From: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx> This change exposes previously hardcoded AVTab sizing tunables via Kconfig, which provides a more convenient tuning mechanism for downstream distributions. Default sizing is not affected. Signed-off-by: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx> --- Please CC me directly in all replies. security/selinux/Kconfig | 12 ++++++++++++ security/selinux/ss/avtab.h | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index 3a736a1c6806..b7ced53ffd76 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -111,6 +111,18 @@ config SECURITY_SELINUX_AVC_RECLAIM_COUNT cycles to bring AVC size under the threshold. Large values may cause excessive latency of reclamation events. +config SECURITY_SELINUX_AVTAB_HASH_BITS + int "Number of slots (buckets) for AVTab hash table, expressed as number of bits (i.e. 2^n)" + depends on SECURITY_SELINUX + range 1 32 + default "16" + help + This is a power of 2 representing the number of slots (buckets) + used for AVTab hash table. AVTab is the core SELinux database + holding all of the applicable rules. Smaller value reduces memory + footprint at price of hash table lookup efficiency. One bucket + per 10 to 100 rules is reasonable. + config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX diff --git a/security/selinux/ss/avtab.h b/security/selinux/ss/avtab.h index 5fdcb6696bcc..52b3f82ddacd 100644 --- a/security/selinux/ss/avtab.h +++ b/security/selinux/ss/avtab.h @@ -110,7 +110,7 @@ struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key); struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified); -#define MAX_AVTAB_HASH_BITS 16 +#define MAX_AVTAB_HASH_BITS CONFIG_SECURITY_SELINUX_AVTAB_HASH_BITS #define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS) #endif /* _SS_AVTAB_H_ */ -- 2.17.1
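Review bot: in the Kconfig hunk the help text says the value is "the number of slots (buckets) used for AVTab hash table", but the symbol replaces MAX_AVTAB_HASH_BITS, from which avtab.h derives MAX_AVTAB_HASH_BUCKETS, so it is an upper bound on the bucket count rather than the count itself; reword the help to say it caps the hash table size so downstream tuners do not assume a fixed-size table. Minor wording in the same block: "Smaller value reduces memory footprint at price of hash table lookup efficiency" reads better as "A smaller value reduces the memory footprint at the price of hash table lookup efficiency", and the prompt string "Number of slots (buckets) for AVTab hash table, expressed as number of bits (i.e. 2^n)" is long for a menu entry; the detail belongs in help, with a short prompt such as "AVTab hash table size (in bits)".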
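Review bot: in the avtab.h hunk, `#define MAX_AVTAB_HASH_BUCKETS (1 << MAX_AVTAB_HASH_BITS)` is kept while MAX_AVTAB_HASH_BITS now comes from a symbol with `range 1 32`, so at the top of that range the expression becomes `1 << 32`, which overflows a 32-bit int (undefined behaviour in C), and values just below it size a bucket array of billions of entries; the Kconfig range should be tightened to a bound that keeps the shift inside int and the allocation sane (at most 31, and in practice far lower), or the macro should validate the value with a BUILD_BUG_ON. The header also now depends on CONFIG_SECURITY_SELINUX_AVTAB_HASH_BITS being defined; that holds because the symbol depends on SECURITY_SELINUX and has a default, but a comment next to the define noting where the value comes from would help readers of avtab.h.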