Lcj pg sql-lt-kaigai

Next Linux kernel boost

SE-PostgreSQL

KaiGai Kohei <[email protected]>

(@kkaigai)

SELinux as a Security Server (SaaSS)

[Diagram] User --(SQL Query)--> PostgreSQL [Database; SE-PgSQL, linked with libselinux] <--(Access Control decision)-- SELinux

Userspace access vector cache

- A system call is expensive
- SE-PgSQL caches recently used access control decisions
  - called the userspace access vector cache
- Heuristically, the hit rate is over 99.9%
- Events that invalidate the cache
  - Kernel policy reloaded
  - Kernel mode switched: enforcing <-> permissive

Issue of cache invalidation

1. Check the kernel status on every cache lookup
   - Needs a system call invocation for each access control decision
2. A worker thread monitors a netlink socket to receive notifications
   - Does the PostgreSQL model allow a plugin module to launch a worker process?

- We need a lightweight event notification mechanism

/selinux/status (1/2)

- This pseudo file allows the kernel status page to be mmap(2)'ed in read-only mode

  Offset  Field             Note
  +0      u32 version       Always zero
  +4      u32 sequence      Incremented for each kernel event
  +8      u32 enforcing
  +12     u32 policyload
  +16     u32 deny_unknown

- No need to invoke a system call
- No need to launch a worker thread

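The following is an added example, not code from SE-PgSQL or libselinux, showing how a userspace access vector cache can use the mmap(2)'ed status page described above: a lookup does one memory read of `sequence` on the fast path and only flushes its entries when `policyload` or `enforcing` changed, the two invalidation events from the earlier slide. It assumes the five-u32 layout on the slide; `status_map()` opens `/sys/fs/selinux/status`, the path where current kernels mount selinuxfs (the slide uses the older `/selinux` mount point). The SIDs, the `fake` status page and the `run_scenario()` steps are constructed for illustration and need no kernel, which is also why the scenario drives the cache through a local struct instead of the mapped page.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Read-only status page, field layout as given on the slide (all u32). */
struct selinux_status_page {
    uint32_t version;      /* +0  : always zero */
    uint32_t sequence;     /* +4  : incremented for each kernel event */
    uint32_t enforcing;    /* +8  : 1 = enforcing, 0 = permissive */
    uint32_t policyload;   /* +12 : bumped on each policy reload */
    uint32_t deny_unknown; /* +16 */
};
/* Toy userspace AVC: one cached decision per (source SID, target SID, class). */
#define AVC_SLOTS 64
struct avc_entry { uint32_t ssid, tsid, tclass; int allowed, valid; };
struct avc_cache {
    struct avc_entry slots[AVC_SLOTS];
    unsigned next;                       /* round-robin victim slot */
    struct selinux_status_page seen;     /* kernel state at the last check */
    unsigned flushes;
};

/* mmap the status page read-only; NULL when unavailable (no SELinux, older kernel). */
const volatile struct selinux_status_page *status_map(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NULL;
    void *p = mmap(NULL, sizeof(struct selinux_status_page), PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    return p == MAP_FAILED ? NULL : (const volatile struct selinux_status_page *)p;
}

/* Consistent copy: read sequence first, re-check it last, retry if the kernel updated mid-read. */
static void status_snapshot(const volatile struct selinux_status_page *p, struct selinux_status_page *out)
{
    do {
        out->sequence = p->sequence;
        out->enforcing = p->enforcing;
        out->policyload = p->policyload;
    } while (out->sequence != p->sequence);
}

static void avc_init(struct avc_cache *c, const volatile struct selinux_status_page *p)
{
    memset(c, 0, sizeof(*c));
    status_snapshot(p, &c->seen);
}

/* Flush cached decisions after a policy reload or an enforcing/permissive switch (the
 * slide's two invalidation events). The fast path is one memory read, no system call. */
static int avc_check_status(struct avc_cache *c, const volatile struct selinux_status_page *p)
{
    struct selinux_status_page s = {0};
    if (p->sequence == c->seen.sequence) return 0;
    status_snapshot(p, &s);
    int changed = s.policyload != c->seen.policyload || s.enforcing != c->seen.enforcing;
    c->seen = s;
    if (!changed) return 0;              /* some other kernel event: cache stays valid */
    memset(c->slots, 0, sizeof(c->slots));
    c->flushes++;
    return 1;
}

/* Returns 1 and sets *allowed on a hit, 0 on a miss (the caller then asks the kernel). */
static int avc_lookup(struct avc_cache *c, const volatile struct selinux_status_page *p,
                      uint32_t ssid, uint32_t tsid, uint32_t tclass, int *allowed)
{
    avc_check_status(c, p);
    for (struct avc_entry *e = c->slots; e < c->slots + AVC_SLOTS; e++)
        if (e->valid && e->ssid == ssid && e->tsid == tsid && e->tclass == tclass) { *allowed = e->allowed; return 1; }
    return 0;
}

static void avc_insert(struct avc_cache *c, uint32_t ssid, uint32_t tsid, uint32_t tclass, int allowed)
{
    struct avc_entry e = { ssid, tsid, tclass, allowed, 1 };
    c->slots[c->next++ % AVC_SLOTS] = e;
}

/* Scripted run on a constructed status page with made-up SIDs (no kernel needed);
 * returns 0 when every step behaved as expected, otherwise the failing step. */
int run_scenario(void)
{
    struct selinux_status_page fake = { 0, 2, 1, 1, 0 };   /* enforcing, policy #1 */
    struct avc_cache c; int ok = 0;
    avc_init(&c, &fake); avc_insert(&c, 1001, 2002, 7, 1);
    if (!avc_lookup(&c, &fake, 1001, 2002, 7, &ok) || ok != 1) return 1;   /* hit */
    fake.sequence += 2; fake.policyload = 2;                /* policy reloaded */
    if (avc_lookup(&c, &fake, 1001, 2002, 7, &ok) || c.flushes != 1) return 2;
    avc_insert(&c, 1001, 2002, 7, 1); fake.sequence += 2;   /* unrelated event */
    if (!avc_lookup(&c, &fake, 1001, 2002, 7, &ok) || c.flushes != 1) return 3;
    fake.sequence += 2; fake.enforcing = 0;                 /* setenforce 0 */
    if (avc_lookup(&c, &fake, 1001, 2002, 7, &ok) || c.flushes != 2) return 4;
    return 0;
}
```

`run_scenario()` returns 0 when all four steps behave as expected. A real deployment would pass the pointer from `status_map()` instead of `fake`; the only design choice worth noting is in `avc_check_status()`: a moved `sequence` alone does not flush, since the slide names only policy reloads and mode switches as invalidation events, so unrelated kernel events leave the 99.9% hit rate intact.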
/selinux/status (2/2)

- Current status
  - The feature is now in the linux-next tree
  - It will be available in the 2.6.27 kernel
- Performance measurement
  - 10 million iterations of avc_has_perms()
  - with /selinux/status ... 4.71[s]
  - without /selinux/status ... 65.44[s]