[PATCH 0/3] Smack: Use the netlbl incoming cache
Casey Schaufler
casey at schaufler-ca.com
Thu Aug 13 16:36:13 UTC 2020
On 8/11/2020 7:10 PM, Paul Moore wrote:
> On Tue, Aug 11, 2020 at 8:39 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>> Update the Smack security module to use the Netlabel cache
>> mechanism to speed the processing of incoming labeled packets.
>> There is some refactoring of the existing code that makes it
>> simpler, and reduces duplication. The outbound packet labeling
>> is also optimized to track the labeling state of the socket.
>> Prior to this the socket label was redundantly set on each
>> packet send.
>>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>> ---
>> security/smack/smack.h | 19 ++--
>> security/smack/smack_access.c | 55 ++++++----
>> security/smack/smack_lsm.c | 245 ++++++++++++++++++++++++------------------
>> security/smack/smackfs.c | 23 ++--
>> 4 files changed, 193 insertions(+), 149 deletions(-)
> FWIW, I gave this a cursory look just now and the NetLabel usage
> seemed reasonable. Out of curiosity, have you done any before/after
> performance tests?
It's early in the benchmark process, but TCP looks to be about 6% better.
UDP numbers should be better. I'm not expecting the level of improvement
SELinux saw because the label mapping from CIPSO isn't as sophisticated
for Smack as it is for SELinux.
> It was quite significant when we adopted it in
> SELinux, but that was some time ago, it would be nice to know that it
> is still working well and hasn't been invalidated by some other,
> unrelated change.
>