From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Jaejyn Shin <flagon22bass@gmail.com>, selinux <selinux@tycho.nsa.gov>
Subject: Re: Fwd: Booting time is increased after applying kernel 3.10
Date: Fri, 27 Jun 2014 09:11:08 -0400 [thread overview]
Message-ID: <28082020.dkL42PyBCo@sifl> (raw)
In-Reply-To: <53AD6918.8090902@tycho.nsa.gov>
On Friday, June 27, 2014 08:52:40 AM Stephen Smalley wrote:
> On 06/27/2014 08:15 AM, Stephen Smalley wrote:
> >
> > Did you confirm that we need the synchronize_net() call at all?
I looked into a little more yesterday and it probably isn't needed for the
netport cache as that is only ever really used at the socket level so there is
no need to wait on any packet processing. We might be able to get away with
removing for the netif and netnode caches as well since we only check those
caches once for each packet so I don't believe there is a real worry about
consistency. However, I'm inclined to leave it in for now and just
consolidate the callbacks so we only call synchronize_net() once; it's still a
performance win and we preserve any safety benefits that may be there.
Also, in the interest of full disclosure, I've never been one of those folks
who are militant about reducing boot times, a few milliseconds here are there
aren't a big deal to me. At some point I may change my opinion on boot times,
but right now that's my thinking.
> Let me phrase this differently:
>
> 1) Does the synchronize_net() call guarantee that after the policy load
> completes (or more specifically, after the avc_ss_reset completes), all
> subsequent network permission checks will be based on the
> netif/node/port contexts defined by the new policy and not based on the
> old ones?
Essentially the synchronize_net() call is just a synchronize_rcu() call with a
little extra work if the routing table lock is taken, so no magic
synchronization here. Basically as soon as the network object cache is
flushed new lookups to the cache will start querying the policy again, the
synchronize_net() call really just ensures that existing RCU critical sections
will finish up before the callback complete.
> -and-
>
> 2) Does anyone currently rely on this behavior, i.e. they make a change
> to the netif/node/port contexts in policy, load the new policy, and need
> to know that the new context assignments are being applied on every
> network operation before they can proceed safely?
I don't believe so, at least I would advise against it as there are little
guarantees when it comes to network I/O.
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2014-06-27 13:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAEFn6A4mzF208e1s_OHEzJ-1Kq-DUGgzVNbQXrW6NbB0e8DSpQ@mail.gmail.com>
2014-06-25 19:14 ` Fwd: Booting time is increased after applying kernel 3.10 Stephen Smalley
2014-06-25 19:29 ` Paul Moore
2014-06-25 19:49 ` Stephen Smalley
2014-06-25 23:19 ` Jaejyn Shin
2014-06-26 13:57 ` Stephen Smalley
2014-06-26 14:17 ` Paul Moore
2014-06-27 12:15 ` Stephen Smalley
2014-06-27 12:52 ` Stephen Smalley
2014-06-27 13:11 ` Paul Moore [this message]
2015-04-01 18:58 Ravi Kumar
2015-04-01 19:20 ` Stephen Smalley
2015-04-01 19:24 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=28082020.dkL42PyBCo@sifl \
--to=paul@paul-moore.com \
--cc=flagon22bass@gmail.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.