| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251021123842.968605-1-zhanghongru@xiaomi.com> Date: Tue, 21 Oct 2025 20:38:38 +0800 From: Hongru Zhang <zhanghongru06@...il.com> To: paul@...l-moore.com Cc: linux-kernel@...r.kernel.org, omosnace@...hat.com, selinux@...r.kernel.org, stephen.smalley.work@...il.com, zhanghongru06@...il.com, zhanghongru@...omi.com Subject: Re: [PATCH v3 1/2] selinux: Make avc cache slot size configurable during boot > I would imagine that a very simple implementation would simply convert > the selinux_avc variable from an instance of selinux_avc to a RCU > protected selinux_avc pointer. As the AVC already uses RCU, I think > the number of changes should be relatively minimal: > > * Ensure we wrap selinux_avc derefs with rcu_dereference(). This > should be the only real change needed for lookups and insertions as > every search through the AVC will start with deref'ing the selinux_avc > pointer. > > * Update avc_init() to allocate the cache slots with a default value, > fail if unable to allocate the cache memory. If we ensure that the > selinux_avc pointer will always be valid, we can avoid having to check > it. > > * Policy (re)loads which would change the number of AVC cache slots > would allocate and initialize a new selinux_avc then swap the global > selinux_avc pointer under spinlock. The old AVC cache could then be > free'd according to RCU rules. I haven't thought about it too much, > but I suspect we could do away with flushing the old AVC in these > cases, even if we can't, flushing the old AVC is easy enough. > > > When increasing slot size, we could directly copy the contents from the > > old table. When decreasing slot size, nodes exceeding the new slot size > > would need to be re-hashed and attached to appropriate positions. > > Changing the number of cache slots should happen infrequently enough > that I see no need to migrate the old entries to the new cache > instance. It's a cache, it will fill back up naturally. > > > On my Android device, policies are fixed before system image release and > > don't change or load dynamically during system running. Using kernel > > parameters for adjustment ensures no additional locks or checks are neede= > d > > during runtime table access, maintaining simplicity and efficiency of the > > lookup code. > > If your system does not update its policy over the course of a single > boot, and presumably doesn't drastically change its behavior during > that time, there is another, simpler option that we should consider: > setting AVC_CACHE_SLOTS at compile time based on a Kconfig tunable. > The code change would essentially be one line: > > #define AVC_CACHE_SLOTS (2 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS) > > ... with a corresponding entry in security/selinux/Kconfig. That > should be a very easy change, and if you set the default value such > that AVC_CACHE_SLOTS remains at 512, there should be no impact on > existing systems. > Alright,I will add a CONFIG_SECURITY_SELINUX_AVC_HASH_BITS in security/selinux/Kconfig, the range is between 9 and 14 (512 : 16384), with a default value of 9. And then I will send a new patchset version. I will try to submit the final version in Q1 2026 based on the discussion (Because I have some planned Q4 work that hasn't been completed yet).
Powered by blists - more mailing lists