On Thu, Apr 16, 2020 at 4:22 PM Jeffrey Vander Stoep <jeffv@xxxxxxxxxx> wrote:
> Thanks for fixing this!
>
> On Thu, Apr 16, 2020 at 2:41 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > Always hashing the string representation is inefficient. Just hash the
> > contents of the structure directly (using jhash). If the context is
> > invalid (str & len are set), then hash the string as before, otherwise
> > hash the structured data. Any context that is valid under the given
> > policy should always be structured, and also any context that is invalid
> > should be never structured, so the hashes should always match for the
> > same context. The fact that context_cmp() also follows this logic
> > further reinforces this assumption.
> >
> > Since the context hashing function is now faster (about 10 times), this
> > patch decreases the overhead of security_transition_sid(), which is
> > called from many hooks.
> >
> > The jhash function seemed as a good choice, since it is used as the
> > default hashing algorithm in rhashtable.
> >
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> > ---
> > security/selinux/Makefile | 2 +-
> > security/selinux/ss/context.c | 24 +++++++++++++++++++++++
> > security/selinux/ss/context.h | 6 ++++--
> > security/selinux/ss/ebitmap.c | 14 ++++++++++++++
> > security/selinux/ss/ebitmap.h | 1 +
> > security/selinux/ss/mls.h | 11 +++++++++++
> > security/selinux/ss/policydb.c | 7 ++-----
> > security/selinux/ss/services.c | 35 ++++------------------------------
> > security/selinux/ss/services.h | 3 ---
> > 9 files changed, 61 insertions(+), 42 deletions(-)
> > create mode 100644 security/selinux/ss/context.c
> >
> > diff --git a/security/selinux/Makefile b/security/selinux/Makefile
> > index 0c77ede1cc11..4d8e0e8adf0b 100644
> > --- a/security/selinux/Makefile
> > +++ b/security/selinux/Makefile
> > @@ -8,7 +8,7 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
> > selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
> > netnode.o netport.o status.o \
> > ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
> > - ss/policydb.o ss/services.o ss/conditional.o ss/mls.o
> > + ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o
> >
> > selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
> >
> > diff --git a/security/selinux/ss/context.c b/security/selinux/ss/context.c
> > new file mode 100644
> > index 000000000000..cc0895dc7b0f
> > --- /dev/null
> > +++ b/security/selinux/ss/context.c
> > @@ -0,0 +1,24 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/*
> > + * Implementations of the security context functions.
> > + *
> > + * Author: Ondrej Mosnacek <omosnacek@xxxxxxxxx>
> > + * Copyright (C) 2018 Red Hat, Inc.
> > + */
> > +
> > +#include <linux/jhash.h>
> > +
> > +#include "context.h"
> > +#include "mls.h"
> > +
> > +u32 context_compute_hash(const struct context *c)
> > +{
> > + u32 hash = 0;
> > +
>
> You describe why this is safe in the commit message.
> Could that same explanation be a comment here?
> Otherwise it's not clear when reading the code why
> this is safe.
I assume you mean the fact that valid and invalid contexts are hashed
differently? In that case, yes I agree it deserves a comment.
> > + if (c->len)
> > + return full_name_hash(NULL, c->str, c->len);
> > +
> > + hash = jhash_3words(c->user, c->role, c->type, hash);
> > + hash = mls_range_hash(&c->range, hash);
> > + return hash;
> > +}
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
