On Wed, Apr 29, 2020 at 4:29 PM <siarhei.liakh@xxxxxxxxxxxxxxxxx> wrote: > > From: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx> > > This change introduces a median() function which is then used to report > 25th, 50th, and 75th percentile metrics within distributions of hash table > bucket chain lengths. This allows to better assess and compare relative > effectiveness of different hash functions. Specifically, it allows to > ensure new functions not only reduce the maximum, but also improve (or, at > least, have no negative impact) on the median. > > Sample output before change: > > avc: > entries: 508 > buckets used: 213/512 > longest chain: 10 > > policydb: > SELinux: roles: 14 entries and 6/16 buckets used, longest chain length 5 > > Sample output after the change: > > avc: > entries: 508 > buckets used: 217/512 > longest chain: 9 > non-zero chain Q1/Med/Q3: 1/2/3 > > policydb: > SELinux: roles: 14 entries and 6/16 buckets used, longest chain length 5 > non-zero Q1/Med/Q3 1/2/4 > > Signed-off-by: Siarhei Liakh <siarhei.liakh@xxxxxxxxxxxxxxxxx> > --- > Please CC me directly on all replies. > > security/selinux/Kconfig | 10 +++++ > security/selinux/avc.c | 42 ++++++++++++++++--- > security/selinux/include/median.h | 67 +++++++++++++++++++++++++++++++ > security/selinux/ss/avtab.c | 37 ++++++++++++++--- > security/selinux/ss/hashtab.c | 28 ++++++++++++- > security/selinux/ss/hashtab.h | 5 +++ > security/selinux/ss/policydb.c | 14 ++++--- > 7 files changed, 185 insertions(+), 18 deletions(-) > create mode 100644 security/selinux/include/median.h > > diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig > index 9e921fc72538..57c427e019c9 100644 > --- a/security/selinux/Kconfig > +++ b/security/selinux/Kconfig 
> @@ -115,3 +115,13 @@ config SECURITY_SELINUX_SID2STR_CACHE_SIZE > conversion. Setting this option to 0 disables the cache completely. > > If unsure, keep the default value. > + > +config SECURITY_SELINUX_DEBUG_HASHES > + bool "Print additional information about hash tables" > + depends on SECURITY_SELINUX > + default n > + help > + This option allows to gather and display additional information about > + some of the key hash tables within SELinux. > + > + If unsure, keep the default value. I forgot to mention this earlier, but I think this is another case where we don't need to add another Kconfig option. -- paul moore www.paul-moore.com
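Review bot: The help text of the new SECURITY_SELINUX_DEBUG_HASHES entry in the security/selinux/Kconfig hunk is too vague to act on: "some of the key hash tables" does not name the tables, and nothing says what is printed or where it shows up. Going by the commit message and the diffstat, the affected code is avc.c, ss/avtab.c, ss/hashtab.c and ss/policydb.c, and the extra output is the Q1/Med/Q3 of the non-zero bucket chain lengths, so the help text should state that, and should mention any runtime cost of computing the median, so that "If unsure, keep the default value" is an informed choice. The phrase "allows to gather" should also read "allows gathering". If the option is dropped, as the reply suggests, the help text goes with it and the statistics code needs some other gate or none at all.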