"Kurt P. Hundeck" wrote:

> As an idea for actually reducing "the overhead of following a function
> pointer and immediately returning success", is it possible to create some
> sort of lookup table which would determine whether a pointer needs to be
> followed in the first place??
>
> I was thinking (depending on the amount of hooks) you could create a byte
> value which would tell you which hooks were actually implemented in the
> loaded LSM, and after you do a simple bit shift you would know if you have
> to context switch, or just return the LSM_NO_HOOK_IMPLEMENTED const. It
> is probably faster than calling a function, and could reduce the overhead
> to .0001%. (Of course I actually have no idea ;-))

No. Surprisingly, that approach actually makes performance worse on modern
processors. This is because heavily pipelined processors pay a larger penalty
for a mis-predicted branch (which is what happens when you go check a byte
code and then branch) than they do for a function call/return.
Counter-intuitive but true; Crispie's Believe it or Not! :-)

> By the way: Are these hooks going to be calling functions in userspace?

Not if we can help it. Up-calls to user-space are very tricky, and I see no
need to introduce something that violent to support security modules.

Thanks,
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
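The two dispatch designs compared in the exchange above, as an added C example that is not part of the original message or of the LSM code. Every name here is hypothetical, and the value given to LSM_NO_HOOK_IMPLEMENTED is an assumption; the sketch shows that both designs return the same decision and differ only in the conditional branch placed before the indirect call.

```c
#include <stdint.h>
#include <stdio.h>

/* All names are hypothetical; this is not the LSM interface. */
#define LSM_NO_HOOK_IMPLEMENTED 0   /* name from the quoted mail; value assumed */
enum hook_id { HOOK_FILE_OPEN, HOOK_TASK_KILL, HOOK_COUNT };
typedef int (*hook_fn)(int arg);

struct sec_module {
    uint8_t implemented;        /* proposal: bit i set => hook i is real */
    hook_fn hooks[HOOK_COUNT];  /* never NULL: unused slots hold stub_hook */
};

static int stub_hook(int arg) { (void)arg; return LSM_NO_HOOK_IMPLEMENTED; }
static int deny_negative(int arg) { return arg < 0 ? -1 : 0; } /* sample policy */

void module_init(struct sec_module *m) {
    m->implemented = 0;
    for (int i = 0; i < HOOK_COUNT; i++) m->hooks[i] = stub_hook;
}

void module_register(struct sec_module *m, enum hook_id id, hook_fn fn) {
    m->hooks[id] = fn;
    m->implemented |= (uint8_t)(1u << id);
}

/* Design from the reply: always follow the pointer; a stub returns at once. */
int call_direct(const struct sec_module *m, enum hook_id id, int arg) {
    return m->hooks[id](arg);
}

/* Design from the quoted proposal: test a bit, branch, then maybe call. */
int call_bitmap(const struct sec_module *m, enum hook_id id, int arg) {
    if (!((m->implemented >> id) & 1u)) return LSM_NO_HOOK_IMPLEMENTED;
    return m->hooks[id](arg);
}

/* Returns 1 when both designs give the same answer for every hook and input. */
int designs_agree(void) {
    struct sec_module m;
    module_init(&m);
    module_register(&m, HOOK_FILE_OPEN, deny_negative);
    for (int id = 0; id < HOOK_COUNT; id++)
        for (int arg = -2; arg <= 2; arg++)
            if (call_direct(&m, (enum hook_id)id, arg) != call_bitmap(&m, (enum hook_id)id, arg))
                return 0;
    return 1;
}

int main(void) { printf("designs agree: %d\n", designs_agree()); return 0; }
```

Comparing the cost of the two paths needs a benchmark on the target CPU; the code only shows where the extra branch sits.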
This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 17:19:32 PDT