[PATCH 0/3] Smack: Use the netlbl incoming cache

Paul Moore paul at paul-moore.com
Fri Aug 14 02:03:58 UTC 2020


On August 13, 2020 8:32:16 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
> On 8/13/2020 9:36 AM, Casey Schaufler wrote:
>> On 8/11/2020 7:10 PM, Paul Moore wrote:
>>> On Tue, Aug 11, 2020 at 8:39 PM Casey Schaufler <casey at schaufler-ca.com> wrote:
>>>> Update the Smack security module to use the Netlabel cache
>>>> mechanism to speed the processing of incoming labeled packets.
>>>> There is some refactoring of the existing code that makes it
>>>> simpler, and reduces duplication. The outbound packet labeling
>>>> is also optimized to track the labeling state of the socket.
>>>> Prior to this the socket label was redundantly set on each
>>>> packet send.
>>>>
>>>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>>>> ---
>>>> security/smack/smack.h        |  19 ++--
>>>> security/smack/smack_access.c |  55 ++++++----
>>>> security/smack/smack_lsm.c    | 245 ++++++++++++++++++++++++------------------
>>>> security/smack/smackfs.c      |  23 ++--
>>>> 4 files changed, 193 insertions(+), 149 deletions(-)
>>> FWIW, I gave this a cursory look just now and the NetLabel usage
>>> seemed reasonable.  Out of curiosity, have you done any before/after
>>> performance tests?
>> It's early in the benchmark process, but TCP looks to be about 6% better.
>> UDP numbers should be better. I'm not expecting the level of improvement
>> SELinux saw because the label mapping from CIPSO isn't as sophisticated
>> for Smack as it is for SELinux.
>
> UDP looks like a 12% improvement, which I had expected.
> On the whole, worth the effort.

Great, thanks for the follow-up.

--
paul moore
www.paul-moore.com