Re: [v9.1] sepgsql - userspace access vector cache
From: Kohei Kaigai <Kohei.Kaigai@EMEA.NEC.COM>
To: Yeb Havinga <yebhavinga@gmail.com>
Cc: Robert Haas <robertmhaas@gmail.com>, PgHacker <pgsql-hackers@postgresql.org>, Kohei KaiGai <kaigai@kaigai.gr.jp>
Date: 2011-07-22T09:55:37Z
Lists: pgsql-hackers
Linked commits:
- 8b9bc234ad43 (8.2.0), cited in this thread: "Remove the limit on the number of entries allowed in catcaches, and"
> -----Original Message-----
> From: Yeb Havinga [mailto:yebhavinga@gmail.com]
> Sent: 22 July 2011 10:23
> To: Kohei Kaigai
> Cc: Robert Haas; PgHacker; Kohei KaiGai
> Subject: Re: [HACKERS] [v9.1] sepgsql - userspace access vector cache
>
> On 2011-07-21 11:29, Kohei Kaigai wrote:
> > The attached patch is the revised userspace-avc patch.
> >
> > List of updates:
> > - The GUC sepgsql.avc_threshold was removed.
> > - "char *ucontext" of avc_cache was replaced by "bool tcontext_is_valid".
> > - Comments added to static variables.
> > - Comments of sepgsql_avc_unlabeled() were revised.
> > - Comments of sepgsql_avc_compute() were simplified.
> > - Comments of sepgsql_avc_check_perms_label() also mention the
> >   permissive domain, which behaves similarly to the system's permissive mode.
> > - selinux_status_close() is now invoked from an on_proc_exit() hook.
>
> Thank you for the update. I'm looking at it right now and, with a fresh look, have some more questions.
> I took the liberty of supplying a patch to be applied after your v5 uavc patch.
>
> 1) At a few call sites of sepgsql_avc_lookup, a null tcontext is detected and then replaced by
> "unlabeled". I moved this into sepgsql_avc_lookup itself.

Good improvement.

> 2) I also wondered whether it could work to not remember that tcontext is valid, but instead remember
> the consequence, which is that it is replaced by "unlabeled". It makes the avc_cache struct shorter and
> the code somewhat simpler.

Here is the reason why we hold tcontext, even if it is not valid.
The hash key of avc_cache is the combination of scontext, tcontext and tclass.
Thus, if we replaced an invalid tcontext with the unlabeled context, it would always cause a cache miss and a performance loss.

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei.kaigai@emea.nec.com>
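The cache-key argument in the reply above, replayed as an added example. This is not sepgsql's code and not Yeb's patch: it is a constructed Python model in which a FakeSecurityServer stands in for the libselinux calls the AVC is meant to avoid, the SELinux labels and the toy policy table are made up, and the two classes model the two keying strategies under discussion (key on the raw tcontext and remember tcontext_is_valid, versus store the entry under the replaced "unlabeled" tcontext). Replaying the same lookup stream through both shows why the second strategy misses on every lookup of an invalid label.

```python
"""Constructed model of two avc_cache keying strategies (added example, not sepgsql code)."""
from collections import Counter

# Constructed stand-in for the "unlabeled" context the AVC falls back to.
UNLABELED = "system_u:object_r:unlabeled_t:s0"

# Constructed: the only labels the toy policy recognises as valid.
VALID_LABELS = {
    "unconfined_u:unconfined_r:unconfined_t:s0",
    "system_u:object_r:sepgsql_table_t:s0",
    UNLABELED,
}


class FakeSecurityServer:
    """Stands in for the expensive libselinux calls and counts how often each is made."""

    def __init__(self):
        self.calls = Counter()

    def check_context(self, ctx):
        # Models a label validity check such as security_check_context_raw().
        self.calls["check_context"] += 1
        return ctx in VALID_LABELS

    def compute_av(self, scontext, tcontext, tclass):
        # Models security_compute_av_raw() against a constructed toy policy:
        # the unconfined subject may select/insert on a labeled table, nothing else.
        self.calls["compute_av"] += 1
        if (scontext == "unconfined_u:unconfined_r:unconfined_t:s0"
                and tcontext == "system_u:object_r:sepgsql_table_t:s0"
                and tclass == "db_table"):
            return frozenset({"select", "insert"})
        return frozenset()


class AvcRawKey:
    """v5-patch style: key on the raw tcontext and remember tcontext_is_valid."""

    def __init__(self, server):
        self.server = server
        self.cache = {}

    def lookup(self, scontext, tcontext, tclass):
        key = (scontext, tcontext, tclass)      # raw tcontext, valid or not
        entry = self.cache.get(key)
        if entry is None:
            valid = self.server.check_context(tcontext)
            effective = tcontext if valid else UNLABELED
            entry = {
                "tcontext_is_valid": valid,
                "allowed": self.server.compute_av(scontext, effective, tclass),
            }
            self.cache[key] = entry
        return entry["allowed"]


class AvcReplacedKey:
    """Alternative from the thread: store only the consequence, i.e. the entry
    keyed by the replaced (unlabeled) tcontext."""

    def __init__(self, server):
        self.server = server
        self.cache = {}

    def lookup(self, scontext, tcontext, tclass):
        entry = self.cache.get((scontext, tcontext, tclass))
        if entry is None:
            valid = self.server.check_context(tcontext)
            effective = tcontext if valid else UNLABELED
            entry = {"allowed": self.server.compute_av(scontext, effective, tclass)}
            # Stored under the replaced label: a later lookup carrying the same
            # invalid raw label hashes to a different key and misses again.
            self.cache[(scontext, effective, tclass)] = entry
        return entry["allowed"]


def run(strategy_cls, lookups):
    """Replay a lookup stream and return how often each expensive call was made."""
    server = FakeSecurityServer()
    avc = strategy_cls(server)
    for scontext, tcontext, tclass in lookups:
        avc.lookup(scontext, tcontext, tclass)
    return dict(server.calls)


SUBJECT = "unconfined_u:unconfined_r:unconfined_t:s0"
TABLE = "system_u:object_r:sepgsql_table_t:s0"
STALE = "system_u:object_r:no_such_t:s0"   # constructed: a label the policy does not know

# Constructed lookup stream: the stale-labeled object is checked five times,
# interleaved with three checks against a properly labeled table.
DEMO_LOOKUPS = (
    [(SUBJECT, STALE, "db_table"), (SUBJECT, TABLE, "db_table")] * 3
    + [(SUBJECT, STALE, "db_table")] * 2
)

if __name__ == "__main__":
    for cls in (AvcRawKey, AvcReplacedKey):
        print(cls.__name__, run(cls, DEMO_LOOKUPS))
```

With the raw-key strategy the stale label costs one validity check and one policy computation no matter how often it recurs; with the replaced-key strategy every lookup of that label misses and pays both calls again, which is the performance loss the reply describes.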