From: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx>

This change exposes previously hardcoded AVC sizing tunables via Kconfig, which provides a more convenient tuning mechanism for downstream distributions. Default sizing is not affected.

Signed-off-by: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx>
---
Please CC me directly in all replies.

 security/selinux/Kconfig | 32 ++++++++++++++++++++++++++++++++
 security/selinux/avc.c | 6 +++---
 2 files changed, 35 insertions(+), 3 deletions(-)

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 4b5c9fa510a1..3a736a1c6806 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -79,6 +79,38 @@ config SECURITY_SELINUX_AVC_STATS
 	  /sys/fs/selinux/avc/cache_stats, which may be monitored via
 	  tools such as avcstat.
 
+config SECURITY_SELINUX_AVC_DEF_THRESHOLD
+	int "Default value for AVC reclamation threshold"
+	depends on SECURITY_SELINUX
+	range 64 1048576
+	default "512"
+	help
+	  Reclamation threshold effectively sets a limit on AVC size.
+	  Increasing this number could improve performance of busy
+	  systems with lots of complex policies. Threshold value can
+	  also be changed at run-time via selinuxfs.
+
+config SECURITY_SELINUX_AVC_HASH_BITS
+	int "Number of slots (buckets) for AVC hash table, expressed as number of bits (i.e. 2^n)"
+	depends on SECURITY_SELINUX
+	range 1 32
+	default "9"
+	help
+	  This is a power of 2 representing the number of slots (buckets)
+	  used for AVC hash table. Smaller value reduces memory footprint
+	  at price of hash table lookup efficiency.
+
+config SECURITY_SELINUX_AVC_RECLAIM_COUNT
+	int "Number of AVC entries to reclaim in a single cycle"
+	depends on SECURITY_SELINUX
+	range 1 SECURITY_SELINUX_AVC_DEF_THRESHOLD
+	default "16"
+	help
+	  A single reclamation cycle will evict this many AVC entries
+	  from the cache. Small values may require multiple reclamation
+	  cycles to bring AVC size under the threshold. Large values may
+	  cause excessive latency of reclamation events.
+
 config SECURITY_SELINUX_CHECKREQPROT_VALUE
 	int "NSA SELinux checkreqprot default value"
 	depends on SECURITY_SELINUX
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b5893621290b..80af3d1f31fd 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
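Review bot: The `range 1 32` on SECURITY_SELINUX_AVC_HASH_BITS admits values the consuming macro in the avc.c hunk cannot handle: `AVC_CACHE_SLOTS` becomes `(1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)`, and shifting a 32-bit `int` by 31 or 32 is undefined behavior, while values in the twenties produce a slot count that, if the static per-slot list-head and lock arrays in avc.c are still sized by `AVC_CACHE_SLOTS`, would cost gigabytes of .bss. A tighter bound such as `range 1 16` keeps the shift well-defined and the table bounded, and a `BUILD_BUG_ON(CONFIG_SECURITY_SELINUX_AVC_HASH_BITS > 16)` in avc.c would catch a bad value even when this Kconfig is edited later. The help text could also tell downstream tuners what the default corresponds to, e.g. `The default of 9 (512 slots) matches the previously fixed size.`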
@@ -31,9 +31,9 @@
 #include "avc_ss.h"
 #include "classmap.h"
 
-#define AVC_CACHE_SLOTS 512
-#define AVC_DEF_CACHE_THRESHOLD 512
-#define AVC_CACHE_RECLAIM 16
+#define AVC_CACHE_SLOTS (1 << CONFIG_SECURITY_SELINUX_AVC_HASH_BITS)
+#define AVC_DEF_CACHE_THRESHOLD CONFIG_SECURITY_SELINUX_AVC_DEF_THRESHOLD
+#define AVC_CACHE_RECLAIM CONFIG_SECURITY_SELINUX_AVC_RECLAIM_COUNT
 
 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
 #define avc_cache_stats_incr(field) this_cpu_inc(avc_cache_stats.field)
-- 
2.17.1
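Review bot: The new `AVC_CACHE_SLOTS` definition preserves an invariant that the old literal `512` only satisfied by coincidence, but nothing says so; if the slot index is still derived by masking the hash with `AVC_CACHE_SLOTS - 1` elsewhere in avc.c, a future switch of this macro to a plain Kconfig integer would silently break lookups. A one-line comment above the define would pin that down, e.g. `/* Must stay a power of two: slot selection masks with AVC_CACHE_SLOTS - 1. */`. Expressing the Kconfig knob as a bit count (rather than a slot count) is the right call for exactly this reason and is worth stating in the commit message as well.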