diff options
author | Casey Schaufler <casey@schaufler-ca.com> | 2011-09-20 12:24:36 -0700 |
---|---|---|
committer | Casey Schaufler <cschaufler@cschaufler-intel.(none)> | 2011-10-12 14:23:13 -0700 |
commit | 272cd7a8c67dd40a31ecff76a503bbb84707f757 (patch) | |
tree | 467f83c94eb14f8f34508efe891c0dcc62a7ac24 /security/smack/smack.h | |
parent | 828716c28fe4aa232ea280ea8ed6fb103eefb6ac (diff) |
Smack: Rule list lookup performance
This patch is targeted for the smack-next tree.
Smack access checks suffer from two significant performance
issues. In cases where there are large numbers of rules the
search of the single list of rules is wasteful. Comparing the
string values of the smack labels is less efficient than a
numeric comparison would.
These changes take advantage of the Smack label list, which
maintains the mapping of Smack labels to secids and optional
CIPSO labels. Because the labels are kept perpetually, an
access check can be done strictly based on the address of the
label in the list without ever looking at the label itself.
Rather than keeping one global list of rules the rules with
a particular subject label can be based off of that label
list entry. The access check need never look at entries that
do not use the current subject label.
This requires that packets coming off the network with
CIPSO direct Smack labels that have never been seen before
be treated carefully. The only case where they could be
delivered is where the receiving socket has an IPIN star
label, so that case is explicitly addressed.
On a system with 39,800 rules (200 labels in all permutations)
a system with this patch runs an access speed test in 5% of
the time of the old version. That should be a best case
improvement. If all of the rules are associated with the
same subject label and all of the accesses are for processes
with that label (unlikely) the improvement is about 30%.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Diffstat (limited to 'security/smack/smack.h')
-rw-r--r-- | security/smack/smack.h | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index 2b6c6a516123..174d3be9aaee 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -41,9 +41,9 @@ struct superblock_smack { }; struct socket_smack { - char *smk_out; /* outbound label */ - char *smk_in; /* inbound label */ - char smk_packet[SMK_LABELLEN]; /* TCP peer label */ + char *smk_out; /* outbound label */ + char *smk_in; /* inbound label */ + char *smk_packet; /* TCP peer label */ }; /* @@ -116,13 +116,19 @@ struct smk_netlbladdr { * If there is a cipso value associated with the label it * gets stored here, too. This will most likely be rare as * the cipso direct mapping in used internally. + * + * Keep the access rules for this subject label here so that + * the entire set of rules does not need to be examined every + * time. */ struct smack_known { struct list_head list; char smk_known[SMK_LABELLEN]; u32 smk_secid; struct smack_cipso *smk_cipso; - spinlock_t smk_cipsolock; /* for changing cipso map */ + spinlock_t smk_cipsolock; /* for changing cipso map */ + struct list_head smk_rules; /* access rules */ + struct mutex smk_rules_lock; /* lock for the rules */ }; /* @@ -201,10 +207,11 @@ int smk_access_entry(char *, char *, struct list_head *); int smk_access(char *, char *, int, struct smk_audit_info *); int smk_curacc(char *, u32, struct smk_audit_info *); int smack_to_cipso(const char *, struct smack_cipso *); -void smack_from_cipso(u32, char *, char *); +char *smack_from_cipso(u32, char *); char *smack_from_secid(const u32); char *smk_import(const char *, int); struct smack_known *smk_import_entry(const char *, int); +struct smack_known *smk_find_entry(const char *); u32 smack_to_secid(const char *); /* @@ -223,7 +230,6 @@ extern struct smack_known smack_known_star; extern struct smack_known smack_known_web; extern struct list_head smack_known_list; -extern struct list_head smack_rule_list; extern struct list_head smk_netlbladdr_list; extern struct security_operations smack_ops; |