On Wed, Sep 6, 2023 at 11:46 AM Jacob Satterfield <jsatterfield.linux@xxxxxxxxx> wrote:
>
> Due to how conditional rules are written in the binary policy, the
> code responsible for loading does not know how many conditional rules
> there are before creating the avtab structure. Instead, it uses the
> number of elements in the non-conditional avtab as a hint and allocates
> the hash table based on it. Therefore, pre-allocating an array of nodes
> based on this hint over-allocates at best and under-allocates at worst.
>
> This patch includes two functions, avtab_grow_nodes and
> avtab_shrink_nodes, which help manage the size of the nodes array in the
> unlikely case when there are more conditional rules than non-conditional
> and in the likely case when there are more non-conditional rules than
> conditional rules respectively.
>
> This patch required struct cond_av_list to become an array of indices
> instead of pointers so that the nodes array can be copied and moved.
> This conveniently results in a reduction of memory usage on 64-bit archs
> as pointers become u32 integers.
>
> Future improvements to the binary policy to provide the correct hint to
> the loader code will make these functions obsolete. But as this would be
> a breaking change to the format, it is not a part of this patch series.
>
> Signed-off-by: Jacob Satterfield <jsatterfield.linux@xxxxxxxxx>

Reviewed-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>

> ---
>  security/selinux/ss/avtab.c       | 61 +++++++++++++++++++++++++------
>  security/selinux/ss/avtab.h       |  8 ++--
>  security/selinux/ss/conditional.c | 46 ++++++++++++++---------
>  security/selinux/ss/conditional.h |  2 +-
>  4 files changed, 84 insertions(+), 33 deletions(-)
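The grow/shrink handling and the index-based cond list described in the quoted message, as an added illustration in C that is not the kernel's avtab code: node_pool, grow_nodes, shrink_nodes, insert_node and load_with_hint are hypothetical, simplified stand-ins. It sizes the array from a possibly wrong hint, grows it when more rules arrive than the hint allowed for, trims it once the real count is known, and shows why stored indices keep resolving across those reallocations where saved pointers would dangle.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical stand-ins for the avtab node array; not the SELinux code. */
struct node { uint32_t key; };
struct node_pool { struct node *nodes; uint32_t nel, cap; };

/* Under-allocated (hint too small): double the array, overflow-checked. */
static int grow_nodes(struct node_pool *p)
{
    if (p->cap > UINT32_MAX / 2) return -1;
    struct node *n = realloc(p->nodes, (size_t)p->cap * 2 * sizeof(*n));
    if (!n) return -1;
    p->nodes = n; p->cap *= 2;
    return 0;
}
/* Over-allocated (hint too large): trim to the count actually loaded. */
static int shrink_nodes(struct node_pool *p)
{
    uint32_t want = p->nel ? p->nel : 1;
    struct node *n = realloc(p->nodes, (size_t)want * sizeof(*n));
    if (!n) return -1;
    p->nodes = n; p->cap = want;
    return 0;
}
/* Append a node, returning its index (-1 on failure). Callers keep the index, not
 * &p->nodes[i]: either realloc above may move the whole array. */
static int64_t insert_node(struct node_pool *p, uint32_t key)
{
    if (p->nel == p->cap && grow_nodes(p)) return -1;
    p->nodes[p->nel].key = key;
    return (int64_t)p->nel++;
}
/* Load `count` constructed rules into a pool sized from `hint`, recording each in
 * an index-based cond list; return final capacity, or -1 if any index broke. */
static int64_t load_with_hint(uint32_t hint, uint32_t count, uint32_t *cond_idx)
{
    struct node_pool p = { calloc(hint ? hint : 1, sizeof(struct node)), 0, hint ? hint : 1 };
    int64_t rc = -1;
    if (!p.nodes) return -1;
    for (uint32_t i = 0; i < count; i++) {
        int64_t ix = insert_node(&p, 1000 + i);
        if (ix < 0) goto out;
        cond_idx[i] = (uint32_t)ix;
    }
    if (shrink_nodes(&p)) goto out;
    rc = p.cap;  /* now equals count: neither over- nor under-allocated */
    for (uint32_t i = 0; i < count; i++)
        if (p.nodes[cond_idx[i]].key != 1000 + i) rc = -1;
out:
    free(p.nodes);
    return rc;
}
```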