As the refpolicy and the default Fedora policy continue to grow in size, especially with regard to rules / access vectors, the memory usage of the policydb and runtime to search through it increases. Looking at /proc/slabinfo indicates that the avtab_node_cachep kmem_cache is significantly responsible for overall memory usage and was a good target for optimizations. Running "perf record" on the "load_policy" command shows that a majority of time is spent adding rules into the avtab. This patch series is an at optimizing these hot spots within the security server implementation to help it scale with additional rules in the future. All patches are independent of each other. Patches 1-3 are a series of refactors of the internal avtab.c interfaces and code paths with no logic changes. It removes duplicative code and homogenizes access patterns. Patch 4 changes avtab to use arrays instead of a kmem_cache for individual nodes of the hastable. Jacob Satterfield (4): selinux: simplify avtab_insert_node() prototype selinux: refactor avtab_node comparisons selinux: avtab iteration macros selinux: use arrays for avtab hashtable nodes security/selinux/ss/avtab.c | 206 ++++++++++++++---------------- security/selinux/ss/avtab.h | 4 +- security/selinux/ss/conditional.c | 37 ++++-- security/selinux/ss/conditional.h | 2 +- 4 files changed, 123 insertions(+), 126 deletions(-) -- 2.41.0
