Commit 7cae7e26 authored by James Morris Committed by Linus Torvalds

[PATCH] SELinux: add slab cache for inode security struct

Add a slab cache for the SELinux inode security struct, one of which is
allocated for every inode instantiated by the system.

The memory savings are considerable.

On 64-bit, instead of the size-128 cache, we have a slab object of 96
bytes, saving 32 bytes per object.  After booting, I see about 4000 of
these and then about 17,000 after a kernel compile.  With this patch, we
save around 530KB of kernel memory in the latter case.  On 32-bit, the
savings are about half of this.
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent cf01efd0
...@@ -117,6 +117,8 @@ static struct security_operations *secondary_ops = NULL; ...@@ -117,6 +117,8 @@ static struct security_operations *secondary_ops = NULL;
static LIST_HEAD(superblock_security_head); static LIST_HEAD(superblock_security_head);
static DEFINE_SPINLOCK(sb_security_lock); static DEFINE_SPINLOCK(sb_security_lock);
static kmem_cache_t *sel_inode_cache;
/* Allocate and free functions for each kind of security blob. */ /* Allocate and free functions for each kind of security blob. */
static int task_alloc_security(struct task_struct *task) static int task_alloc_security(struct task_struct *task)
...@@ -146,10 +148,11 @@ static int inode_alloc_security(struct inode *inode) ...@@ -146,10 +148,11 @@ static int inode_alloc_security(struct inode *inode)
struct task_security_struct *tsec = current->security; struct task_security_struct *tsec = current->security;
struct inode_security_struct *isec; struct inode_security_struct *isec;
isec = kzalloc(sizeof(struct inode_security_struct), GFP_KERNEL); isec = kmem_cache_alloc(sel_inode_cache, SLAB_KERNEL);
if (!isec) if (!isec)
return -ENOMEM; return -ENOMEM;
memset(isec, 0, sizeof(*isec));
init_MUTEX(&isec->sem); init_MUTEX(&isec->sem);
INIT_LIST_HEAD(&isec->list); INIT_LIST_HEAD(&isec->list);
isec->inode = inode; isec->inode = inode;
...@@ -172,7 +175,7 @@ static void inode_free_security(struct inode *inode) ...@@ -172,7 +175,7 @@ static void inode_free_security(struct inode *inode)
spin_unlock(&sbsec->isec_lock); spin_unlock(&sbsec->isec_lock);
inode->i_security = NULL; inode->i_security = NULL;
kfree(isec); kmem_cache_free(sel_inode_cache, isec);
} }
static int file_alloc_security(struct file *file) static int file_alloc_security(struct file *file)
...@@ -4406,6 +4409,9 @@ static __init int selinux_init(void) ...@@ -4406,6 +4409,9 @@ static __init int selinux_init(void)
tsec = current->security; tsec = current->security;
tsec->osid = tsec->sid = SECINITSID_KERNEL; tsec->osid = tsec->sid = SECINITSID_KERNEL;
sel_inode_cache = kmem_cache_create("selinux_inode_security",
sizeof(struct inode_security_struct),
0, SLAB_PANIC, NULL, NULL);
avc_init(); avc_init();
original_ops = secondary_ops = security_ops; original_ops = secondary_ops = security_ops;
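Review bot: The `memset(isec, 0, sizeof(*isec));` added in inode_alloc_security now carries the zeroing guarantee that kzalloc used to provide, and nothing in the hunk says so. Objects from `sel_inode_cache` are recycled from earlier inodes, so every field not explicitly set afterwards depends on that memset to avoid inheriting a previous inode's labelling state. I would add a short comment above it, for example `/* slab objects are recycled: clear state left by a previous inode */`, so a later cleanup does not drop the call as redundant. In selinux_init the cache is created with SLAB_PANIC, which appears to be why no NULL check follows; a comment such as `/* SLAB_PANIC: boot cannot continue without this cache */` would make that explicit. Both function bodies continue outside the hunks shown.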