From: Casey Schaufler <casey@schaufler-ca.com>
To: Paolo Abeni <pabeni@redhat.com>, linux-security-module@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
James Morris <james.l.morris@oracle.com>,
Paul Moore <paul@paul-moore.com>,
Andreas Gruenbacher <agruenba@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org
Subject: Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed
Date: Wed, 6 Apr 2016 14:37:30 -0700
Message-ID: <5705819A.3030809@schaufler-ca.com>
In-Reply-To: <cover.1459934322.git.pabeni@redhat.com>
On 4/6/2016 2:51 AM, Paolo Abeni wrote:
> Currently, selinux always registers iptables POSTROUTING hooks regardless of
> the running policy needs for any action to be performed by them.
>
> Even the socket_sock_rcv_skb() is always registered, but it can result in a no-op
> depending on the current policy configuration.
>
> The above invocations in the kernel datapath are the cause of measurable
> overhead in networking performance tests.
>
> This patch series adds explicit notification for netlabel status change
> (other relevant status changes, like xfrm and secmark, are already notified to
> LSM) and uses this information in selinux to register the above hooks only when
> the current status makes them relevant, deregistering them when no-op.
>
> Avoiding the LSM hooks overhead, in netperf UDP_STREAM test with small packets,
> gives about 5% performance improvement on rx and about 8% on tx.
>
> Paolo Abeni (2):
> security: add hook for netlabel status change notification
> selinux: implement support for dynamic net hook [de-]registration
>
> include/linux/lsm_hooks.h | 6 ++++
> include/linux/security.h | 5 +++
> net/netlabel/netlabel_cipso_v4.c | 8 +++--
> net/netlabel/netlabel_unlabeled.c | 5 ++-
> security/security.c | 7 ++++
> security/selinux/hooks.c | 72 +++++++++++++++++++++++++++++++------
> security/selinux/include/security.h | 1 +
> security/selinux/ss/services.c | 1 +
> security/selinux/xfrm.c | 4 +++
> 9 files changed, 96 insertions(+), 13 deletions(-)
>
Is there a patch 1/2?
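The cover letter above describes the mechanism the series proposes: several independent sources (netlabel, xfrm, secmark) can each make the SELinux netfilter hooks do real work, and the hooks should stay registered exactly as long as at least one of them is active. The block below is an added, userspace model of that register-on-demand logic; it is not code from the patch series or from the kernel. The names (`dyn_net_hooks`, `NET_HOOK_*`, `fake_nf_register()`, `fake_nf_unregister()`) are assumptions made here so the state machine can be compiled and exercised outside the kernel; in a real LSM the two fake functions would be the netfilter registration calls and the update would have to be serialized against concurrent status notifications. The edge cases it covers are the ones a reviewer would probe: one source going away while another still needs the hooks, a source being enabled twice, and a disable arriving when the hooks are already unregistered.

```c
#include <stdbool.h>
#include <stdio.h>

/* Subsystems whose state can make the SELinux network hooks non-trivial.
 * Hypothetical names for this model; the cover letter lists netlabel,
 * xfrm and secmark as the relevant status sources. */
enum net_hook_user {
    NET_HOOK_NETLABEL = 1u << 0,
    NET_HOOK_XFRM     = 1u << 1,
    NET_HOOK_SECMARK  = 1u << 2,
};

struct dyn_net_hooks {
    unsigned int users;           /* bitmask of currently active users */
    bool registered;              /* are the nf hooks currently installed? */
    unsigned int register_calls;  /* how often we (re)installed them */
    unsigned int unregister_calls;/* how often we removed them */
};

/* Stand-ins for the netfilter (un)registration calls; here they only
 * count, so the test can check that no redundant call is ever made. */
static void fake_nf_register(struct dyn_net_hooks *h)   { h->register_calls++; }
static void fake_nf_unregister(struct dyn_net_hooks *h) { h->unregister_calls++; }

void dyn_net_hooks_init(struct dyn_net_hooks *h)
{
    h->users = 0;
    h->registered = false;
    h->register_calls = 0;
    h->unregister_calls = 0;
}

/* Hooks are needed iff at least one user is active. */
bool dyn_net_hooks_needed(const struct dyn_net_hooks *h)
{
    return h->users != 0;
}

/* Bring the registration state in line with the user set. Idempotent:
 * calling it when nothing changed performs no netfilter call at all.
 * A kernel implementation must hold a lock across this transition so
 * two concurrent notifications cannot both observe !registered and
 * register twice (or unregister a hook set that is not installed). */
static void dyn_net_hooks_sync(struct dyn_net_hooks *h)
{
    bool needed = dyn_net_hooks_needed(h);

    if (needed && !h->registered) {
        fake_nf_register(h);
        h->registered = true;
    } else if (!needed && h->registered) {
        fake_nf_unregister(h);
        h->registered = false;
    }
}

/* Entry point a status-change notification would call: record the new
 * state of one user and re-evaluate whether the hooks are still needed. */
void dyn_net_hooks_status_change(struct dyn_net_hooks *h,
                                 enum net_hook_user who, bool enabled)
{
    if (enabled)
        h->users |= who;
    else
        h->users &= ~who;
    dyn_net_hooks_sync(h);
}

/* Constructed scenario: overlapping users, a duplicate enable and a
 * disable while another user still needs the hooks. */
struct dyn_net_hooks dyn_net_hooks_run_scenario(void)
{
    struct dyn_net_hooks h;

    dyn_net_hooks_init(&h);
    dyn_net_hooks_status_change(&h, NET_HOOK_NETLABEL, true);  /* register #1 */
    dyn_net_hooks_status_change(&h, NET_HOOK_XFRM, true);      /* no-op */
    dyn_net_hooks_status_change(&h, NET_HOOK_NETLABEL, false); /* xfrm still needs them */
    dyn_net_hooks_status_change(&h, NET_HOOK_XFRM, false);     /* unregister #1 */
    dyn_net_hooks_status_change(&h, NET_HOOK_SECMARK, false);  /* already off: no-op */
    dyn_net_hooks_status_change(&h, NET_HOOK_SECMARK, true);   /* register #2 */
    dyn_net_hooks_status_change(&h, NET_HOOK_SECMARK, true);   /* duplicate: no-op */
    return h;
}

int main(void)
{
    struct dyn_net_hooks h = dyn_net_hooks_run_scenario();

    printf("registered=%d register_calls=%u unregister_calls=%u\n",
           h.registered, h.register_calls, h.unregister_calls);
    return 0;
}
```

The point of the bitmask rather than a single boolean is the third step of the scenario: netlabel being switched off must not tear down hooks that xfrm still relies on, which is exactly the kind of interaction between independent notification sources that a patch wiring several of them into one registration decision has to get right.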