mirror of
https://github.com/torvalds/linux.git
synced 2026-03-08 03:04:51 +01:00
641e021758
On mobile device high-load situations, permission check can happen more than 90,000/s (8 core system). With default 512 cache nodes configuration, avc cache miss happens more often and occasionally leads to long time (>2ms) irqs off on both big and little cores, which decreases system real-time capability. An actual call stack is as follows: => avc_compute_av => avc_perm_nonode => avc_has_perm_noaudit => selinux_capable => security_capable => capable => __sched_setscheduler => do_sched_setscheduler => __arm64_sys_sched_setscheduler => invoke_syscall => el0_svc_common => do_el0_svc => el0_svc => el0t_64_sync_handler => el0t_64_sync Although we can expand avc nodes through /sys/fs/selinux/cache_threshold to mitigate long time irqs off, hash conflicts make the bucket average length longer because of the fixed size of cache slots, leading to avc_search_node() latency increase. So introduce a new config to make avc cache slot size also configurable, and with fine tuning, we can mitigate long time irqs off with slightly avc_search_node() performance regression. Theoretically, the main overhead is memory consumption. Signed-off-by: Hongru Zhang <zhanghongru@xiaomi.com> Signed-off-by: Paul Moore <paul@paul-moore.com> |
||
|---|---|---|
| .. | ||
| apparmor | ||
| bpf | ||
| integrity | ||
| ipe | ||
| keys | ||
| landlock | ||
| loadpin | ||
| lockdown | ||
| safesetid | ||
| selinux | ||
| smack | ||
| tomoyo | ||
| yama | ||
| commoncap.c | ||
| device_cgroup.c | ||
| inode.c | ||
| Kconfig | ||
| Kconfig.hardening | ||
| lsm_audit.c | ||
| lsm_syscalls.c | ||
| Makefile | ||
| min_addr.c | ||
| security.c | ||