Hello.
I would like to propose a patch that reduces the overhead that SELinux adds to read/write.
I sent an RFC in a previous thread:
http://lkml.org/lkml/2007/9/6/14
As a result of the discussion in that thread,
the quality of the code has improved, so I would like to submit the patch here.
1. Background
Look at the benchmark results below.
lmbench simple read/write (average of 5 runs).
A big overhead exists, especially on the SH (SuperH) arch.
1) Result for x86 (Pentium 4 2.6GHz), kernel 2.6.22
                  Base    SELinux   Overhead(%)
  Simple read     1.10    1.24      12.3
  Simple write    1.02    1.14      14.0
  * Base: kernel compiled without SELinux support
2) Result for SH (SH4, SH7751R), kernel 2.6.22
                  Base    SELinux   Overhead(%)
  Simple read     2.39    5.49      130.5
  Simple write    2.07    5.10      146.6
2. About the patch
It reduces the SELinux overhead on read/write by revalidating
permissions in selinux_file_permission only if the task or inode labels
have changed, or the policy has changed, since the open-time check.
A new LSM hook, security_dentry_open, is added to capture
the necessary state at open time to allow this optimization.
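To illustrate the idea, here is an added user-space model of the open-time snapshot and the read/write fast path; it is not the patch's code, and the names (open_snapshot, model_dentry_open, model_file_permission, avc_check, policy_seqno) are hypothetical stand-ins for the kernel structures and hooks.

```c
/* Added illustration, not the patch's code: model of "revalidate only if
 * the task label, inode label, or policy changed since open time". */
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t sid_t;                /* security identifier (label) */

static uint32_t policy_seqno = 1;      /* bumped on every policy (re)load */
static unsigned long full_checks = 0;  /* counts full access-vector checks */

struct open_snapshot {                 /* state captured at open time */
    sid_t task_sid;
    sid_t inode_sid;
    uint32_t pseqno;
};

/* Stand-in for the full access-vector check (the expensive path). */
static bool avc_check(sid_t task_sid, sid_t inode_sid)
{
    full_checks++;
    /* toy policy: any labelled task may access any labelled inode */
    return task_sid != 0 && inode_sid != 0;
}

/* Open-time hook: do the full check and remember what it was based on. */
static bool model_dentry_open(struct open_snapshot *s,
                              sid_t task_sid, sid_t inode_sid)
{
    if (!avc_check(task_sid, inode_sid))
        return false;
    s->task_sid = task_sid;
    s->inode_sid = inode_sid;
    s->pseqno = policy_seqno;
    return true;
}

/* Read/write-time hook: skip the full check when nothing the open-time
 * decision depended on has changed; otherwise revalidate. */
static bool model_file_permission(const struct open_snapshot *s,
                                  sid_t task_sid, sid_t inode_sid)
{
    if (task_sid == s->task_sid && inode_sid == s->inode_sid &&
        s->pseqno == policy_seqno)
        return true;                   /* fast path: still valid */
    return avc_check(task_sid, inode_sid);
}
```

A policy reload (policy_seqno bump) or a relabel of the task or inode forces the full check again, which is the correctness condition the optimization relies on.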
3. Benchmark results after applying the patch
1) Result for x86 (Pentium 4 2.6GHz), kernel 2.6.22
                  Base    SELinux   Overhead(%)
  Simple read     1.10    1.13      2.3  (before: 12.3)
  Simple write    1.02    1.024     0.6  (before: 14.0)
  * Base: kernel compiled without SELinux support
2) Result for SH (SH4, SH7751R), kernel 2.6.22
                  Base    SELinux   Overhead(%)
  Simple read     2.39    2.63      10.4 (before: 130.5)
  Simple write    2.07    2.34      13.1 (before: 146.6)
The overhead in read/write is reduced a lot.
This patch adds a permission check at open time (in __dentry_open),
but open/close performance does not get worse, as shown below.
* lmbench simple open/close
Pentium 4 (before patch):
                  Base    SELinux   Overhead(%)
  open/close      5.97    7.45      24.9
after patch:
  open/close      5.97    7.48      25.3
SH (before patch):
...