Stephen Smalley wrote:
>> IIRC sepostgres reimplemented its sidtab and avc because our current one
>> wasn't very friendly to multithread/multiprocess object managers.
>
> Looking back, I think KaiGai's reasons were:
> - he didn't see benefit to the indirection of the AVC SID table since
>   PostgreSQL has to directly manage security contexts for persistent
>   labeling,

Yes, it uses the object identifier, which is associated with a certain text
representation of a security context, as a key to look up its userspace avc.

> - he wanted to enable sharing of the AVC (via shared memory) and the
>   netlink thread among all PostgreSQL instances (processes, not just
>   threads).

The pgsql-hackers didn't like the idea of deploying the userspace avc on the
shared memory segment, so I had to change its implementation.

Now, it puts only a flag to notice avc invalidation for all the server
processes. A background netlink process updates the flag on the shared memory
segment, then the other server processes voluntarily invalidate their userspace
avc deployed on the process local memory prior to looking up.

In addition, the characteristics of database workloads allow more optimization
from a performance perspective. The subject security context of the userspace
avc deployed on the process local memory is unchanged (except for trusted
procedure execution), so SE-PostgreSQL categorizes all the avc entries by
subject context to omit the comparison of the subject context. (Note that the
subject context is not a database object, so it does not have an object
identifier. It requires strcmp() to compare subject contexts.)

Because the database workload (with row level security) needs to look up the
avc entry massive times in a short time, this kind of optimization is very
important. In the past, I tried to compare the subject context to look up the
avc entry, and it recorded 50% of the transactions-per-second of vanilla
PostgreSQL. :(

Thus, now, it is not necessary to consider use cases in SE-PostgreSQL to update
the userspace avc stuff in libselinux.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
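The two design points in the message above (a process-local avc that is voluntarily dropped when a flag in a shared segment changes, and entries bucketed per subject context so a cache hit keys on the object identifier and never does a strcmp() of the subject label) can be sketched as a small simulation. This is an added example, not SE-PostgreSQL's or libselinux's code: the policy table, the OIDs and labels, and the use of a multiprocessing.Value counter as the "shared flag" are all constructed stand-ins, and compute_av() here replaces the real kernel query.

```python
import multiprocessing

# Constructed sample data (not real SE-PostgreSQL policy): one backend subject,
# two relations identified by OID with their persisted labels, and a tiny
# policy mapping (subject, object label, class) -> allowed permissions.
STAFF = "staff_u:staff_r:staff_t:s0"
RELATIONS = {
    16384: "system_u:object_r:sepgsql_table_t:s0",
    16385: "system_u:object_r:sepgsql_secret_table_t:s0",
}
POLICY = {
    (STAFF, "system_u:object_r:sepgsql_table_t:s0", "db_table"): {"select", "insert"},
}

# Stand-in for the flag on the shared memory segment. Assumption: a policy
# generation counter is enough; each backend remembers the generation its
# local cache was filled under and drops the cache when it has moved.
shared_generation = multiprocessing.Value("i", 0)


def netlink_policy_reload():
    """Run by the single background netlink process on a policy event."""
    with shared_generation.get_lock():
        shared_generation.value += 1


def compute_av(scontext, tcontext, tclass):
    """Stand-in for asking the kernel for an access vector (the slow path)."""
    return set(POLICY.get((scontext, tcontext, tclass), set()))


class SubjectAVC:
    """Process-local cache for exactly one subject context.

    Keys are (object OID, class); the subject is fixed for the whole bucket,
    so a hit never compares context strings.
    """

    def __init__(self, scontext):
        self.scontext = scontext
        self.generation = shared_generation.value
        self.entries = {}
        self.misses = 0

    def lookup(self, oid, tclass):
        # Voluntary invalidation: check the shared flag before every lookup.
        current = shared_generation.value
        if current != self.generation:
            self.entries.clear()
            self.generation = current
        key = (oid, tclass)
        allowed = self.entries.get(key)
        if allowed is None:
            self.misses += 1
            tcontext = RELATIONS[oid]  # OID -> persisted security label
            allowed = compute_av(self.scontext, tcontext, tclass)
            self.entries[key] = allowed
        return allowed


class Backend:
    """One server process; one SubjectAVC bucket per subject it has run as."""

    def __init__(self, scontext):
        self.buckets = {}
        self.current = self.bucket_for(scontext)

    def bucket_for(self, scontext):
        if scontext not in self.buckets:
            self.buckets[scontext] = SubjectAVC(scontext)
        return self.buckets[scontext]

    def enter_trusted_procedure(self, new_scontext):
        # The only time the subject changes; switch bucket instead of rekeying.
        self.current = self.bucket_for(new_scontext)

    def permitted(self, oid, tclass, perm):
        return perm in self.current.lookup(oid, tclass)


def demo():
    """Walk through fill, hit, stale hit, shared-flag update and refill."""
    b = Backend(STAFF)
    first = b.permitted(16384, "db_table", "select")   # miss: computed
    second = b.permitted(16384, "db_table", "insert")  # hit: no strcmp
    misses_before = b.current.misses
    POLICY[(STAFF, RELATIONS[16384], "db_table")] = {"select"}  # policy changes
    stale = b.permitted(16384, "db_table", "insert")   # still served from cache
    netlink_policy_reload()                            # flag bumped in shared segment
    fresh = b.permitted(16384, "db_table", "insert")   # cache dropped, recomputed
    return first, second, misses_before, stale, fresh, b.current.misses


if __name__ == "__main__":
    print(demo())
```

The stale hit between the policy change and netlink_policy_reload() is the window the message's design accepts: backends only re-validate when they next look up and the shared flag has moved, so detection of a policy reload is only as fresh as the netlink process that sets it.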