SE-DBUS updates
Matthew Rickard
mjricka at epoch.ncsc.mil
Thu Jul 22 12:08:08 PDT 2004
I've made a few more updates to the SE-DBUS patch (diff/Changelog
attached).
Firstly, instead of calling is_selinux_enabled() at the start of each
SELinux related function, it is only called on startup. The result is
stored and tested later rather than repeating this call. This makes
things a bit faster.
I'm also actually storing the avc_entry_ref now so it will help to speed
up repeated permission checks. Before it was being reinitialized on
each permission check.
There are a few more (mostly minor) changes and cleanups as noted in the
Changelog.
I did some very basic benchmarks just to give an idea of what kind of
overhead this causes right now. The test I did was just timing the test
suite with a few different compile options. No, this is not a very good
benchmark and it does not in any way reflect real-world use... Results
of this follow.
Built with --enable-verbose-mode --enable-tests
time ./bus-test ../test/data > /dev/null 2>&1
Latest CVS without my patches (standard D-BUS)
            Run 1        Run 2
    real    0m58.064s    1m5.346s
    user    0m20.087s    0m24.115s
    sys     0m15.181s    0m16.011s

SE-DBUS 0.6 --enable-selinux (with SELinux kernel)
            Run 1        Run 2
    real    1m24.206s    1m16.575s
    user    0m24.093s    0m27.296s
    sys     0m22.847s    0m24.894s

SE-DBUS 0.6 --enable-selinux (without SELinux kernel)
            Run 1        Run 2
    real    0m56.251s    1m3.688s
    user    0m16.848s    0m21.629s
    sys     0m16.964s    0m17.713s

SE-DBUS 0.6 --disable-selinux
            Run 1        Run 2
    real    1m4.909s     1m4.737s
    user    0m23.417s    0m23.290s
    sys     0m16.520s    0m16.904s

SE-DBUS 0.5 --enable-selinux (with SELinux kernel)
            Run 1        Run 2
    real    1m24.766s    1m34.566s
    user    0m25.624s    0m31.180s
    sys     0m41.257s    0m43.263s
From this you can see that 0.6 (either with --enable-selinux on a
non-SELinux kernel, or with --disable-selinux) performs nearly
identically to the standard unpatched D-BUS.
With --enable-selinux and an SELinux kernel, there is a small overhead
in 0.6, but it has been reduced significantly compared to the 0.5
release.
Matt
-------------- next part --------------
SE-DBUS Changelog
Matthew Rickard <mjricka at epoch.ncsc.mil>
7/22/04 - 0.6
-New patch release.
-The avc_entry_ref was previously being reinitialized on each permission
check, and was therefore not doing us any good. Now store a bus wide
avc_entry_ref to speed repeated avc checks.
-We no longer do an is_selinux_enabled() check before every SELinux
function. This was costly and slowed us down even when not running
an SELinux kernel. Now do the is_selinux_enabled() check once on
bus startup and store its result. We can just query this for the later
checks.
-Properly destroy the AVC on exit, and add some statistics reporting
for verbose mode.
-Don't always include SELinux headers.
7/1/04 - 0.5
-New patch release. security.[ch] are now known as selinux.[ch].
WITH_SELINUX is now changed to HAVE_SELINUX.
-configure.in will now autodetect SELinux support at build time.
-Cleaned up to confine #ifdef HAVE_SELINUX to selinux.c.
-Various other cleanups. Thanks to Havoc Pennington for all the
suggestions on how to fix this patch up.
-Added additional support for the case of SELinux support being built
in, but running a non-SELinux kernel.
6/24/04 - 0.4
-New patch release. Note that sepolicy.conf is distributed separately
from the patch since it will be distributed with the SELinux policy
and not D-BUS.
-Changed parsing to take selinux.conf file in XML format consistent
with the other D-BUS configs. Don't do longest match on service
names.
-Service hash table is stored as part of the BusPolicy. BusRegistry
holds a reference to this table. This was done to keep the mappings
global and not per client. However, it is kind of ugly and there is
probably a better way to do it.
-Fixed up some header problems. Also fixed a few places not to assume
C99/gcc.
-Various SID handling fixes and cleanups.
2/23/04 - 0.3
-Changed code to store a SID for a service rather than a context.
This saves us from having to transition between context<->sid so much.
-Changed parsing code to store SIDs rather than contexts in the hash
table for the same reason as above.
-Changed bus_connection_avc_has_perm to take an optional SID now
instead of a context so it works appropriately with the above changes.
-Fixed a bug in the log callback struct. Had an uninitialized pointer
there that could cause segfaults.
-Broke off part of the parsing function into bus_hash_service_sid() to do
the hashing separately. Parse function still needs more cleanup.
-Various other cleanups.
2/19/04 - 0.2
-avc_context_to_sid() increments sid ref count. We don't need to
increment it with sidget. This caused ref leaks.
-bus_avc_store_service_context() shouldn't freecon -- we
aren't done with it until the service is released (it will be
freed by bus_service_unref() at that point).
2/19/04 - 0.1
-Initial Release
-------------- next part --------------
A non-text attachment was scrubbed...
Name: se-dbus-0.6.diff
Type: text/x-patch
Size: 45728 bytes
Desc: not available
Url : http://freedesktop.org/pipermail/dbus/attachments/20040722/a87dc82d/se-dbus-0.6-0001.bin