_avc variable from an instance of selinux_avc to a RCU > > protected selinux_avc pointer. As the AVC already uses RCU, I think > > the number of changes should be relatively minimal: > > > > * Ensure we wrap selinux_avc derefs with rcu_dereference(). This > > should be the only real change needed for lookups and insertions as > > every search through the AVC will start with deref'ing the selinux_avc > > pointer. > > > > * Update avc_init() to allocate the cache slots with a default value, > > fail if unable to allocate the cache memory. If we ensure that the > > selinux_avc pointer will always be valid, we can avoid having to check > > it. > > > > * Policy (re)loads which would change the number of AVC cache slots > > would allocate and initialize a new selinux_avc then swap the global > > selinux_avc pointer under spinlock. The old AVC cache could then be > > free'd according to RCU rules. I haven't thought about it too much, > > but I suspect we could do away with flushing the old AVC in these > > cases, even if we can't, flushing the old AVC is easy enough. > > > > > When increasing slot size, we could directly copy the contents from the > > > old table. When decreasing slot size, nodes exceeding the new slot size > > > would need to be re-hashed and attached to appropriate positions. > > > > Changing the number of cache slots should happen infrequently enough > > that I see no need to migrate the old entries to the new cache > > instance. It's a cache, it will fill back up naturally. > > > > > On my Android device, policies are fixed before system image release and > > > don't change or load dynamically during system running. Using kernel > > > parameters for adjustment ensures no additional locks or checks are neede= > > d > > > during runtime table access, maintaining simplicity and efficiency of the > > > lookup code. > > > > If your system does not update its policy over the course of a single > > boot, and presumably doesn't drastically change its behavior during > > that time, there is another, simpler option that we should consider: > > setting AVC_CACHE_SLOTS at compile time based on a Kconfig tunable. > > The code change would essentially be one line: > > > > #define AVC_CACHE_SLOTS (2 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS) > > > > ... with a corresponding entry in security/selinux/Kconfig. That > > should be a very easy change, and if you set the default value such > > that AVC_CACHE_SLOTS remains at 512, there should be no impact on > > existing systems. > > Alright,I will add a CONFIG_SECURITY_SELINUX_AVC_HASH_BITS in > security/selinux/Kconfig, the range is between 9 and 14 (512 : 16384), > with a default value of 9. And then I will send a new patchset version. That seems reasonable. I'm sure you've seen it already, but you'll likely need to modify AVC_DEF_CACHE_THRESHOLD as well ... or honestly just remove it in favor of AVC_CACHE_SLOTS, it's only used to set an initial value for the cache threshold. > I will try to submit the final version in Q1 2026 based on the discussion > (Because I have some planned Q4 work that hasn't been completed yet). No worries, thank you! -- paul-moore.com
Powered by blists - more mailing lists