[PATCH] Reduce SELinux kernel memory use on 64-bit systems

The patch below reduces kernel memory used by SELinux policy rules by about 37% on 64-bit systems. This is because the size of struct avtab_node is 40 bytes on 64-bit, and defaults to a size-64 slab. Creating a slab cache specifically for these structs saves considerable amounts of kernel memory on 64-bit systems with large rulesets. 'Strict' policy has over 300k rules, while 'targeted' policy has around 3k rules. Here's the slabtop output with 64 and 40 byte sized slabs to show the memory savings, for strict policy: 303475 303447 99% 0.06K 4975 61 19900K avtab_node 303456 303447 99% 0.04K 3161 96 12644K avtab_node Also, there are 57% more objects per slab. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] Reduce SELinux kernel memory use on 64-bit systems
The patch below reduces kernel memory used by SELinux policy rules by about 37% on 64-bit systems. This is because the size of struct avtab_node is 40 bytes on 64-bit, and defaults to a size-64 slab. Creating a slab cache specifically for these structs saves considerable amounts of kernel memory on 64-bit systems with large rulesets. 'Strict' policy has over 300k rules, while 'targeted' policy has around 3k rules. Here's the slabtop output with 64 and 40 byte sized slabs to show the memory savings, for strict policy: 303475 303447 99% 0.06K 4975 61 19900K avtab_node 303456 303447 99% 0.04K 3161 96 12644K avtab_node Also, there are 57% more objects per slab. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
7c830b4a · James Morris · Linus Torvalds · 0f1af7ba · 7c830b4a · 7c830b4a
Commit 7c830b4a authored Aug 23, 2004 by James Morris Committed by Linus Torvalds Aug 23, 2004
Showing with 13 additions and 2 deletions

security/selinux/ss/avtab.c security/selinux/ss/avtab.c +10 -2

security/selinux/ss/avtab.h security/selinux/ss/avtab.h +2 -0

security/selinux/ss/services.c security/selinux/ss/services.c +1 -0

No files found.
--- a/security/selinux/ss/avtab.c
+++ b/security/selinux/ss/avtab.c
@@ -28,12 +28,14 @@
 (keyp->source_type << 9)) & \
 AVTAB_HASH_MASK)

+static kmem_cache_t *avtab_node_cachep;
+
 static struct avtab_node*
 avtab_insert_node(struct avtab *h, int hvalue, struct avtab_node * prev, struct avtab_node * cur,
 		  struct avtab_key *key, struct avtab_datum *datum)
 {
 	struct avtab_node * newnode;
-	newnode = (struct avtab_node *) kmalloc(sizeof(struct avtab_node),GFP_KERNEL);
+	newnode = kmem_cache_alloc(avtab_node_cachep, SLAB_KERNEL);
 	if (newnode == NULL)
 		return NULL;
 	memset(newnode, 0, sizeof(struct avtab_node));
@@ -226,7 +228,7 @@ void avtab_destroy(struct avtab *h)
 		while (cur != NULL) {
 			temp = cur;
 			cur = cur->next;
-			kfree(temp);
+			kmem_cache_free(avtab_node_cachep, temp);
 		}
 		h->htable[i] = NULL;
 	}
@@ -399,3 +401,9 @@ int avtab_read(struct avtab *a, void *fp, u32 config)
 	goto out;
 }

+void avtab_cache_init(void)
+{
+	avtab_node_cachep = kmem_cache_create("avtab_node",
+					      sizeof(struct avtab_node),
+					      0, SLAB_PANIC, NULL, NULL);
+}
--- a/security/selinux/ss/avtab.h
+++ b/security/selinux/ss/avtab.h
@@ -78,6 +78,8 @@ struct avtab_node *avtab_search_node(struct avtab *h, struct avtab_key *key, int

 struct avtab_node *avtab_search_node_next(struct avtab_node *node, int specified);

+void avtab_cache_init(void);
+
 #define AVTAB_HASH_BITS 15
 #define AVTAB_HASH_BUCKETS (1 << AVTAB_HASH_BITS)
 #define AVTAB_HASH_MASK (AVTAB_HASH_BUCKETS-1)

--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1034,6 +1034,7 @@ int security_load_policy(void *data, size_t len)
 	LOAD_LOCK;

 	if (!ss_initialized) {
+		avtab_cache_init();
 		if (policydb_read(&policydb, fp)) {
 			LOAD_UNLOCK;
 			return -EINVAL;