Commit e0ac568d authored by Ondrej Mosnacek's avatar Ondrej Mosnacek Committed by Paul Moore

selinux: reduce the use of hard-coded hash sizes

Instead allocate hash tables with just the right size based on the
actual number of elements (which is almost always known beforehand, we
just need to defer the hashtab allocation to the right time). The only
case when we don't know the size (with the current policy format) is the
new filename transitions hashtable. Here I just left the existing value.

After this patch, the time to load Fedora policy on x86_64 decreases
from 790 ms to 167 ms. If the unconfined module is removed, it decreases
from 750 ms to 122 ms. It is also likely that other operations are going
to be faster, mainly string_to_context_struct() or mls_compute_sid(),
but I didn't try to quantify that.

The memory usage of all hash table arrays increases from ~58 KB to
~163 KB (with Fedora policy on x86_64).
Signed-off-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent e4cfa05e
...@@ -12,12 +12,29 @@ ...@@ -12,12 +12,29 @@
static struct kmem_cache *hashtab_node_cachep; static struct kmem_cache *hashtab_node_cachep;
/*
* Here we simply round the number of elements up to the nearest power of two.
* I tried also other options like rouding down or rounding to the closest
* power of two (up or down based on which is closer), but I was unable to
* find any significant difference in lookup/insert performance that would
* justify switching to a different (less intuitive) formula. It could be that
* a different formula is actually more optimal, but any future changes here
* should be supported with performance/memory usage data.
*
* The total memory used by the htable arrays (only) with Fedora policy loaded
* is approximately 163 KB at the time of writing.
*/
static u32 hashtab_compute_size(u32 nel)
{
return nel == 0 ? 0 : roundup_pow_of_two(nel);
}
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
u32 size) u32 nel_hint)
{ {
struct hashtab *p; struct hashtab *p;
u32 i; u32 i, size = hashtab_compute_size(nel_hint);
p = kzalloc(sizeof(*p), GFP_KERNEL); p = kzalloc(sizeof(*p), GFP_KERNEL);
if (!p) if (!p)
...@@ -27,6 +44,9 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void * ...@@ -27,6 +44,9 @@ struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *
p->nel = 0; p->nel = 0;
p->hash_value = hash_value; p->hash_value = hash_value;
p->keycmp = keycmp; p->keycmp = keycmp;
if (!size)
return p;
p->htable = kmalloc_array(size, sizeof(*p->htable), GFP_KERNEL); p->htable = kmalloc_array(size, sizeof(*p->htable), GFP_KERNEL);
if (!p->htable) { if (!p->htable) {
kfree(p); kfree(p);
...@@ -46,7 +66,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum) ...@@ -46,7 +66,7 @@ int hashtab_insert(struct hashtab *h, void *key, void *datum)
cond_resched(); cond_resched();
if (!h || h->nel == HASHTAB_MAX_NODES) if (!h || !h->size || h->nel == HASHTAB_MAX_NODES)
return -EINVAL; return -EINVAL;
hvalue = h->hash_value(h, key); hvalue = h->hash_value(h, key);
...@@ -82,7 +102,7 @@ void *hashtab_search(struct hashtab *h, const void *key) ...@@ -82,7 +102,7 @@ void *hashtab_search(struct hashtab *h, const void *key)
u32 hvalue; u32 hvalue;
struct hashtab_node *cur; struct hashtab_node *cur;
if (!h) if (!h || !h->size)
return NULL; return NULL;
hvalue = h->hash_value(h, key); hvalue = h->hash_value(h, key);
......
...@@ -42,7 +42,7 @@ struct hashtab_info { ...@@ -42,7 +42,7 @@ struct hashtab_info {
*/ */
struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key), struct hashtab *hashtab_create(u32 (*hash_value)(struct hashtab *h, const void *key),
int (*keycmp)(struct hashtab *h, const void *key1, const void *key2), int (*keycmp)(struct hashtab *h, const void *key1, const void *key2),
u32 size); u32 nel_hint);
/* /*
* Inserts the specified (key, datum) pair into the specified hash table. * Inserts the specified (key, datum) pair into the specified hash table.
......
...@@ -56,17 +56,6 @@ static const char *symtab_name[SYM_NUM] = { ...@@ -56,17 +56,6 @@ static const char *symtab_name[SYM_NUM] = {
}; };
#endif #endif
static unsigned int symtab_sizes[SYM_NUM] = {
2,
32,
16,
512,
128,
16,
16,
16,
};
struct policydb_compat_info { struct policydb_compat_info {
int version; int version;
int sym_num; int sym_num;
...@@ -478,20 +467,10 @@ static int policydb_init(struct policydb *p) ...@@ -478,20 +467,10 @@ static int policydb_init(struct policydb *p)
