Thread: [v9.2] sepgsql - userspace access vector cache (Re: [v9.1] sepgsql - userspace access vector cache)
From: Kohei KaiGai
Oops, subject was incorrect. It should be [v9.2], not [v9.1].

2011/6/9 Kohei KaiGai <kaigai@kaigai.gr.jp>:
> The attached patch adds to contrib/sepgsql a cache mechanism for access
> control decisions of SELinux. It shall reduce the total number of
> system call invocations to improve the performance of its access
> controls.
>
> In the current implementation, sepgsql always raises a query to
> SELinux in-kernel. However, the same answer shall be returned for some
> pair of security labels and object class, unless the security policy
> got reloaded.
> It is a situation where a caching mechanism works well. Of course, we don't
> assume the security policy is reloaded so frequently.
>
> I tried to measure the performance to run sepgsql_restorecon(NULL),
> which is used to assign initial labels of schemas, relations, columns
> and procedures. It also invokes a massive number of "relabelfrom" and
> "relabelto" permission checks.
>
> $ time -p psql -c 'SELECT sepgsql_restorecon(NULL);' postgres
>
> without patch
> real 2.73
> real 2.70
> real 2.72
> real 2.67
> real 2.68
>
> with patch
> real 0.67
> real 0.61
> real 0.63
> real 0.63
> real 0.63
>
> The improvement is obvious.
>
> From the viewpoint of implementation, this patch replaces
> sepgsql_check_perms() by sepgsql_avc_check_perms(), from the non-cached
> interface to the cached interface.
> Every cached item is hashed using a pair of security labels and
> object class, so, even if different objects have the same security label,
> system call invocation shall happen only once for an identical
> combination.
>
> The only modification by this patch to the core routine is a new
> syscache for the pg_seclabel system catalog. The SECLABELOID enables
> referencing the security label of the object using the syscache interface.
>
> Thanks,
> --
> KaiGai Kohei <kaigai@kaigai.gr.jp>
>
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
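The following is an added illustration, not code from KaiGai's patch or from contrib/sepgsql, of the cache shape the message describes: decisions keyed by (subject label, target label, object class), a kernel query only on a miss, and a flush whenever the policy is reloaded. The object classes, permission bits, labels and the toy `kernel_compute_av()` policy are all constructed stand-ins; the real decision comes from the loaded SELinux policy via the kernel. The `simulate_relabel_sweep()` helper mimics the restorecon-style pass in the message, where many objects share one label pair, to show the syscall count collapsing to one.

```c
/* Added example of a minimal userspace access vector cache (AVC).
 * Hypothetical names throughout; not contrib/sepgsql's implementation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AVC_BUCKETS 128
#define LABEL_MAX   96

/* Constructed object classes and permission bits, not SELinux's real values. */
enum { TCLASS_DB_SCHEMA = 1, TCLASS_DB_TABLE = 2, TCLASS_DB_PROCEDURE = 3 };
enum { PERM_SELECT = 1u << 0, PERM_UPDATE = 1u << 1,
       PERM_RELABELFROM = 1u << 2, PERM_RELABELTO = 1u << 3 };

typedef struct avc_entry {
    char     scontext[LABEL_MAX];   /* subject (client) security label */
    char     tcontext[LABEL_MAX];   /* target (object) security label  */
    uint16_t tclass;                /* object class                    */
    uint32_t allowed;               /* full access vector from the kernel */
    struct avc_entry *next;
} avc_entry;

static avc_entry    *avc_table[AVC_BUCKETS];
static unsigned long kernel_queries;   /* how often the "kernel" was asked */

/* Constructed stand-in for the in-kernel decision (security_compute_av in
 * real SELinux). Toy rule: identical labels get everything; otherwise tables
 * may be read and relabeled, and nothing else is allowed. */
static uint32_t kernel_compute_av(const char *scontext, const char *tcontext, uint16_t tclass)
{
    kernel_queries++;
    if (strcmp(scontext, tcontext) == 0)
        return PERM_SELECT | PERM_UPDATE | PERM_RELABELFROM | PERM_RELABELTO;
    return tclass == TCLASS_DB_TABLE ? (PERM_SELECT | PERM_RELABELFROM | PERM_RELABELTO) : 0;
}

/* djb2 over (scontext, tcontext, tclass): the cache key is the label pair
 * plus the class, never the object identity. */
static uint32_t avc_hash(const char *scontext, const char *tcontext, uint16_t tclass)
{
    uint32_t h = 5381;
    for (const char *p = scontext; *p; p++) h = h * 33 + (unsigned char)*p;
    h = h * 33 + ':';
    for (const char *p = tcontext; *p; p++) h = h * 33 + (unsigned char)*p;
    return (h * 33 + tclass) % AVC_BUCKETS;
}

/* Drop every cached decision; must be called whenever the policy is reloaded,
 * since a stale "allowed" vector is the one way this cache can be wrong. */
void avc_flush(void)
{
    for (int i = 0; i < AVC_BUCKETS; i++) {
        avc_entry *e = avc_table[i];
        while (e) { avc_entry *n = e->next; free(e); e = n; }
        avc_table[i] = NULL;
    }
}

static avc_entry *avc_lookup(const char *scontext, const char *tcontext, uint16_t tclass)
{
    uint32_t b = avc_hash(scontext, tcontext, tclass);
    for (avc_entry *e = avc_table[b]; e; e = e->next)
        if (e->tclass == tclass && strcmp(e->scontext, scontext) == 0 &&
            strcmp(e->tcontext, tcontext) == 0)
            return e;                                   /* hit: no syscall */
    if (strlen(scontext) >= LABEL_MAX || strlen(tcontext) >= LABEL_MAX)
        return NULL;                                    /* cannot cache safely */
    avc_entry *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    strcpy(e->scontext, scontext);
    strcpy(e->tcontext, tcontext);
    e->tclass  = tclass;
    e->allowed = kernel_compute_av(scontext, tcontext, tclass);   /* miss: one query */
    e->next = avc_table[b];
    avc_table[b] = e;
    return e;
}

/* Cached analogue of a check_perms() call: 1 if every bit of `required` is
 * allowed, 0 otherwise. Anything we cannot cache is denied (fail closed). */
int avc_check_perms(const char *scontext, const char *tcontext, uint16_t tclass, uint32_t required)
{
    avc_entry *e = avc_lookup(scontext, tcontext, tclass);
    if (!e) return 0;
    return (e->allowed & required) == required;
}

unsigned long avc_kernel_queries(void) { return kernel_queries; }

/* Restorecon-style sweep over n objects that share one label pair: returns
 * how many kernel queries the sweep cost (1 with the cache, n without). */
unsigned long simulate_relabel_sweep(int n)
{
    unsigned long before = kernel_queries;
    const char *client = "unconfined_u:unconfined_r:unconfined_t:s0";  /* constructed */
    const char *object = "system_u:object_r:sepgsql_table_t:s0";       /* constructed */
    for (int i = 0; i < n; i++)
        avc_check_perms(client, object, TCLASS_DB_TABLE, PERM_RELABELFROM | PERM_RELABELTO);
    return kernel_queries - before;
}

int main(void)
{
    printf("kernel queries for 1000 relabel checks: %lu\n", simulate_relabel_sweep(1000));
    avc_flush();   /* simulated policy reload */
    printf("after policy reload, next sweep:        %lu\n", simulate_relabel_sweep(1000));
    return 0;
}
```

The flush is the part to get right in a real deployment: the cache is only sound while the policy it was filled from is the loaded one, so the reload notification (or a generation counter compared on every lookup) is what keeps a cached "allowed" from outliving a policy change.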