[RHEL-12439] backport "Reduce overhead of LSMs with static calls" from upstream - Red Hat Issue Tracker

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.3.0
Component/s: kernel / Security / SELinux
Labels:

Fixed in Build:
kernel-5.14.0-552.el9
Severity:
None
Epic Link:
SELINUX-3593
sprint_count:
4

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Dev Target Milestone:
17
Internal Target Milestone:
23
Story Points:
5
Status Summary:

Hide

[2025-01-10] Green: MR review acks recieved; waiting for QE pre-verification -> brew build -> QE verification.

Show
[2025-01-10] Green: MR review acks recieved; waiting for QE pre-verification -> brew build -> QE verification.
Target Version:

rhel-9.0.0.z
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 241016 - 241106, SELINUX 241106 - 241127, SELINUX 241127 - 241218, SELINUX 250129: 1

Preliminary Testing:
Pass
Testable Builds:

Hide
The following Merge Request has pipeline job artifacts available:

Title: lsm: Reduce overhead of LSMs with static calls
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5772
MR Pipeline: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/pipelines/1568663505

The Repo URLs are *not* accessible from a web browser! They only function as a dnf or yum baseurl.

Artifacts expire six weeks after creation. If artifacts are needed after that time please rerun the pipeline by visiting the MR's 'Pipelines' tab and clicking the 'Run pipeline' button.

----------------------------------------

Downstream Pipeline Name: RHEL_COMPAT (c9s_rhel9_compat_merge_request)
DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1568663589

5.14.0-536.5772_1568663505.el9.s390x-debug:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_s390x_debug/8516484177/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_s390x_debug/8516484177/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/

5.14.0-536.5772_1568663505.el9.s390x:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_s390x/8516484154/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_s390x/8516484154/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/

5.14.0-536.5772_1568663505.el9.aarch64-debug:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_aarch64_debug/8516484145/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_aarch64_debug/8516484145/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/

5.14.0-536.5772_1568663505.el9.aarch64:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_aarch64/8516484137/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_aarch64/8516484137/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/

5.14.0-536.5772_1568663505.el9.ppc64le-debug:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_ppc64le_debug/8516484125/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_ppc64le_debug/8516484125/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/

5.14.0-536.5772_1568663505.el9.ppc64le:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_ppc64le/8516484113/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_ppc64le/8516484113/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/

5.14.0-536.5772_1568663505.el9.x86_64-debug:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_x86_64_debug/8516484097/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_x86_64_debug/8516484097/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/

5.14.0-536.5772_1568663505.el9.x86_64:
Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_x86_64/8516484081/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/
Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_x86_64/8516484081/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/

----------------------------------------

Downstream Pipeline Name: REALTIME (c9s_rt_merge_request)
DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1568663591

5.14.0-536.5772_1568663505.el9.x86_64-debug:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663591/publish_x86_64_debug/8516484015/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663591/publish_x86_64_debug/8516484015/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/

5.14.0-536.5772_1568663505.el9.x86_64:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663591/publish_x86_64/8516484008/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663591/publish_x86_64/8516484008/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/

----------------------------------------

Downstream Pipeline Name: 64K (c9s_64k_merge_request)
DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1568663619

5.14.0-536.5772_1568663505.el9.aarch64-debug:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663619/publish_aarch64_debug/8516484232/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663619/publish_aarch64_debug/8516484232/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/

5.14.0-536.5772_1568663505.el9.aarch64:
Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663619/publish_aarch64/8516484228/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/
Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663619/publish_aarch64/8516484228/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/

----------------------------------------

Updated 2024-12-03 15:58 UTC by buglinker:
- KWF FAQ: https://red.ht/kernel_workflow_doc
- Slack #team-kernel-workflow: https://redhat-internal.slack.com/archives/C04LRUPMJQ5
- Source: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/buglinker.py
- Documentation: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.buglinker.md
- Report an issue: https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=buglinker%20webhook%20issue