memset(p, 0, sizeof(*p)); memset(p, 0, sizeof(*p));
for (i = 0; i < SYM_NUM; i++) {
rc = symtab_init(&p->symtab[i], symtab_sizes[i]);
if (rc)
goto out;
}
rc = avtab_init(&p->te_avtab); rc = avtab_init(&p->te_avtab);
if (rc) if (rc)
goto out; goto out;
rc = roles_init(p);
if (rc)
goto out;
rc = cond_policydb_init(p); rc = cond_policydb_init(p);
if (rc) if (rc)
goto out; goto out;
...@@ -503,20 +482,12 @@ static int policydb_init(struct policydb *p) ...@@ -503,20 +482,12 @@ static int policydb_init(struct policydb *p)
goto out; goto out;
} }
p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256);
if (!p->range_tr) {
rc = -ENOMEM;
goto out;
}
ebitmap_init(&p->filename_trans_ttypes); ebitmap_init(&p->filename_trans_ttypes);
ebitmap_init(&p->policycaps); ebitmap_init(&p->policycaps);
ebitmap_init(&p->permissive_map); ebitmap_init(&p->permissive_map);
return 0; return 0;
out: out:
hashtab_destroy(p->filename_trans);
hashtab_destroy(p->range_tr);
for (i = 0; i < SYM_NUM; i++) { for (i = 0; i < SYM_NUM; i++) {
hashtab_map(p->symtab[i].table, destroy_f[i], NULL); hashtab_map(p->symtab[i].table, destroy_f[i], NULL);
hashtab_destroy(p->symtab[i].table); hashtab_destroy(p->symtab[i].table);
...@@ -1142,12 +1113,12 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1142,12 +1113,12 @@ static int common_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
comdatum->value = le32_to_cpu(buf[1]); comdatum->value = le32_to_cpu(buf[1]);
nel = le32_to_cpu(buf[3]);
rc = symtab_init(&comdatum->permissions, PERM_SYMTAB_SIZE); rc = symtab_init(&comdatum->permissions, nel);
if (rc) if (rc)
goto bad; goto bad;
comdatum->permissions.nprim = le32_to_cpu(buf[2]); comdatum->permissions.nprim = le32_to_cpu(buf[2]);
nel = le32_to_cpu(buf[3]);
rc = str_read(&key, GFP_KERNEL, fp, len); rc = str_read(&key, GFP_KERNEL, fp, len);
if (rc) if (rc)
...@@ -1308,12 +1279,12 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp) ...@@ -1308,12 +1279,12 @@ static int class_read(struct policydb *p, struct hashtab *h, void *fp)
len = le32_to_cpu(buf[0]); len = le32_to_cpu(buf[0]);
len2 = le32_to_cpu(buf[1]); len2 = le32_to_cpu(buf[1]);
cladatum->value = le32_to_cpu(buf[2]); cladatum->value = le32_to_cpu(buf[2]);
nel = le32_to_cpu(buf[4]);
rc = symtab_init(&cladatum->permissions, PERM_SYMTAB_SIZE); rc = symtab_init(&cladatum->permissions, nel);
if (rc) if (rc)
goto bad; goto bad;
cladatum->permissions.nprim = le32_to_cpu(buf[3]); cladatum->permissions.nprim = le32_to_cpu(buf[3]);
nel = le32_to_cpu(buf[4]);
ncons = le32_to_cpu(buf[5]); ncons = le32_to_cpu(buf[5]);
...@@ -1826,6 +1797,11 @@ static int range_read(struct policydb *p, void *fp) ...@@ -1826,6 +1797,11 @@ static int range_read(struct policydb *p, void *fp)
return rc; return rc;
nel = le32_to_cpu(buf[0]); nel = le32_to_cpu(buf[0]);
p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, nel);
if (!p->range_tr)
return -ENOMEM;
for (i = 0; i < nel; i++) { for (i = 0; i < nel; i++) {
rc = -ENOMEM; rc = -ENOMEM;
rt = kzalloc(sizeof(*rt), GFP_KERNEL); rt = kzalloc(sizeof(*rt), GFP_KERNEL);
...@@ -2418,6 +2394,17 @@ int policydb_read(struct policydb *p, void *fp) ...@@ -2418,6 +2394,17 @@ int policydb_read(struct policydb *p, void *fp)
goto bad; goto bad;
nprim = le32_to_cpu(buf[0]); nprim = le32_to_cpu(buf[0]);
nel = le32_to_cpu(buf[1]); nel = le32_to_cpu(buf[1]);
rc = symtab_init(&p->symtab[i], nel);
if (rc)
goto out;
if (i == SYM_ROLES) {
rc = roles_init(p);
if (rc)
goto out;
}
for (j = 0; j < nel; j++) { for (j = 0; j < nel; j++) {
rc = read_f[i](p, p->symtab[i].table, fp); rc = read_f[i](p, p->symtab[i].table, fp);
if (rc) if (rc)
......
...@@ -321,8 +321,6 @@ extern int policydb_role_isvalid(struct policydb *p, unsigned int role); ...@@ -321,8 +321,6 @@ extern int policydb_role_isvalid(struct policydb *p, unsigned int role);
extern int policydb_read(struct policydb *p, void *fp); extern int policydb_read(struct policydb *p, void *fp);
extern int policydb_write(struct policydb *p, void *fp); extern int policydb_write(struct policydb *p, void *fp);
#define PERM_SYMTAB_SIZE 32
#define POLICYDB_CONFIG_MLS 1 #define POLICYDB_CONFIG_MLS 1
/* the config flags related to unknown classes/perms are bits 2 and 3 */ /* the config flags related to unknown classes/perms are bits 2 and 3 */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment