Crispin Cowan wrote:
>
> Acutally, I think 1% overhead at the macro level is very poor. That's
> the overhead for SubDomain with the security checks running in the worst
> possible case. If the basic LSM infrastructure costs 1%, then that's way
> too much.
That was actually what I was saying, 1% is the worts possible case.
(see my previous posting to see what impact is found for "most" cases").
>
> > My hunch is that the LTT represents a rough lower-bound for the
> > performance of a flexible security module interface.
>
> I was thinking of LTT as an upper bound :-)
I beg to differ and would even go as far as to challenge you to do
better (something I rarely do, by the way). I don't think you can
get any lower of impact with the broad coverage of events provided
by LTT. Remember what this maximum 1% is. It is the cost of inserting
the hooks in the kernel, nothing else. There's no inclusion of any
tracing code in this. The 1% represents an upper bound of how much
it costs to call the trace_event() function at key places in the
kernel. I have a hard time seing how you could reduce this cost
to anything less. Especially since what is being measured is the
time taken to call a single function, that only does a "return",
at key places in the kernel.
Keep in mind that, in most cases, the impact is lower than 0.25%.
Cheers,
Karim
===================================================
Karim Yaghmour
karymat_private
Embedded and Real-Time Linux Expert
===================================================
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 18:51:56 PDT