Re: [PATCH v2 1/2] selinux: hash context structure directly

On Thu, Apr 16, 2020 at 2:41 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> Always hashing the string representation is inefficient. Just hash the
> contents of the structure directly (using jhash). If the context is
> invalid (str & len are set), then hash the string as before, otherwise
> hash the structured data. Any context that is valid under the given
> policy should always be structured, and also any context that is invalid
> should be never structured, so the hashes should always match for the
> same context. The fact that context_cmp() also follows this logic
> further reinforces this assumption.
>
> Since the context hashing function is now faster (about 10 times), this
> patch decreases the overhead of security_transition_sid(), which is
> called from many hooks.
>
> The jhash function seemed as a good choice, since it is used as the
> default hashing algorithm in rhashtable.
>
> Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
> ---
>  security/selinux/Makefile      |  2 +-
>  security/selinux/ss/context.c  | 24 +++++++++++++++++++++++
>  security/selinux/ss/context.h  |  6 ++++--
>  security/selinux/ss/ebitmap.c  | 14 ++++++++++++++
>  security/selinux/ss/ebitmap.h  |  1 +
>  security/selinux/ss/mls.h      | 11 +++++++++++
>  security/selinux/ss/policydb.c |  7 ++-----
>  security/selinux/ss/services.c | 35 ++++------------------------------
>  security/selinux/ss/services.h |  3 ---
>  9 files changed, 61 insertions(+), 42 deletions(-)
>  create mode 100644 security/selinux/ss/context.c
>
> diff --git a/security/selinux/Makefile b/security/selinux/Makefile
> index 0c77ede1cc11..4d8e0e8adf0b 100644
> --- a/security/selinux/Makefile
> +++ b/security/selinux/Makefile
> @@ -8,7 +8,7 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
>  selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
>              netnode.o netport.o status.o \
>              ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \
> -            ss/policydb.o ss/services.o ss/conditional.o ss/mls.o
> +            ss/policydb.o ss/services.o ss/conditional.o ss/mls.o ss/context.o
>
>  selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
>
> diff --git a/security/selinux/ss/context.c b/security/selinux/ss/context.c
> new file mode 100644
> index 000000000000..cc0895dc7b0f
> --- /dev/null
> +++ b/security/selinux/ss/context.c
> @@ -0,0 +1,24 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Implementations of the security context functions.
> + *
> + * Author: Ondrej Mosnacek <omosnacek@xxxxxxxxx>
> + * Copyright (C) 2018 Red Hat, Inc.
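Review bot: the new file's header carries `Copyright (C) 2018 Red Hat, Inc.` while the patch itself is dated Thu, Apr 16, 2020, and the `Author:` line's address (omosnacek@...) does not match the Signed-off-by address (omosnace@...); update the year and make the two addresses agree before this is merged.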

*facepalm* I just realized I forgot to update the year... again. I'll
fix it along with the added comment.

-- 
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
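The commit message rests on one invariant: a context that is valid under the loaded policy is always structured, an invalid one is always kept as a string, and context_cmp() already follows the same split, so hashing the structured fields for the former and the raw string for the latter can never give two equal contexts different hashes. The following is an added, constructed user-space model of that invariant; it is not the patch's code and not SELinux's. The struct layout, the range fields and the FNV-1a routine standing in for the kernel's jhash are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct context: a context is either
 * "structured" (user/role/type/MLS range resolved against the policy) or
 * "unstructured" (str/len hold the raw string of a context the policy does
 * not know). The field layout is illustrative, not the kernel's. */
struct context {
	uint32_t user;
	uint32_t role;
	uint32_t type;
	uint32_t range_low;   /* stand-in for the MLS range (no ebitmap here) */
	uint32_t range_high;
	uint32_t len;         /* non-zero only for an invalid/unstructured context */
	const char *str;
};

/* Stand-in for jhash: seeded 32-bit FNV-1a over a byte buffer. Chosen only so
 * the example is self-contained; the patch itself uses the kernel's jhash. */
static uint32_t hash_bytes(const void *data, size_t n, uint32_t seed)
{
	const unsigned char *p = data;
	uint32_t h = 2166136261u ^ seed;
	for (size_t i = 0; i < n; i++) {
		h ^= p[i];
		h *= 16777619u;
	}
	return h;
}

/* Mirrors the rule the commit message attributes to context_cmp(): two
 * unstructured contexts are equal iff their strings are equal; a structured
 * and an unstructured context never compare equal; otherwise compare fields. */
int context_cmp(const struct context *a, const struct context *b)
{
	if (a->len && b->len)
		return a->len == b->len && memcmp(a->str, b->str, a->len) == 0;
	if (a->len || b->len)
		return 0;
	return a->user == b->user && a->role == b->role && a->type == b->type &&
	       a->range_low == b->range_low && a->range_high == b->range_high;
}

/* The patch's idea: hash the string only when the context is unstructured;
 * otherwise hash the structured fields and never build the string. Hashing
 * each field separately (rather than the struct as one blob) keeps padding
 * bytes and the str pointer value out of the hash. */
uint32_t context_compute_hash(const struct context *c)
{
	uint32_t h;

	if (c->len)
		return hash_bytes(c->str, c->len, 0);

	h = hash_bytes(&c->user, sizeof(c->user), 0);
	h = hash_bytes(&c->role, sizeof(c->role), h);
	h = hash_bytes(&c->type, sizeof(c->type), h);
	h = hash_bytes(&c->range_low, sizeof(c->range_low), h);
	h = hash_bytes(&c->range_high, sizeof(c->range_high), h);
	return h;
}

/* The invariant the patch relies on: context_cmp() equal => hashes equal.
 * Returns 1 if it holds for the pair, 0 if it is violated. */
int hash_consistent(const struct context *a, const struct context *b)
{
	if (!context_cmp(a, b))
		return 1; /* nothing is required of unequal contexts */
	return context_compute_hash(a) == context_compute_hash(b);
}

int main(void)
{
	/* Constructed sample contexts: two structured copies, one differing in
	 * type, and two unstructured contexts holding the same raw string. */
	struct context s1 = { 1, 2, 3, 0, 0, 0, NULL };
	struct context s2 = { 1, 2, 3, 0, 0, 0, NULL };
	struct context s3 = { 1, 2, 4, 0, 0, 0, NULL };
	const char *raw = "unknown_u:unknown_r:unknown_t:s0";
	struct context u1 = { 0, 0, 0, 0, 0, (uint32_t)strlen(raw), raw };
	struct context u2 = { 0, 0, 0, 0, 0, (uint32_t)strlen(raw), raw };

	printf("s1==s2: %d consistent: %d\n", context_cmp(&s1, &s2), hash_consistent(&s1, &s2));
	printf("s1==s3: %d\n", context_cmp(&s1, &s3));
	printf("u1==u2: %d consistent: %d\n", context_cmp(&u1, &u2), hash_consistent(&u1, &u2));
	printf("s1==u1: %d\n", context_cmp(&s1, &u1));
	return 0;
}
```

The point of the model is the shape of context_compute_hash(): the `len` test selects exactly the same branch that context_cmp() uses to decide which representation to compare, so the two functions cannot disagree about which bytes define a context's identity. If a structured and a string-form context could ever represent the same valid context, the two branches would hash different bytes and a hashed lookup (such as sidtab's) could miss an existing entry; the commit message argues that the policy invariant rules this out.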
