As the refpolicy and the default Fedora policy continue to grow in size, especially with regard to rules / access vectors, the memory usage of the policydb and runtime to search through it increases. Looking at /proc/slabinfo indicates that the avtab_node_cachep kmem_cache is significantly responsible for overall memory usage and was a good target for optimizations. Running "perf record" on the "load_policy" command shows that a majority of time is spent adding rules into the avtab. This patch series is a first attempt at optimizing these hot spots within the security server implementation to help it scale with additional rules in the future. Patches 1-2 deal specifically with the hashtable implementation within avtab and how memory is allocated for individual nodes. Patch 3 is a runtime optimization discovered through profiling the "load_policy". Jacob Satterfield (3): selinux: use arrays for avtab hashtable nodes selinux: shrink conditional avtab node array selinux: hweight optimization in avtab_read_item security/selinux/ss/avtab.c | 143 ++++++++++++++++++------------ security/selinux/ss/avtab.h | 36 ++++++-- security/selinux/ss/conditional.c | 57 +++++++----- security/selinux/ss/conditional.h | 2 +- security/selinux/ss/services.c | 20 +++-- 5 files changed, 166 insertions(+), 92 deletions(-) -- 2.41.0
