From: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx>
This change exposes previously hardcoded netport sizing tunables via Kconfig, which provides a more convenient tuning mechanism for downstream distributions. Default sizing is not affected.
Signed-off-by: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx>
---
Please CC me directly in all replies.
 security/selinux/Kconfig | 20 ++++++++++++++++++++
 security/selinux/netport.c | 4 ++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 23ec741b1ce6..d65626142bcf 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -133,6 +133,26 @@ config SECURITY_SELINUX_PDB_FILE_TR_HASH_BITS
 used for File Transitions hash table. Smaller value reduces memory footprint at price of hash table lookup efficiency.
+config SECURITY_SELINUX_NETPORT_HASH_BITS
+ int "Number of slots (buckets) for Netport hash table, expressed as number of bits (i.e. 2^n)"
+ depends on SECURITY_SELINUX
+ range 1 16
+ default "8"
+ help
+ This is a power of 2 representing the number of slots (buckets)
+ used for Netport hash table. Smaller value reduces memory
+ footprint at price of hash table lookup efficiency.
+
+config SECURITY_SELINUX_NETPORT_HASH_BLIMIT
+ int "Bucket size limit for Netport hash table."
+ depends on SECURITY_SELINUX
+ range 1 131072
+ default "16"
+ help
+ This is a an upper limit on number of entries a bucket can hold
+ within Netport hash. Lower values conserve memory at price of
+ more expensive lookups when a Netport cache miss occurs.
+
 config SECURITY_SELINUX_CHECKREQPROT_VALUE
 int "NSA SELinux checkreqprot default value"
 depends on SECURITY_SELINUX
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index de727f7489b7..ef8e9abcadf7 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
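Review bot: The help text of SECURITY_SELINUX_NETPORT_HASH_BLIMIT has a typo, `This is a an upper limit on number of entries a bucket can hold`, which should read `This is an upper limit on the number of entries a bucket can hold`. The prompt `Bucket size limit for Netport hash table.` also ends with a period, unlike the other prompts in this hunk. Since this limit is what bounds each bucket when the cache fills, the help would be more useful if it stated what happens at the limit; if netport.c still evicts the oldest entry in that case, a sentence such as `When a bucket is full, the oldest entry is evicted to make room.` would document it. Both help texts could also note that the defaults of 8 bits and 16 reproduce the previously hardcoded sizes (256 buckets, 16 entries), which the netport.c hunk confirms.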
@@ -32,8 +32,8 @@
 #include "netport.h"
 #include "objsec.h"
-#define SEL_NETPORT_HASH_SIZE 256
-#define SEL_NETPORT_HASH_BKT_LIMIT 16
+#define SEL_NETPORT_HASH_SIZE (1 << CONFIG_SECURITY_SELINUX_NETPORT_HASH_BITS)
+#define SEL_NETPORT_HASH_BKT_LIMIT CONFIG_SECURITY_SELINUX_NETPORT_HASH_BLIMIT
 struct sel_netport_bkt {
 int size;
-- 
2.17.1
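Review bot: The two new defines give no hint that SEL_NETPORT_HASH_SIZE must remain a power of two, which the `1 << CONFIG_SECURITY_SELINUX_NETPORT_HASH_BITS` form guarantees and which matters if the bucket index is derived by masking with `SEL_NETPORT_HASH_SIZE - 1` elsewhere in this file. A short comment above them would make the link to the Kconfig symbols and their ranges explicit, e.g. `/* Sized from CONFIG_SECURITY_SELINUX_NETPORT_HASH_{BITS,BLIMIT}: HASH_SIZE is a power of two (1..16 bits), BKT_LIMIT bounds each bucket's list (1..131072). */`. The Kconfig defaults of 8 bits and 16 reproduce the removed constants 256 and 16, so the commit's claim that default sizing is unchanged holds. `struct sel_netport_bkt` continues outside the hunk.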