diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2025-05-28 08:28:58 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-05-28 08:28:58 -0700 |
| commit | b5628b81bd19fa52d6a35e49336c58d7188eaf1b (patch) | |
| tree | d6b497fc8e5b11f1a6bd1bd893f69f140d48936d /scripts/bpf_doc.py | |
| parent | 1bc8c83af962a7f0e52c1ee254acbcb1d9204a5e (diff) | |
| parent | 05f1a939225ec895a97a6b2f1cf64e329b6474f5 (diff) | |
Merge tag 'selinux-pr-20250527' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
- Reduce the SELinux impact on path walks.
Add a small directory access cache to the per-task SELinux state.
This cache allows SELinux to cache the most recently used directory
access decisions in order to avoid repeatedly querying the AVC on
path walks where the majority of the directories have similar
security contexts/labels.
My performance measurements are crude, but prior to this patch the
time spent in SELinux code on a 'make allmodconfig' run was 103% that
of __d_lookup_rcu(), and with this patch the time spent in SELinux
code dropped to 63% of __d_lookup_rcu(), a ~40% improvement.
Additional improvments can be expected in the future, but those will
require additional SELinux policy/toolchain support.
- Add support for wildcards in genfscon policy statements.
This patch allows for wildcards in the genfscon patch matching logic
as opposed to the prefix matching that was used prior to this change.
Adding wilcard support allows for more expressive and efficient path
matching in the policy which is especially helpful for sysfs, and has
resulted in a ~15% boot time reduction in Android.
SELinux policies can opt into wilcard matching by using the
"genfs_seclabel_wildcard" policy capability.
- Unify the error/OOM handling of the SELinux network caches.
A failure to allocate memory for the SELinux network caches isn't
fatal as the object label can still be safely returned to the caller,
it simply means that we cannot add the new data to the cache, at
least temporarily. This patch corrects this behavior for the
InfiniBand cache and does some minor cleanup.
- Minor improvements around constification, 'likely' annotations, and
removal of bogus comments.
* tag 'selinux-pr-20250527' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux:
selinux: fix the kdoc header for task_avdcache_update
selinux: remove a duplicated include
selinux: reduce path walk overhead
selinux: support wildcard match in genfscon
selinux: drop copy-paste comment
selinux: unify OOM handling in network hashtables
selinux: add likely hints for fast paths
selinux: contify network namespace pointer
selinux: constify network address pointer
Diffstat (limited to 'scripts/bpf_doc.py')
0 files changed, 0 insertions, 0 deletions