[PATCH 0/3] Smack: Use the netlbl incoming cache
Casey Schaufler
casey at schaufler-ca.com
Fri Aug 14 00:32:12 UTC 2020
On 8/13/2020 9:36 AM, Casey Schaufler wrote:
> On 8/11/2020 7:10 PM, Paul Moore wrote:
>> On Tue, Aug 11, 2020 at 8:39 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>>> Update the Smack security module to use the Netlabel cache
>>> mechanism to speed the processing of incoming labeled packets.
>>> There is some refactoring of the existing code that makes it
>>> simpler, and reduces duplication. The outbound packet labeling
>>> is also optimized to track the labeling state of the socket.
>>> Prior to this the socket label was redundantly set on each
>>> packet send.
>>>
>>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>>> ---
>>> security/smack/smack.h | 19 ++--
>>> security/smack/smack_access.c | 55 ++++++----
>>> security/smack/smack_lsm.c | 245 ++++++++++++++++++++++++------------------
>>> security/smack/smackfs.c | 23 ++--
>>> 4 files changed, 193 insertions(+), 149 deletions(-)
>> FWIW, I gave this a cursory look just now and the NetLabel usage
>> seemed reasonable. Out of curiosity, have you done any before/after
>> performance tests?
> It's early in the benchmark process, but TCP looks to be about 6% better.
> UDP numbers should be better. I'm not expecting the level of improvement
> SELinux saw because the label mapping from CIPSO isn't as sophisticated
> for Smack as it is for SELinux.
UDP looks like a 12% improvement, which I had expected.
On the whole, worth the effort.