From: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx> This change exposes previously hardcoded filename_tr sizing via Kconfig, which provides a more convenient tuning mechanism for downstream distributions. Default sizing is not affected. Signed-off-by: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx> --- Please CC me directly in all replies. security/selinux/Kconfig | 10 ++++++++++ security/selinux/ss/policydb.c | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig index b7ced53ffd76..23ec741b1ce6 100644 --- a/security/selinux/Kconfig +++ b/security/selinux/Kconfig @@ -123,6 +123,16 @@ config SECURITY_SELINUX_AVTAB_HASH_BITS footprint at price of hash table lookup efficiency. One bucket per 10 to 100 rules is reasonable. +config SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS + int "Number of slots (buckets) for File Transitions hash table, expressed as number of bits (i.e. 2^n)" + depends on SECURITY_SELINUX + range 1 32 + default "11" + help + This is a power of 2 representing the number of slots (buckets) + used for File Transitions hash table. Smaller value reduces memory + footprint at price of hash table lookup efficiency. + config SECURITY_SELINUX_CHECKREQPROT_VALUE int "NSA SELinux checkreqprot default value" depends on SECURITY_SELINUX diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index 0d03036ca20d..f2d809dffb25 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -496,7 +496,8 @@ static int policydb_init(struct policydb *p) cond_policydb_init(p); p->filename_trans = hashtab_create(filenametr_hash, filenametr_cmp, - (1 << 11)); + (1 << CONFIG_SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS)); + if (!p->filename_trans) return -ENOMEM; -- 2.17.1
