From: Paul Moore <paul@paul-moore.com>
To: Hongru Zhang <zhanghongru06@gmail.com>,
stephen.smalley.work@gmail.com, omosnace@redhat.com
Cc: linux-kernel@vger.kernel.org, selinux@vger.kernel.org,
zhanghongru@xiaomi.com
Subject: Re: [PATCH v3 1/2] selinux: Make avc cache slot size configurable during boot
Date: Thu, 16 Oct 2025 17:18:57 -0400 [thread overview]
Message-ID: <b30e8d56703dfd84778fa73845eaa1ec@paul-moore.com> (raw)
In-Reply-To: <d849e8a98bf88bd12fd13a8f6b6e84290dcaaf6e.1758859391.git.zhanghongru@xiaomi.com>
On Sep 26, 2025 Hongru Zhang <zhanghongru06@gmail.com> wrote:
>
> On mobile device high-load situations, permission check can happen
> more than 90,000/s (8 core system). With default 512 cache nodes
> configuration, avc cache miss happens more often and occasionally
> leads to long time (>2ms) irqs off on both big and little cores,
> which decreases system real-time capability.
>
> An actual call stack is as follows:
> => avc_compute_av
> => avc_perm_nonode
> => avc_has_perm_noaudit
> => selinux_capable
> => security_capable
> => capable
> => __sched_setscheduler
> => do_sched_setscheduler
> => __arm64_sys_sched_setscheduler
> => invoke_syscall
> => el0_svc_common
> => do_el0_svc
> => el0_svc
> => el0t_64_sync_handler
> => el0t_64_sync
>
> Although we can expand avc nodes through /sys/fs/selinux/cache_threshold
> to mitigate long time irqs off, hash conflicts make the bucket average
> length longer because of the fixed size of cache slots, leading to
> avc_search_node latency increase.
>
> Make avc cache slot size also configurable, and with fine tuning, we can
> mitigate long time irqs off with slightly avc_search_node performance
> regression.
>
> Theoretically, the main overhead is memory consumption.
>
> avc_search_node avg latency test results (about 100,000,000 times) on
> Qcom SM8750, 6.6.30-android15-8:
>
> Case 1:
> +---------+---------------------+------------------------+
> | | no-patch (512/512) | with-patch (512/512) |
> +---------+---------------------+------------------------+
> | latency | 85 ns | 87 ns |
> +---------+---------------------+------------------------+
>
> Case 2:
> +---------+---------------------+------------------------+
> | | no-patch (8192/512) | with-patch (8192/8192) |
> +---------+---------------------+------------------------+
> | latency | 277 ns | 106 ns |
> +---------+---------------------+------------------------+
>
> Case 1 shows 512 nodes configuration has ~2% performance regression
> with patch.
> Case 2 shows 8192 nodes configuration has ~61% latency benifit with
> patch.
>
> Signed-off-by: Hongru Zhang <zhanghongru@xiaomi.com>
> Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> .../admin-guide/kernel-parameters.txt | 4 ++
> security/selinux/avc.c | 68 +++++++++++++------
> 2 files changed, 50 insertions(+), 22 deletions(-)
I would expect the number of active AVC nodes, and AVC churn in general,
to be very policy dependent; some policies and use cases simply result in
more AVC nodes than others. With that in mind, I'm wondering if instead
of using a kernel command line parameter to specify the number of AVC
buckets, we should instead include an AVC size "hint" in the policy that
we can use to size the AVC when loading a new policy.
Thoughts?
I think it would be important to consider it strictly as a "hint" as
that would make life easier, e.g. if the previous policy hinted at a
larger AVC we may not want to bother with reducing the number of buckets.
I would suggest starting with an implementation that uses the hint as a
power of two for the number of AVC slots/buckets, with a value of '0'
indicating a default value (512 slots, e.g. '2^9').
--
paul-moore.com
next prev parent reply other threads:[~2025-10-16 21:19 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-26 6:23 [PATCH v3 0/2] selinux: speed up avc_search_node() with large number of avc nodes Hongru Zhang
2025-09-26 6:23 ` [PATCH v3 1/2] selinux: Make avc cache slot size configurable during boot Hongru Zhang
2025-09-26 12:19 ` Stephen Smalley
2025-10-16 21:18 ` Paul Moore [this message]
2025-10-17 8:10 ` Hongru Zhang
2025-10-20 19:12 ` Paul Moore
2025-10-21 12:38 ` Hongru Zhang
2025-10-21 15:44 ` Paul Moore
2025-10-22 2:49 ` Hongru Zhang
2025-10-17 11:59 ` Stephen Smalley
2025-10-20 19:22 ` Paul Moore
2025-09-26 6:23 ` [PATCH v3 2/2] selinux: improve bucket distribution uniformity of avc_hash() Hongru Zhang
2025-09-26 12:26 ` Stephen Smalley
2025-10-16 21:18 ` Paul Moore
2025-10-17 9:53 ` Hongru Zhang
2025-10-20 19:44 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b30e8d56703dfd84778fa73845eaa1ec@paul-moore.com \
--to=paul@paul-moore.com \
--cc=linux-kernel@vger.kernel.org \
--cc=omosnace@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
--cc=zhanghongru06@gmail.com \
--cc=zhanghongru@xiaomi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.