1. Next Linux kernel boosts SE-PostgreSQL
KaiGai Kohei <kaigai@kaigai.gr.jp>
(@kkaigai)
5. SELinux as a Security Server (SaaSS)
[Diagram: a user issues an SQL query to PostgreSQL; SE-PgSQL asks SELinux, through libselinux, for the access control decision and enforces it on the database]
3. Userspace access vector cache
A system call is expensive, so SE-PgSQL caches recently used access control decisions.
This is called the userspace access vector cache (userspace AVC).
Empirically, the cache hit rate exceeds 99.9%.
Events that invalidate the cache:
  Kernel policy reloaded
  Kernel mode switched (enforcing <-> permissive)
4. Issue of cache invalidation
1. Check the kernel status on every cache lookup
   This needs a system call invocation for each access control decision.
2. A worker thread monitors a netlink socket to receive notifications
   Does the PostgreSQL process model allow a plugin module to launch a worker process?
We need a lightweight event notification mechanism.
5. /selinux/status (1/2)
This pseudo file allows the kernel status page to be mmap(2)'ed in read-only mode.
Layout of the status page:
  +0   u32  version
  +4   u32  sequence
  +8   u32  enforcing
  +12  u32  policyload    incremented for each kernel event
  +16  u32  deny_unknown  always zero
No need to invoke a system call
No need to launch a worker thread
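As an added example (not code from the slides or from SE-PgSQL), a C program that maps the status page and, on every cache lookup, compares the enforcing and policyload fields against the last values seen, so a policy reload or mode switch is noticed without any system call. The odd/even handling of `sequence` follows the kernel's seqlock convention, which the slide does not spell out, and the constructed `demo` page lets the logic run on a host without SELinux; `/sys/fs/selinux/status` is the selinuxfs path on current kernels, `/selinux/status` the one on the slide.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>
struct sel_status {          /* layout of the status page, byte offsets as on the slide */
    uint32_t version;        /* +0  */
    uint32_t sequence;       /* +4  */
    uint32_t enforcing;      /* +8  */
    uint32_t policyload;     /* +12 */
    uint32_t deny_unknown;   /* +16 */
};
struct avc_epoch { uint32_t enforcing, policyload; };
/* Consistent read of the fields that invalidate a userspace AVC. Assumption: the
 * kernel's seqlock convention, odd sequence = update in progress, changed = retry. */
static struct avc_epoch status_read(const volatile struct sel_status *st)
{
    struct avc_epoch e;
    for (;;) {
        uint32_t seq = st->sequence;
        if (seq & 1) continue;          /* writer in progress, spin */
        e.enforcing = st->enforcing;
        e.policyload = st->policyload;
        __sync_synchronize();           /* order the field reads before the re-check */
        if (seq == st->sequence) return e;
    }
}
/* Called on every AVC lookup: a memory compare, no syscall. True = flush the cache. */
static bool avc_needs_reset(const volatile struct sel_status *st, struct avc_epoch *last)
{
    struct avc_epoch now = status_read(st);
    bool reset = now.enforcing != last->enforcing || now.policyload != last->policyload;
    *last = now;
    return reset;
}
int main(void)
{
    static struct sel_status demo = { 1, 2, 1, 3, 0 }; /* constructed page for hosts without SELinux */
    const volatile struct sel_status *st = &demo;
    int fd = open("/sys/fs/selinux/status", O_RDONLY);   /* selinuxfs mount on current kernels */
    if (fd < 0) fd = open("/selinux/status", O_RDONLY);  /* path used on the slide */
    if (fd >= 0) {
        void *p = mmap(NULL, sysconf(_SC_PAGESIZE), PROT_READ, MAP_SHARED, fd, 0);
        if (p != MAP_FAILED) st = p;
    }
    struct avc_epoch e = status_read(st);
    printf("version=%u enforcing=%u policyload=%u\n", st->version, e.enforcing, e.policyload);
    return 0;
}
```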
6. /selinux/status (2/2)
Current status
  The feature is now in the linux-next tree
  It will be available in the 2.6.27 kernel
Performance measurement: 10 million iterations of avc_has_perms()
  with /selinux/status ... 4.71[s]
  without /selinux/status ... 65.44[s]