On Fri, Jan 6, 2023 at 3:30 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>
> On Mon, Dec 12, 2022 at 10:40 PM Alexander Kozhevnikov
> <alexander.kozhevnikov@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > This patch is a proposed code optimization for SELinux:
> >
> > 1) Each inode has an SELinux security structure attached
> > to it; this one needs to be initialized at some point.
> > 2) This initialization is done by the function
> > inode_doinit_with_dentry().
> > 3) In the kernel releases started from some point in the past
> > this function (2) is always called normally from function
> > __inode_security_revalidate().
> > 4) Which in turn is always called from inode_security(), which
> > is a base point for any selinux calls and always called on
> > any access to any inode except a few special cases when
> > _inode_security_novalidate() is used.
> > 5) Inode security structure initialization can be done only after
> > SELinux is fully initialized and policy is loaded.
> > 6) So, for this purpose there was a special deferred inode security
> > initialization list protected by a spinlock implemented, which was
> > populated instead of isec initialization in function
> > inode_doinit_with_dentry(), if it was called before SELinux full
> > initialization, and processed at the time when SELinux policy load
> > occurred by calling again inode_doinit_with_dentry() on each inode
> > in this list.
> > 7) This list was a part of a default initialization logic before (3) was
> > implemented, but now, taking into account the new mechanism implemented
> > with the current approach of inode security revalidation on each access
> > (4)-(3)-(2), it looks obsolete and not needed anymore.
> > 8) So deferred initialization, this list and the code associated with it can
> > be safely removed now, as anyway, if the inode isec was not initialized
> > before, it will be processed on any next inode access.
> > 9) Another case for calling inode_doinit_with_dentry() is when a new
> > dentry is created. This is done by a call from d_instantiate(). When
> > the deferred initialization list is removed it would be useful to
> > also check for SELinux initialization status here before calling
> > inode_doinit_with_dentry() like it is done in
> > __inode_security_revalidate().
> > 10) There are two possible positive consequences from this removal:
> > a. Cleaner and simpler code, less memory consumption;
> > b. This deferred initialization in some cases (for example SELinux
> > was switched on manually after the system was up quite a long time)
> > could take some significant time to process, i.e. the system looks
> > hung for some notable time. And now this is avoided.
> >
> > Signed-off-by: Alexander Kozhevnikov <alexander.kozhevnikov@xxxxxxxxxxxxxxxxxxx>
> > ---
> > security/selinux/hooks.c | 91 ++++--------------------------
> > security/selinux/include/objsec.h | 3 -
> > 2 files changed, 11 insertions(+), 83 deletions(-)
>
> Merged into selinux/next with some minor style and grammar fixes,
> thanks Alexander!

Unfortunately I just had to back this commit out of selinux/next as the
automated testing using the selinux-testsuite failed on my Fedora Rawhide
test system. Please verify that this patch passes the selinux-testsuite on
a modern Fedora Rawhide install using Linux v6.2-rc2 as a base.

--
paul-moore.com