richard offer wrote:
>Take for example the case where a MAC check would deny access, and that the
>time to perform DAC checks is long.

It is rather difficult for me to imagine a reason why we should worry about optimizing for syscalls that are disallowed by policy, and that's putting it mildly. (Some have even suggested the exact opposite: namely, that, when you deny a request, you should delay for some extra-long period, to deter attacks.)

Do you have any evidence that this affects the end-to-end performance of real, legitimate applications? I'm skeptical.

Maybe it's just me, but I'd want to hear a technical justification for optimizing illegal syscalls before using this as a justification to change the architecture of LSM. I've complained about this on-list before (and I'm not the only one), and I haven't heard such a justification so far.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 11:47:17 PDT