On Nov 3, 2023 Jacob Satterfield <jsatterfield.linux@xxxxxxxxx> wrote:
>
> Due to how conditional rules are written in the binary policy, the
> code responsible for loading does not know how many conditional rules
> there are before creating the avtab structure. Instead, it uses the
> number of elements in the non-conditional avtab as a hint and allocates
> the hash table based on it. In the refpolicy and default Fedora policy,
> the actual sizes of these tables are not similar (~85k vs ~10k) thereby
> creating more slots than needed and resulting in wasted memory.
>
> This patch introduces a two-pass algorithm to calculate the conditional
> rule count before allocating the avtab nodes array. Albeit with a slight
> performance penalty in reading a portion of the binary policy twice,
> this causes the number of hash slots for the conditional array to become
> 4096 instead of 32768. At 8-bytes per slot on 64-bit architectures, this
> results in a net savings of 224 KB of heap memory.
>
> Signed-off-by: Jacob Satterfield <jsatterfield.linux@xxxxxxxxx>
> Reviewed-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> security/selinux/ss/avtab.c | 15 ++++++++++--
> security/selinux/ss/avtab.h | 2 +-
> security/selinux/ss/conditional.c | 38 ++++++++++++++++++++-----------
> security/selinux/ss/conditional.h | 2 +-
> 4 files changed, 40 insertions(+), 17 deletions(-)
...
> diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c
> index 81ff676f209a..810319bf0e60 100644
> --- a/security/selinux/ss/conditional.c
> +++ b/security/selinux/ss/conditional.c
> @@ -407,16 +408,17 @@ static int cond_read_node(struct policydb *p, struct cond_node *node, void *fp)
> return -EINVAL;
> }
>
> - rc = cond_read_av_list(p, fp, &node->true_list, NULL);
> + rc = cond_read_av_list(p, fp, &node->true_list, NULL, nrules);
> if (rc)
> return rc;
> - return cond_read_av_list(p, fp, &node->false_list, &node->true_list);
> + return cond_read_av_list(p, fp, &node->false_list, &node->true_list, nrules);
> }
>
> -int cond_read_list(struct policydb *p, void *fp)
> +int cond_read_list(struct policydb *p, struct policy_file *fp)
> {
> __le32 buf[1];
> - u32 i, len;
> + struct policy_file tmp_fp;
> + u32 i, len, nrules;
> int rc;
>
> rc = next_entry(buf, fp, sizeof(buf));
> @@ -428,15 +430,25 @@ int cond_read_list(struct policydb *p, void *fp)
> p->cond_list = kcalloc(len, sizeof(*p->cond_list), GFP_KERNEL);
> if (!p->cond_list)
> return -ENOMEM;
> + p->cond_list_len = len;
> +
> + /* first pass to only calculate the avrule count */
> + tmp_fp = *fp;
> + nrules = 0;
> + for (i = 0; i < p->cond_list_len; i++) {
> + rc = cond_read_node(p, &p->cond_list[i], &tmp_fp, &nrules);
> + if (rc)
> + goto err;
> + cond_node_destroy(&p->cond_list[i]);
> + }
I'm a concerned about all the work we have to do just to count the
conditional rules. Other than not working with existing binary
policies, have you looked at bumping the policy version and introducing
a binary format change that would include the number of conditional
rules?
--
paul-moore.com
