On Fri, Nov 3, 2023 at 1:30 PM Jacob Satterfield <jsatterfield.linux@xxxxxxxxx> wrote:
>
> Due to how conditional rules are written in the binary policy, the
> code responsible for loading does not know how many conditional rules
> there are before creating the avtab structure. Instead, it uses the
> number of elements in the non-conditional avtab as a hint and allocates
> the hash table based on it. In the refpolicy and default Fedora policy,
> the actual sizes of these tables are not similar (~85k vs ~10k) thereby
> creating more slots than needed and resulting in wasted memory.
>
> This patch introduces a two-pass algorithm to calculate the conditional
> rule count before allocating the avtab nodes array. Albeit with a slight
> performance penalty in reading a portion of the binary policy twice,
> this causes the number of hash slots for the conditional array to become
> 4096 instead of 32768. At 8 bytes per slot on 64-bit architectures, this
> results in a net savings of 224 KB of heap memory.
>
> Signed-off-by: Jacob Satterfield <jsatterfield.linux@xxxxxxxxx>

Reviewed-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
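The sizing arithmetic behind the numbers quoted above, as an added illustration that is not part of the patch or the kernel tree: the bucket rounding is modelled on the kernel's avtab_alloc() (next power of two above nrules/8, capped at 65536 buckets), while the cond_node_hdr record and the count-then-allocate split are a constructed stand-in for the two-pass idea, not the real binary policy layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_AVTAB_HASH_BUCKETS (1u << 16)

/* Bucket count for a given rule count, modelled on avtab_alloc():
 * one bucket per ~8 rules, rounded up to a power of two, capped. */
uint32_t avtab_nslot(uint32_t nrules)
{
	uint32_t shift = 1, work = nrules >> 3, nslot;

	if (nrules == 0)
		return 0;
	while (work) {
		work >>= 1;
		shift++;
	}
	nslot = 1u << shift;
	return nslot > MAX_AVTAB_HASH_BUCKETS ? MAX_AVTAB_HASH_BUCKETS : nslot;
}

/* Heap bytes consumed by the slot array: one pointer per bucket. */
size_t avtab_slot_bytes(uint32_t nrules)
{
	return (size_t)avtab_nslot(nrules) * sizeof(void *);
}

/* Constructed stand-in for a cond_node record: how many rules sit on
 * its true and false lists. The real policy encoding differs. */
struct cond_node_hdr { uint32_t ntrue; uint32_t nfalse; };

/* Pass 1: walk the records and only count rules; nothing is allocated. */
uint32_t cond_count_rules(const struct cond_node_hdr *nodes, size_t n)
{
	uint32_t total = 0;

	for (size_t i = 0; i < n; i++)
		total += nodes[i].ntrue + nodes[i].nfalse;
	return total;
}

/* Bytes saved by sizing the conditional table from the pass-1 count
 * instead of from the unconditional table's rule count (the old hint). */
size_t cond_hint_waste(uint32_t hint_nrules, uint32_t actual_nrules)
{
	return avtab_slot_bytes(hint_nrules) - avtab_slot_bytes(actual_nrules);
}

int main(void)
{
	printf("hint 85000 -> %u slots, count 10000 -> %u slots, waste %zu B\n",
	       avtab_nslot(85000), avtab_nslot(10000), cond_hint_waste(85000, 10000));
	return 0;
}
```

With the ~85k unconditional and ~10k conditional counts from the message, the waste comes out to 28672 slots, which is 224 KB at 8 bytes per slot.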