Re: [PATCH v3] selinux: reduce the use of hard-coded hash sizes

Ondrej Mosnacek <omosnace@xxxxxxxxxx> · Tue, 3 Mar 2020 09:33:13 +0100

On Tue, Mar 3, 2020 at 12:16 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Mon, Mar 2, 2020 at 2:11 PM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> > On Wed, Feb 26, 2020 at 10:55 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> > >
> > > Instead allocate hash tables with just the right size based on the
> > > actual number of elements (which is almost always known beforehand, we
> > > just need to defer the hashtab allocation to the right time). The only
> > > case when we don't know the size (with the current policy format) is the
> > > new filename transitions hashtable. Here I just left the existing value.
> > >
> > > After this patch, the time to load Fedora policy on x86_64 decreases
> > > from 790 ms to 167 ms. If the unconfined module is removed, it decreases
> > > from 750 ms to 122 ms. It is also likely that other operations are going
> > > to be faster, mainly string_to_context_struct() or mls_compute_sid(),
> > > but I didn't try to quantify that.
> > >
> > > The memory usage of all hash table arrays increases from ~58 KB to
> > > ~163 KB (with Fedora policy on x86_64).
> > >
> > > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > > ---
> >
> > > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
> > > index 32b3a8acf96f..7ca8c74efba3 100644
> > > --- a/security/selinux/ss/policydb.c
> > > +++ b/security/selinux/ss/policydb.c
> > > @@ -503,20 +482,12 @@ static int policydb_init(struct policydb *p)
> > >                 goto out;
> > >         }
> > >
> > > -       p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256);
> > > -       if (!p->range_tr) {
> > > -               rc = -ENOMEM;
> > > -               goto out;
> > > -       }
> > > -
> > >         ebitmap_init(&p->filename_trans_ttypes);
> > >         ebitmap_init(&p->policycaps);
> > >         ebitmap_init(&p->permissive_map);
> > >
> > >         return 0;
> > >  out:
> > > -       hashtab_destroy(p->filename_trans);
> > > -       hashtab_destroy(p->range_tr);
> > >         for (i = 0; i < SYM_NUM; i++) {
> > >                 hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
> > >                 hashtab_destroy(p->symtab[i].table);
> >
> > Sorry, just pointed out to me that this left the symtab destruction
> > code in the out path of policydb_init()
> > even though we are no longer creating them there.  Harmless but should
> > be dropped.
>
> Ondrej, can you submit a cleanup patch for this?

Sure, already on it...

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.