> > However, my main concern is to make sure that modules that don't
> > want to mediate read()/write() won't have to pay the cost for
> > those who do. In other words, if your module doesn't care about
> > read()/write(), then I'd like it to be the case that reads and
> > writes execute at full speed, with no noticeable performance impact.
> > Would this do the trick?
>
> yes, we need the hooks, it is up to the module to implement them. i'm
> afraid it won't be zero overhead...but whatever it takes to follow
> function pointer and immediately return success ;-)

Hi,

I am *REALLY* new here, and am reading this group to try and understand how the Kernel works a bit better by seeing how a security system would be implemented.

So, anyway... As an idea for actually reducing "the overhead of following a function pointer and immediately returning success", is it possible to create some sort of lookup table which would determine whether a pointer needs to be followed in the first place??

I was thinking (depending on the amount of hooks) you could create a byte value which would tell you which hooks were actually implemented in the loaded LSM, and after you do a simple bit shift you would know if you have to context switch, or just return the LSM_NO_HOOK_IMPLEMENTED const. It is probably faster than calling a function, and could reduce the overhead to .0001%. (Of course I actually have no idea ;-))

By the way: Are these hooks going to be calling functions in userspace?

Hmmm. I hope I was being clear.

Kurt P. Hundeck - no not THAT Kurt :-)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
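
The lookup-table idea from the message above, as a user-space C sketch added here (it is not code from the post or from the LSM project). The names `lsm_ops`, `lsm_register`, `lsm_call`, the hook indices and the value of `LSM_NO_HOOK_IMPLEMENTED` are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical hook indices; the thread only discusses read()/write(). */
enum lsm_hook { LSM_FILE_READ, LSM_FILE_WRITE, LSM_HOOK_COUNT };

/* Name taken from the post; the value (0 = allow) is an assumption. */
#define LSM_NO_HOOK_IMPLEMENTED 0

typedef int (*lsm_hook_fn)(const void *obj);

struct lsm_ops {
    uint32_t    implemented;            /* bit n set => hooks[n] is callable */
    lsm_hook_fn hooks[LSM_HOOK_COUNT];
};

static struct lsm_ops active_ops;
static unsigned indirect_calls;         /* instrumentation for the demo only */

/* Derive the mask from the table at registration time, so a clear bit can
 * never hide a hook the module did supply (that would fail open). */
void lsm_register(const lsm_hook_fn *hooks)
{
    active_ops.implemented = 0;
    for (int i = 0; i < LSM_HOOK_COUNT; i++) {
        active_ops.hooks[i] = hooks[i];
        if (hooks[i])
            active_ops.implemented |= UINT32_C(1) << i;
    }
}

/* One shift and one AND decide whether the pointer is followed at all. */
int lsm_call(enum lsm_hook h, const void *obj)
{
    if ((unsigned)h >= LSM_HOOK_COUNT)
        return -EINVAL;
    if (!(active_ops.implemented & (UINT32_C(1) << h)))
        return LSM_NO_HOOK_IMPLEMENTED;
    indirect_calls++;
    return active_ops.hooks[h](obj);
}

/* Constructed sample module: mediates write() only and denies it. */
static int deny_write(const void *obj) { (void)obj; return -EACCES; }

int demo(void)
{
    lsm_hook_fn hooks[LSM_HOOK_COUNT] = { [LSM_FILE_WRITE] = deny_write };
    lsm_register(hooks);
    indirect_calls = 0;
    int r = lsm_call(LSM_FILE_READ, NULL);   /* bit clear: no indirect call */
    int w = lsm_call(LSM_FILE_WRITE, NULL);  /* bit set: hook is invoked */
    return r == LSM_NO_HOOK_IMPLEMENTED && w == -EACCES && indirect_calls == 1;
}

int main(void) { return demo() ? 0 : 1; }
```

Because an unset bit means "allow", the mask is the security-relevant state here: it has to be written only by the registration path and rebuilt whenever the hook table changes.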
This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 15:01:53 PDT