[PATCH v2] apparmor: try to avoid refing the label in apparmor_file_open

Mateusz Guzik mjguzik at gmail.com
Thu Jun 20 18:30:02 UTC 2024 

On Thu, Jun 20, 2024 at 8:23 PM Neeraj Upadhyay <Neeraj.Upadhyay at amd.com> wrote:
>
>
>
> On 6/20/2024 10:45 PM, Mateusz Guzik wrote:
> > apparmor: try to avoid refing the label in apparmor_file_open
> >
> > If the label is not stale (which is the common case), the fact that the
> > passed file object holds a reference can be leverged to avoid the
>
> Minor: Typo 'leveraged'
>
> > ref/unref cycle. Doing so reduces performance impact of apparmor on
> > parallel open() invocations.
> >
> > When benchmarking on a 24-core vm using will-it-scale's open1_process
> > ("Separate file open"), the results are (ops/s):
> > before: 6092196
> > after:  8309726 (+36%)
> >
> > Signed-off-by: Mateusz Guzik <mjguzik at gmail.com>
> > ---
>
>
> Trying to understand the changes done here. So, while the file cred can be updated
> async to the task (referring to the comment from John here [1]), the file cred label
> cannot change during apparmor_file_open() execution?
>

Refing a label retains racy vs refing it.

On stock code you can test the flag, determine it's not stale, grab
the ref and have it become stale immediately after. My patch avoids
the atomic dance for the common case, does not alter anything
correctness-wise AFAICS.

I am assuming the race is tolerated and checking here is only done to
make sure the new label is seen eventually.

Not having the race is possible with a bunch of trickery like seqc,
but so far does not look like this is necessary.

>
> Reviewed-by: Neeraj upadhyay <Neeraj.Upadhyay at amd.com>
>
>
> Thanks
> Neeraj
>
> [1] https://lore.kernel.org/lkml/9bfaeec2-535d-4401-8244-7560f660a065@canonical.com/
>
>
> >
> > v2:
> > - reword the commit message
> >
> > If you want any changes made to it can you just do them on your own
> > accord? :) Will be faster for both of us than another mail trip.
> >
> >  security/apparmor/include/cred.h | 20 ++++++++++++++++++++
> >  security/apparmor/lsm.c          |  5 +++--
> >  2 files changed, 23 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/apparmor/include/cred.h b/security/apparmor/include/cred.h
> > index 58fdc72af664..7265d2f81dd5 100644
> > --- a/security/apparmor/include/cred.h
> > +++ b/security/apparmor/include/cred.h
> > @@ -63,6 +63,26 @@ static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
> >       return aa_get_newest_label(aa_cred_raw_label(cred));
> >  }
> >
> > +static inline struct aa_label *aa_get_newest_cred_label_condref(const struct cred *cred,
> > +                                                             bool *needput)
> > +{
> > +     struct aa_label *l = aa_cred_raw_label(cred);
> > +
> > +     if (unlikely(label_is_stale(l))) {
> > +             *needput = true;
> > +             return aa_get_newest_label(l);
> > +     }
> > +
> > +     *needput = false;
> > +     return l;
> > +}
> > +
> > +static inline void aa_put_label_condref(struct aa_label *l, bool needput)
> > +{
> > +     if (unlikely(needput))
> > +             aa_put_label(l);
> > +}
> > +
> >  /**
> >   * aa_current_raw_label - find the current tasks confining label
> >   *
> > diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> > index 2cea34657a47..4bf87eac4a56 100644
> > --- a/security/apparmor/lsm.c
> > +++ b/security/apparmor/lsm.c
> > @@ -461,6 +461,7 @@ static int apparmor_file_open(struct file *file)
> >       struct aa_file_ctx *fctx = file_ctx(file);
> >       struct aa_label *label;
> >       int error = 0;
> > +     bool needput;
> >
> >       if (!path_mediated_fs(file->f_path.dentry))
> >               return 0;
> > @@ -477,7 +478,7 @@ static int apparmor_file_open(struct file *file)
> >               return 0;
> >       }
> >
> > -     label = aa_get_newest_cred_label(file->f_cred);
> > +     label = aa_get_newest_cred_label_condref(file->f_cred, &needput);
> >       if (!unconfined(label)) {
> >               struct mnt_idmap *idmap = file_mnt_idmap(file);
> >               struct inode *inode = file_inode(file);
> > @@ -494,7 +495,7 @@ static int apparmor_file_open(struct file *file)
> >               /* todo cache full allowed permissions set and state */
> >               fctx->allow = aa_map_file_to_perms(file);
> >       }
> > -     aa_put_label(label);
> > +     aa_put_label_condref(label, needput);
> >
> >       return error;
> >  }



-- 
Mateusz Guzik <mjguzik gmail.com>

More information about the Linux-security-module-archive mailing list