[PATCH v2 0/5] selinux:Significant reduce of preempt_disable holds

peter.enderborg at sony.com peter.enderborg at sony.com
Fri Jan 26 14:32:36 UTC 2018

Holding the preempt_disable is very bad for low latency tasks
as audio and therefore we need to break out the rule-set dependent
part from this disable. By using a RCU instead of rwlock we
have an efficient locking and less preemption interference.

Selinux uses a lot of read_locks. This patch replaces the rwlock
with RCY that does not hold preempt_disable.

Intel Xeon W3520 2.67 Ghz running FC27 with 4.15.0-rc9git (+measurement)
I get preempt_disable in worst case for 1.2ms in security_compute_av().
With the patch I get 960us as the longest security_compute_av()
without preempt disabeld. It very much noise in the measurement
but it is not likely a degrade.

And the preempt_disable times is also very dependent on the selinux

In security_get_user_sids() we have two nested for-loops and the
inner part calls sittab_context_to_sid() that calls
sidtab_search_context() that has a for loop() over a while() where
the loops is dependent on the rules.

On the test system the average lookup time is 60us and does
not change with the RCU usage.

To use RCU the structure of policydb has to be accesses through a pointer.
We need 4 patches to get there.

  [PATCH v2 1/5] selinux:Remove direct references to policydb.
  We remove direct references and pass it through function arguments.

  [PATCH v2 2/5] selinux: Move policydb to pointer structure
  Move the policydb to dynamic allocated structure.

  [PATCH v2 3/5] selinux: Move sidtab to pointer structure
  Same as for policydb but for sidtab. They are closly related
  and should be switched at the same time.
  [PATCH v2 4/5] selinux: Use pointer to switch policydb and sidtab
  Now we can switch rules by switching pointers.

  [PATCH v2 5/5] selinux: Switch locking to RCU.
  We are now ready to use RCU.
History: V1 rwsem
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list