From: Neeraj Upadhyay <Neeraj.Upadhyay@amd.com>
To: Mateusz Guzik <mjguzik@gmail.com>, john.johansen@canonical.com
Cc: paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2] apparmor: try to avoid refing the label in apparmor_file_open
Date: Thu, 20 Jun 2024 23:53:12 +0530 [thread overview]
Message-ID: <155a24f7-8059-49b0-93fa-94bcdc058621@amd.com> (raw)
In-Reply-To: <20240620171528.167997-1-mjguzik@gmail.com>
On 6/20/2024 10:45 PM, Mateusz Guzik wrote:
> apparmor: try to avoid refing the label in apparmor_file_open
>
> If the label is not stale (which is the common case), the fact that the
> passed file object holds a reference can be leverged to avoid the
Minor: Typo 'leveraged'
> ref/unref cycle. Doing so reduces performance impact of apparmor on
> parallel open() invocations.
>
> When benchmarking on a 24-core vm using will-it-scale's open1_process
> ("Separate file open"), the results are (ops/s):
> before: 6092196
> after: 8309726 (+36%)
>
> Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
> ---
Trying to understand the changes done here. So, while the file cred can be updated
async to the task (referring to the comment from John here [1]), the file cred label
cannot change during apparmor_file_open() execution?
Reviewed-by: Neeraj upadhyay <Neeraj.Upadhyay@amd.com>
Thanks
Neeraj
[1] https://lore.kernel.org/lkml/9bfaeec2-535d-4401-8244-7560f660a065@canonical.com/
>
> v2:
> - reword the commit message
>
> If you want any changes made to it can you just do them on your own
> accord? :) Will be faster for both of us than another mail trip.
>
> security/apparmor/include/cred.h | 20 ++++++++++++++++++++
> security/apparmor/lsm.c | 5 +++--
> 2 files changed, 23 insertions(+), 2 deletions(-)
>
> diff --git a/security/apparmor/include/cred.h b/security/apparmor/include/cred.h
> index 58fdc72af664..7265d2f81dd5 100644
> --- a/security/apparmor/include/cred.h
> +++ b/security/apparmor/include/cred.h
> @@ -63,6 +63,26 @@ static inline struct aa_label *aa_get_newest_cred_label(const struct cred *cred)
> return aa_get_newest_label(aa_cred_raw_label(cred));
> }
>
> +static inline struct aa_label *aa_get_newest_cred_label_condref(const struct cred *cred,
> + bool *needput)
> +{
> + struct aa_label *l = aa_cred_raw_label(cred);
> +
> + if (unlikely(label_is_stale(l))) {
> + *needput = true;
> + return aa_get_newest_label(l);
> + }
> +
> + *needput = false;
> + return l;
> +}
> +
> +static inline void aa_put_label_condref(struct aa_label *l, bool needput)
> +{
> + if (unlikely(needput))
> + aa_put_label(l);
> +}
> +
> /**
> * aa_current_raw_label - find the current tasks confining label
> *
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index 2cea34657a47..4bf87eac4a56 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -461,6 +461,7 @@ static int apparmor_file_open(struct file *file)
> struct aa_file_ctx *fctx = file_ctx(file);
> struct aa_label *label;
> int error = 0;
> + bool needput;
>
> if (!path_mediated_fs(file->f_path.dentry))
> return 0;
> @@ -477,7 +478,7 @@ static int apparmor_file_open(struct file *file)
> return 0;
> }
>
> - label = aa_get_newest_cred_label(file->f_cred);
> + label = aa_get_newest_cred_label_condref(file->f_cred, &needput);
> if (!unconfined(label)) {
> struct mnt_idmap *idmap = file_mnt_idmap(file);
> struct inode *inode = file_inode(file);
> @@ -494,7 +495,7 @@ static int apparmor_file_open(struct file *file)
> /* todo cache full allowed permissions set and state */
> fctx->allow = aa_map_file_to_perms(file);
> }
> - aa_put_label(label);
> + aa_put_label_condref(label, needput);
>
> return error;
> }
next prev parent reply other threads:[~2024-06-20 18:23 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-20 17:15 [PATCH v2] apparmor: try to avoid refing the label in apparmor_file_open Mateusz Guzik
2024-06-20 18:23 ` Neeraj Upadhyay [this message]
2024-06-20 18:30 ` Mateusz Guzik
2024-06-20 19:03 ` John Johansen
2024-06-21 4:12 ` Neeraj Upadhyay
2024-07-05 6:30 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=155a24f7-8059-49b0-93fa-94bcdc058621@amd.com \
--to=neeraj.upadhyay@amd.com \
--cc=apparmor@lists.ubuntu.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjguzik@gmail.com \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).