[v9.1] sepgsql - userspace access vector cache

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: [v9.1] sepgsql - userspace access vector cache
Date: 2011-06-09 07:59:18
Message-ID: BANLkTikqN7nGr3YC2whokwvNUnawHX==0g@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

The attached patch adds contrib/sepgsql a cache mechanism for access
control decision of SELinux. It shall reduce the total number of
system call invocations to improve the performance on its access
controls.

In the current implementation, the sepgsql always raises a query to
SELinux in-kernel. However, same answer shall be returned for some
pair of security labels and object class, unless the security policy
got reloaded.
It is a situation caching mechanism works well. Of course, we don't
assume the security policy is reloaded so frequently.

I tried to measure the performance to run sepgsql_restorecon(NULL)
that is used to assign initial labels of schemas, relations, columns
and procedures. It also invokes massive number of "relabelfrom" and
"relabelto" permission checks.

$ time -p psql -c 'SELECT sepgsql_restorecon(NULL);' postgres

without patch
real 2.73
real 2.70
real 2.72
real 2.67
real 2.68

with patch
real 0.67
real 0.61
real 0.63
real 0.63
real 0.63

The improvement is obvious.

From the viewpoint of implementation, this patch replaces
sepgsql_check_perms() by sepgsql_avc_check_perms(), from non-cache
interface to cached interface.
Every cached items are hashed using a pair of security labels and
object class, so, even if different objects have same security label,
system call invocation shall happen only once for an identical
combination.

The only modification by this patch to the core routine is a new
syscache for pg_seclabel system catalog. The SECLABELOID enables to
reference security label of the object using syscache interface.

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

Attachment Content-Type Size
sepgsql-uavc.1.patch application/octet-stream 40.5 KB

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Marti Raudsepp 2011-06-09 08:29:24 Re: [PATCH] Allow star syntax in GROUP BY, as a shorthand for all table columns
Previous Message Bhavin Kamani 2011-06-09 06:59:50 postgresql 9.0.4 source compilation issue on OSX