From: Paul Moore <paul@paul-moore.com>
To: Stephen Smalley <stephen.smalley.work@gmail.com>,
selinux@vger.kernel.org
Cc: omosnace@redhat.com, Stephen Smalley <stephen.smalley.work@gmail.com>
Subject: Re: [PATCH v2 2/2] selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive
Date: Thu, 19 Jun 2025 17:23:03 -0400
Message-ID: <b670321e362092044b87d8899dc9e9de@paul-moore.com>
In-Reply-To: <20250521144123.199370-4-stephen.smalley.work@gmail.com>
On May 21, 2025 Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> Extend the task avdcache to also cache whether the task SID is both
> permissive and neveraudit, and return immediately if so in both
> selinux_inode_getattr() and selinux_inode_permission().
>
> The same approach could be applied to many of the hook functions
> although the avdcache would need to be updated for more than directory
> search checks in order for this optimization to be beneficial for checks
> on objects other than directories.
>
> To test, apply https://github.com/SELinuxProject/selinux/pull/473 to
> your selinux userspace, build and install libsepol, and use the following
> CIL policy module:
> $ cat neverauditpermissive.cil
> (typeneveraudit unconfined_t)
> (typepermissive unconfined_t)
>
> Without this module inserted, running the following commands:
> perf record make -jN # on an already built allmodconfig tree
> perf report --sort=symbol,dso
> yields the following percentages (only showing __d_lookup_rcu for
> reference and only showing relevant SELinux functions):
> 1.65% [k] __d_lookup_rcu
> 0.53% [k] selinux_inode_permission
> 0.40% [k] selinux_inode_getattr
> 0.15% [k] avc_lookup
> 0.05% [k] avc_has_perm
> 0.05% [k] avc_has_perm_noaudit
> 0.02% [k] avc_policy_seqno
> 0.02% [k] selinux_file_permission
> 0.01% [k] selinux_inode_alloc_security
> 0.01% [k] selinux_file_alloc_security
> for a total of 1.24% for SELinux compared to 1.65% for
> __d_lookup_rcu().
>
> After running the following command to insert this module:
> semodule -i neverauditpermissive.cil
> and then re-running the same perf commands from above yields
> the following non-zero percentages:
> 1.74% [k] __d_lookup_rcu
> 0.31% [k] selinux_inode_permission
> 0.03% [k] selinux_inode_getattr
> 0.03% [k] avc_policy_seqno
> 0.01% [k] avc_lookup
> 0.01% [k] selinux_file_permission
> 0.01% [k] selinux_file_open
> for a total of 0.40% for SELinux compared to 1.74% for
> __d_lookup_rcu().
>
> Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
> ---
> v2 introduces a task_avdcache_permnoaudit() static inline function.
>
> security/selinux/hooks.c | 14 +++++++++++++-
> security/selinux/include/objsec.h | 8 ++++++++
> 2 files changed, 21 insertions(+), 1 deletion(-)
Merged into selinux/dev, thanks.
--
paul-moore.com
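To make the caching idea in the quoted commit message concrete, here is an added toy model in C. It is not the kernel's code and not part of this thread: the structure names, the allow-rule list, the counters and the scenario are constructed for illustration, and only the function name task_avdcache_permnoaudit() is taken from the patch description (its body here is assumed). The model keeps a per-task flag, valid for one (task SID, policy seqno) pair, that records whether the SID is both permissive and neveraudit; the permission hook returns early on that flag, and the flag is recomputed when the policy seqno changes (a reload) or the task SID changes.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model: none of these types are the kernel's. */
typedef uint32_t secid_t;

struct allow_rule { secid_t ssid, tsid; };

struct policy {
    uint32_t seqno;                          /* bumped on every policy load */
    secid_t permissive[4];   size_t npermissive;
    secid_t neveraudit[4];   size_t nneveraudit;
    struct allow_rule allow[4]; size_t nallow;
};

/* Per-task cache, valid only for the (sid, seqno) pair it was computed under. */
struct task_avdcache {
    uint32_t seqno;
    secid_t sid;
    bool permnoaudit;      /* sid is both permissive and neveraudit */
};

static unsigned long avc_lookups, audit_records;

static bool sid_in(const secid_t *list, size_t n, secid_t sid)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == sid)
            return true;
    return false;
}

/* Assumed logic: refresh the flag when the task SID or policy seqno changed. */
static bool task_avdcache_permnoaudit(struct task_avdcache *c,
                                      const struct policy *p, secid_t sid)
{
    if (c->seqno != p->seqno || c->sid != sid) {
        c->seqno = p->seqno;
        c->sid = sid;
        c->permnoaudit = sid_in(p->permissive, p->npermissive, sid) &&
                         sid_in(p->neveraudit, p->nneveraudit, sid);
    }
    return c->permnoaudit;
}

/* Stand-in for the AVC: every call counts as one full lookup. */
static bool avc_allows(const struct policy *p, secid_t ssid, secid_t tsid)
{
    avc_lookups++;
    for (size_t i = 0; i < p->nallow; i++)
        if (p->allow[i].ssid == ssid && p->allow[i].tsid == tsid)
            return true;
    return false;
}

/* Toy inode permission hook with the permissive+neveraudit short-circuit. */
static int inode_permission_toy(struct task_avdcache *c, const struct policy *p,
                                secid_t task_sid, secid_t inode_sid)
{
    if (task_avdcache_permnoaudit(c, p, task_sid))
        return 0;   /* cannot deny and must not audit: nothing left to compute */

    if (avc_allows(p, task_sid, inode_sid))
        return 0;

    /* Denial: audit unless neveraudit, enforce unless permissive. */
    if (!sid_in(p->neveraudit, p->nneveraudit, task_sid))
        audit_records++;
    return sid_in(p->permissive, p->npermissive, task_sid) ? 0 : -EACCES;
}

struct demo_counts { unsigned long lookups, audits; int rc; };

/* Constructed scenario: 1000 checks by a permissive+neveraudit task (SID 100),
 * then a policy reload that drops neveraudit, 10 more checks, and one check by
 * an enforcing task (SID 200) with no allow rule. Returns the final counters. */
struct demo_counts run_demo(void)
{
    struct policy p = { .seqno = 1,
                        .permissive = { 100 }, .npermissive = 1,
                        .neveraudit = { 100 }, .nneveraudit = 1 };
    struct task_avdcache cache = { 0 };
    struct demo_counts out;

    avc_lookups = audit_records = 0;
    for (int i = 0; i < 1000; i++)
        inode_permission_toy(&cache, &p, 100, 500);   /* all short-circuited */

    p.seqno = 2;              /* reload: SID 100 is now only permissive */
    p.nneveraudit = 0;
    for (int i = 0; i < 10; i++)
        inode_permission_toy(&cache, &p, 100, 500);   /* lookup + audit each */

    out.rc = inode_permission_toy(&cache, &p, 200, 500);
    out.lookups = avc_lookups;
    out.audits = audit_records;
    return out;
}

int main(void)
{
    struct demo_counts r = run_demo();
    printf("lookups=%lu audits=%lu enforcing_rc=%d\n", r.lookups, r.audits, r.rc);
    return 0;
}
```

The 1000 calls before the reload cost no AVC lookups and no audit records, which is the effect the perf numbers above attribute to the patch; the reload is what forces the cached flag to be recomputed, so the cache can never hand out a stale "permissive and neveraudit" answer after the policy changes.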
2025-05-21 14:41 [PATCH v2 1/2] selinux: introduce neveraudit types Stephen Smalley
2025-05-21 14:41 ` [PATCH v2 2/2] selinux: optimize selinux_inode_getattr/permission() based on neveraudit|permissive Stephen Smalley
2025-06-10 13:06 ` Stephen Smalley
2025-06-19 21:23 ` Paul Moore [this message]
2025-06-19 21:23 ` [PATCH v2 1/2] selinux: introduce neveraudit types Paul Moore