git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Hongru Zhang <zhanghongru@xiaomi.com>
	Thu, 23 Oct 2025 11:29:19 +0000 (19:29 +0800)
committer	Paul Moore <paul@paul-moore.com>
	Thu, 23 Oct 2025 22:24:30 +0000 (18:24 -0400)
commit	641e0217586193bbd6dbc16ae73d0c9ecda535f1
tree	8d1dd7af3c7d860a22b8404516a413e74c1c94e2	tree \| snapshot
parent	094e94d13b606b820e3d1383e3a361f680ff023a	commit \| diff

selinux: Introduce a new config to make avc cache slot size adjustable

On mobile device high-load situations, permission check can happen
more than 90,000/s (8 core system). With default 512 cache nodes
configuration, avc cache miss happens more often and occasionally
leads to long time (>2ms) irqs off on both big and little cores,
which decreases system real-time capability.

An actual call stack is as follows:
=> avc_compute_av
=> avc_perm_nonode
=> avc_has_perm_noaudit
=> selinux_capable
=> security_capable
=> capable
=> __sched_setscheduler
=> do_sched_setscheduler
=> __arm64_sys_sched_setscheduler
=> invoke_syscall
=> el0_svc_common
=> do_el0_svc
=> el0_svc
=> el0t_64_sync_handler
=> el0t_64_sync

Although we can expand avc nodes through /sys/fs/selinux/cache_threshold
to mitigate long time irqs off, hash conflicts make the bucket average
length longer because of the fixed size of cache slots, leading to
avc_search_node() latency increase.

So introduce a new config to make avc cache slot size also configurable,
and with fine tuning, we can mitigate long time irqs off with slightly
avc_search_node() performance regression.

Theoretically, the main overhead is memory consumption.

Signed-off-by: Hongru Zhang <zhanghongru@xiaomi.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

security/selinux/Kconfig		diff \| blob \| blame \| history
security/selinux/avc.c		diff \| blob \| blame \| history