On Wed, Apr 6, 2016 at 5:37 PM, Casey Schaufler <ca...@schaufler-ca.com> wrote:
> On 4/6/2016 2:51 AM, Paolo Abeni wrote:
>> Currently, selinux always registers iptables POSTROUTING hooks regardless of
>> whether the running policy needs any action to be performed by them.
>>
>> Even the socket_sock_rcv_skb() is always registered, but it can result in a
>> no-op depending on the current policy configuration.
>>
>> The above invocations in the kernel datapath are the cause of measurable
>> overhead in networking performance tests.
>>
>> This patch series adds explicit notification for netlabel status change
>> (other relevant status changes, like xfrm and secmark, are already notified to
>> LSM) and uses this information in selinux to register the above hooks only
>> when the current status makes them relevant, deregistering them when no-op.
>>
>> Avoiding the LSM hooks overhead, in the netperf UDP_STREAM test with small
>> packets, gives about 5% performance improvement on rx and about 8% on tx.
>>
>> Paolo Abeni (2):
>>   security: add hook for netlabel status change notification
>>   selinux: implement support for dynamic net hook [de-]registration
>>
>>  include/linux/lsm_hooks.h           |  6 ++++
>>  include/linux/security.h            |  5 +++
>>  net/netlabel/netlabel_cipso_v4.c    |  8 +++--
>>  net/netlabel/netlabel_unlabeled.c   |  5 ++-
>>  security/security.c                 |  7 ++++
>>  security/selinux/hooks.c            | 72 +++++++++++++++++++++++++++++++------
>>  security/selinux/include/security.h |  1 +
>>  security/selinux/ss/services.c      |  1 +
>>  security/selinux/xfrm.c             |  4 +++
>>  9 files changed, 96 insertions(+), 13 deletions(-)
>>
>
> Is there a patch 1/2?
Yes, there was (it was the "security: add hook ..." patch), but for some
reason it hasn't hit the archive that I normally use. Odd. I'll fwd the
patch to you off-list so as not to spam everyone again.

-- 
paul moore
www.paul-moore.com