The attached patch adds contrib/sepgsql a cache mechanism for access control decision of SELinux. It shall reduce the total number of system call invocations to improve the performance on its access controls.
In the current implementation, the sepgsql always raises a query to SELinux in-kernel. However, same answer shall be returned for some pair of security labels and object class, unless the security policy got reloaded. It is a situation caching mechanism works well. Of course, we don't assume the security policy is reloaded so frequently. I tried to measure the performance to run sepgsql_restorecon(NULL) that is used to assign initial labels of schemas, relations, columns and procedures. It also invokes massive number of "relabelfrom" and "relabelto" permission checks. $ time -p psql -c 'SELECT sepgsql_restorecon(NULL);' postgres without patch real 2.73 real 2.70 real 2.72 real 2.67 real 2.68 with patch real 0.67 real 0.61 real 0.63 real 0.63 real 0.63 The improvement is obvious. >From the viewpoint of implementation, this patch replaces sepgsql_check_perms() by sepgsql_avc_check_perms(), from non-cache interface to cached interface. Every cached items are hashed using a pair of security labels and object class, so, even if different objects have same security label, system call invocation shall happen only once for an identical combination. The only modification by this patch to the core routine is a new syscache for pg_seclabel system catalog. The SECLABELOID enables to reference security label of the object using syscache interface. Thanks, -- KaiGai Kohei <kai...@kaigai.gr.jp>
sepgsql-uavc.1.patch
Description: Binary data
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
