"Anil B. Somayaji" wrote:

> Karim Yaghmour <karymat_private> writes:
> > But you'd be interested to know that adding the hooks within
> > the kernel yields at most 1% overhead over very heavy load.
> > With the case of a kernel compile, for example, the overhead
> > is around 0.25%.
> These results are quite good; however, I was wondering - was this for
> micro-benchmarks, or only macro ones? In my own work, I've noticed
> that doubling the time a fork and exec takes only results in a few
> percent slowdown for kernel builds.

Actually, I think 1% overhead at the macro level is very poor. That's the overhead for SubDomain with the security checks running in the worst possible case. If the basic LSM infrastructure costs 1%, then that's way too much.

> But if we are to get anything incorporated into
> the main kernel tree, we have to show that our modifications have
> minimal impact on system call and interrupt latency.

Exactly.

> My hunch is that the LTT represents a rough lower-bound for the
> performance of a flexible security module interface.

I was thinking of LTT as an upper bound :-)

> I hope we can have a general interface (that would be very good for
> me, definitely), but I bring this up because I'm not that optimistic.

Instead of saying "let's do everything", why don't you specify what you need? And while you're at it, try to think about how to achieve what you want with less intrusion into the kernel, and see how many of your requirements can be lifted.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 11:19:51 PDT