Show
The following Merge Request has pipeline job artifacts available: Title: lsm: Reduce overhead of LSMs with static calls MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/5772 MR Pipeline: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/pipelines/1568663505 The Repo URLs are *not* accessible from a web browser! They only function as a dnf or yum baseurl. Artifacts expire six weeks after creation. If artifacts are needed after that time please rerun the pipeline by visiting the MR's 'Pipelines' tab and clicking the 'Run pipeline' button. ---------------------------------------- Downstream Pipeline Name: RHEL_COMPAT (c9s_rhel9_compat_merge_request) DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1568663589 5.14.0-536.5772_1568663505.el9.s390x-debug: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_s390x_debug/8516484177/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_s390x_debug/8516484177/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/ 5.14.0-536.5772_1568663505.el9.s390x: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_s390x/8516484154/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_s390x/8516484154/artifacts/repo/5.14.0-536.5772_1568663505.el9.s390x/ 5.14.0-536.5772_1568663505.el9.aarch64-debug: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_aarch64_debug/8516484145/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_aarch64_debug/8516484145/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ 5.14.0-536.5772_1568663505.el9.aarch64: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_aarch64/8516484137/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_aarch64/8516484137/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ 5.14.0-536.5772_1568663505.el9.ppc64le-debug: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_ppc64le_debug/8516484125/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_ppc64le_debug/8516484125/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/ 5.14.0-536.5772_1568663505.el9.ppc64le: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_ppc64le/8516484113/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_ppc64le/8516484113/artifacts/repo/5.14.0-536.5772_1568663505.el9.ppc64le/ 5.14.0-536.5772_1568663505.el9.x86_64-debug: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_x86_64_debug/8516484097/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_x86_64_debug/8516484097/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ 5.14.0-536.5772_1568663505.el9.x86_64: Artifacts (RPMs): https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/index.html?prefix=internal-artifacts/1568663589/publish_x86_64/8516484081/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ Repo URL: https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1568663589/publish_x86_64/8516484081/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ ---------------------------------------- Downstream Pipeline Name: REALTIME (c9s_rt_merge_request) DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1568663591 5.14.0-536.5772_1568663505.el9.x86_64-debug: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663591/publish_x86_64_debug/8516484015/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663591/publish_x86_64_debug/8516484015/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ 5.14.0-536.5772_1568663505.el9.x86_64: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663591/publish_x86_64/8516484008/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663591/publish_x86_64/8516484008/artifacts/repo/5.14.0-536.5772_1568663505.el9.x86_64/ ---------------------------------------- Downstream Pipeline Name: 64K (c9s_64k_merge_request) DataWarehouse Checkout: https://datawarehouse.cki-project.org/kcidb/checkouts/redhat:1568663619 5.14.0-536.5772_1568663505.el9.aarch64-debug: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663619/publish_aarch64_debug/8516484232/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663619/publish_aarch64_debug/8516484232/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ 5.14.0-536.5772_1568663505.el9.aarch64: Artifacts (RPMs): https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/index.html?prefix=trusted-artifacts/1568663619/publish_aarch64/8516484228/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ Repo URL: https://s3.amazonaws.com/arr-cki-prod-trusted-artifacts/trusted-artifacts/1568663619/publish_aarch64/8516484228/artifacts/repo/5.14.0-536.5772_1568663505.el9.aarch64/ ---------------------------------------- Updated 2024-12-03 15:58 UTC by buglinker: - KWF FAQ: https://red.ht/kernel_workflow_doc - Slack #team-kernel-workflow: https://redhat-internal.slack.com/archives/C04LRUPMJQ5 - Source: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/buglinker.py - Documentation: https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.buglinker.md - Report an issue: https://gitlab.com/cki-project/kernel-workflow/-/issues/new?issue%5Btitle%5D=buglinker%20webhook%20issue
Errata Link:
https://errata.engineering.redhat.com/advisory/138410
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

This upstream series:

https://lore.kernel.org/linux-security-module/20231006204701.549230-1-kpsingh@kernel.org/T/#t

reduces the LSM hooks overhead in a relevant way, giving measurable performance gain in network-related workload and likely for other subsystem. We want to backport it to rhel.

links to

Merge Request: lsm: Reduce overhead of LSMs with static calls

RHSA-2024:138410 kernel bug fix and enhancement update

TCMS Test Case 338955

Test Requirement (RHSEC-7157)

mentioned in: Page No Confluence page found with the given URL.

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates