• [PATCH] selinux: Reduce memory use by avtab · 782ebb99
    Stephen Smalley authored
    This patch improves memory use by SELinux by both reducing the avtab node
    size and reducing the number of avtab nodes.  The memory savings are
    substantial, e.g.  on a 64-bit system after boot, James Morris reported the
    following data for the targeted and strict policies:
    
                #objs  objsize   kernmem
    Targeted:
      Before:  237888       40     9.1MB
      After:    19968       24     468KB
    
    Strict:
      Before:  571680       40   21.81MB
      After:   221052       24    5.06MB
    
    The improvement in memory use comes at a cost in the speed of security
    server computations of access vectors, but these computations are only
    required on AVC cache misses, and performance measurements by James Morris
    using a number of benchmarks have shown that the change does not cause any
    significant degradation.
    
    Note that a rebuilt policy via an updated policy toolchain
    (libsepol/checkpolicy) is required in order to gain the full benefits of
    this patch, although some memory savings benefits are immediately applied
    even to older policies (in particular, the reduction in avtab node size).
    Sources for the updated toolchain are presently available from the
    sourceforge CVS tree (http://sourceforge.net/cvs/?group_id=21266), and
    tarballs are available from http://www.flux.utah.edu/~sds.
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: James Morris <jmorris@namei.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
policydb.c 38 KB