[v9.2] sepgsql - userspace access vector cache (Re: [v9.1] sepgsql - userspace access vector cache)

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: [v9.2] sepgsql - userspace access vector cache (Re: [v9.1] sepgsql - userspace access vector cache)
Date: 2011-06-09 10:17:07
Message-ID: BANLkTim5L1SJCACGd+uc4MWQnH_7yDe1fg@mail.gmail.com
Lists: pgsql-hackers

Oops, subject was incorrect. It should be [v9.2], not [v9.1]

2011/6/9 Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>:
> The attached patch adds to contrib/sepgsql a cache mechanism for the
> access control decisions of SELinux. It shall reduce the total number of
> system call invocations to improve the performance of its access
> controls.
>
> In the current implementation, sepgsql always raises a query to
> SELinux in-kernel. However, the same answer shall be returned for a given
> pair of security labels and object class, unless the security policy
> gets reloaded.
> It is a situation where a caching mechanism works well. Of course, we don't
> assume the security policy is reloaded so frequently.
>
> I tried to measure the performance of running sepgsql_restorecon(NULL),
> which is used to assign initial labels to schemas, relations, columns
> and procedures. It also invokes a massive number of "relabelfrom" and
> "relabelto" permission checks.
>
> $ time -p psql -c 'SELECT sepgsql_restorecon(NULL);' postgres
>
> without patch
> real 2.73
> real 2.70
> real 2.72
> real 2.67
> real 2.68
>
> with patch
> real 0.67
> real 0.61
> real 0.63
> real 0.63
> real 0.63
>
> The improvement is obvious.
>
> From the viewpoint of implementation, this patch replaces
> sepgsql_check_perms() by sepgsql_avc_check_perms(), i.e. the non-cached
> interface by a cached one.
> Every cached item is hashed using a pair of security labels and an
> object class, so even if different objects have the same security label,
> a system call invocation shall happen only once for an identical
> combination.
>
> The only modification by this patch to the core routines is a new
> syscache for the pg_seclabel system catalog. The SECLABELOID enables
> referencing the security label of an object using the syscache interface.
>
> Thanks,
> --
> KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
>

--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
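The shape of such a userspace AVC, shown as an added example that is neither the patch's code nor anything from contrib/sepgsql or libselinux: decisions are cached under the key (subject label, target label, object class), a miss costs one query to the policy decision point, and a policy reload must flush the whole cache or stale "allowed" bits survive the policy that granted them. The object classes, permission bits, labels and the `kernel_compute_av()` stub standing in for the real in-kernel query are all constructed for this example; `simulate_relabel()` mimics what sepgsql_restorecon does to a batch of tables (a relabelfrom check on the old label and a relabelto check on the new one per table) and returns how many simulated system calls that took.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical subset of object classes and permission bits (not sepgsql's tables). */
enum { CLASS_DB_TABLE = 1, CLASS_DB_COLUMN = 2 };
enum { PERM_SELECT = 1u << 0, PERM_INSERT = 1u << 1,
       PERM_RELABELFROM = 1u << 2, PERM_RELABELTO = 1u << 3 };

#define AVC_SLOTS 64
#define CTX_MAX   96

typedef struct {
    int      used;
    char     scontext[CTX_MAX];   /* subject (client) label */
    char     tcontext[CTX_MAX];   /* target (object) label  */
    int      tclass;              /* object class the labels were checked for */
    uint32_t allowed;             /* permission bits the policy grants */
} avc_entry;

static avc_entry     avc[AVC_SLOTS];
static int           avc_nused;
static unsigned long kernel_queries;   /* simulated system-call count */

/* Stand-in for the in-kernel decision: a constructed toy policy, not SELinux's. */
static uint32_t kernel_compute_av(const char *s, const char *t, int tclass)
{
    kernel_queries++;
    if (strstr(s, ":sepgsql_admin_t:") != NULL)
        return 0xffffffffu;                       /* admin domain: everything */
    if (tclass == CLASS_DB_TABLE && strstr(t, ":sepgsql_table_t:") != NULL)
        return PERM_SELECT | PERM_INSERT;
    return 0;                                     /* default deny */
}

static size_t avc_hash(const char *s, const char *t, int tclass)
{
    uint32_t h = 5381;                            /* djb2 over the whole key */
    for (; *s; s++) h = h * 33 + (unsigned char)*s;
    for (; *t; t++) h = h * 33 + (unsigned char)*t;
    return (h * 33 + (uint32_t)tclass) % AVC_SLOTS;
}

/* Drop every cached decision; must run on every policy reload. */
void avc_flush(void)
{
    memset(avc, 0, sizeof(avc));
    avc_nused = 0;
}

static avc_entry *avc_lookup(const char *s, const char *t, int tclass)
{
    size_t i = avc_hash(s, t, tclass);
    for (int n = 0; n < AVC_SLOTS; n++, i = (i + 1) % AVC_SLOTS) {
        if (!avc[i].used)
            return NULL;                          /* probe chain ends: miss */
        if (avc[i].tclass == tclass && strcmp(avc[i].scontext, s) == 0 &&
            strcmp(avc[i].tcontext, t) == 0)
            return &avc[i];
    }
    return NULL;
}

static avc_entry *avc_insert(const char *s, const char *t, int tclass, uint32_t allowed)
{
    if (avc_nused >= AVC_SLOTS * 3 / 4)
        avc_flush();                              /* crude reclaim keeps probes short */
    size_t i = avc_hash(s, t, tclass);
    while (avc[i].used)
        i = (i + 1) % AVC_SLOTS;                  /* linear probing; a free slot exists */
    avc[i].used = 1;
    strcpy(avc[i].scontext, s);
    strcpy(avc[i].tcontext, t);
    avc[i].tclass = tclass;
    avc[i].allowed = allowed;
    avc_nused++;
    return &avc[i];
}

/* Cached check: 1 when every bit of `required` is granted. Labels that would
 * not fit the key buffers bypass the cache, so a truncated key never aliases
 * two different labels. */
int avc_check_perms(const char *s, const char *t, int tclass, uint32_t required)
{
    if (strlen(s) >= CTX_MAX || strlen(t) >= CTX_MAX)
        return (kernel_compute_av(s, t, tclass) & required) == required;
    avc_entry *e = avc_lookup(s, t, tclass);
    if (e == NULL)
        e = avc_insert(s, t, tclass, kernel_compute_av(s, t, tclass));
    return (e->allowed & required) == required;
}

/* Relabel `ntables` tables (relabelfrom on the old label, relabelto on the new),
 * flushing the cache every `reload_every` tables as a policy reload would;
 * returns the number of simulated kernel queries. */
unsigned long simulate_relabel(int ntables, int reload_every, int use_cache)
{
    const char *admin = "system_u:system_r:sepgsql_admin_t:s0";
    const char *old_l = "system_u:object_r:unlabeled_t:s0";
    const char *new_l = "system_u:object_r:sepgsql_table_t:s0";
    avc_flush();
    kernel_queries = 0;
    for (int i = 0; i < ntables; i++) {
        if (reload_every > 0 && i > 0 && i % reload_every == 0)
            avc_flush();
        if (use_cache) {
            avc_check_perms(admin, old_l, CLASS_DB_TABLE, PERM_RELABELFROM);
            avc_check_perms(admin, new_l, CLASS_DB_TABLE, PERM_RELABELTO);
        } else {
            kernel_compute_av(admin, old_l, CLASS_DB_TABLE);
            kernel_compute_av(admin, new_l, CLASS_DB_TABLE);
        }
    }
    return kernel_queries;
}

int main(void)
{
    printf("1000 tables, no cache:   %lu kernel queries\n", simulate_relabel(1000, 0, 0));
    printf("1000 tables, cached:     %lu kernel queries\n", simulate_relabel(1000, 0, 1));
    printf("1000 tables, reload/100: %lu kernel queries\n", simulate_relabel(1000, 100, 1));
    return 0;
}
```

Two details matter more than the hash table: the object class is part of the key, so a decision cached for db_table is never reused for db_column even when both labels match, and the flush on reload is what keeps the cache from turning into a way to keep permissions the current policy no longer grants.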
