| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cc48748e9dcfa63fbbaeabad0b2536a0f602cb1d.1761217900.git.zhanghongru@xiaomi.com> Date: Thu, 23 Oct 2025 19:29:19 +0800 From: Hongru Zhang <zhanghongru06@...il.com> To: paul@...l-moore.com, stephen.smalley.work@...il.com, omosnace@...hat.com Cc: linux-kernel@...r.kernel.org, selinux@...r.kernel.org, zhanghongru@...omi.com Subject: [PATCH v4 1/3] selinux: Introduce a new config to make avc cache slot size adjustable From: Hongru Zhang <zhanghongru@...omi.com> On mobile device high-load situations, permission check can happen more than 90,000/s (8 core system). With default 512 cache nodes configuration, avc cache miss happens more often and occasionally leads to long time (>2ms) irqs off on both big and little cores, which decreases system real-time capability. An actual call stack is as follows: => avc_compute_av => avc_perm_nonode => avc_has_perm_noaudit => selinux_capable => security_capable => capable => __sched_setscheduler => do_sched_setscheduler => __arm64_sys_sched_setscheduler => invoke_syscall => el0_svc_common => do_el0_svc => el0_svc => el0t_64_sync_handler => el0t_64_sync Although we can expand avc nodes through /sys/fs/selinux/cache_threshold to mitigate long time irqs off, hash conflicts make the bucket average length longer because of the fixed size of cache slots, leading to avc_search_node() latency increase. So introduce a new config to make avc cache slot size also configurable, and with fine tuning, we can mitigate long time irqs off with slightly avc_search_node() performance regression. Theoretically, the main overhead is memory consumption. Signed-off-by: Hongru Zhang <zhanghongru@...omi.com> --- security/selinux/Kconfig | 11 +++++++++++ security/selinux/avc.c | 6 +++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 61abc1e094a8..5588c4d573f6 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -69,6 +69,17 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE If unsure, keep the default value. +config SECURITY_SELINUX_AVC_HASH_BITS + int "SELinux avc hashtable size" + depends on SECURITY_SELINUX + range 9 14 + default 9 + help + This option sets the number of buckets used in the AVC hash table + to 2^SECURITY_SELINUX_AVC_HASH_BITS. A higher value helps maintain + shorter chain lengths especially when expanding AVC nodes via + /sys/fs/selinux/avc/cache_threshold. + config SECURITY_SELINUX_DEBUG bool "SELinux kernel debugging support" depends on SECURITY_SELINUX diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 430b0e23ee00..c12d45e46db6 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -34,9 +34,9 @@ #define CREATE_TRACE_POINTS #include <trace/events/avc.h> -#define AVC_CACHE_SLOTS 512 -#define AVC_DEF_CACHE_THRESHOLD 512 -#define AVC_CACHE_RECLAIM 16 +#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS) +#define AVC_DEF_CACHE_THRESHOLD AVC_CACHE_SLOTS +#define AVC_CACHE_RECLAIM 16 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field) -- 2.43.0
Powered by blists - more mailing lists