Antony Edwards wrote:

>> I agree with that, but now that you've done the implementation, I'm
>> eager to see the evidence either way.
>>
> I ran LMBench and the traditional kernel compile. Obviously the performance
> depends completely on which policy module you have loaded so simple %
> performance reduction is meaningless. Therefore I measured the cost of the
> basic "lookup function pointer, jump, return, if error", and counted the
> number of file_ops->permission validations.
>
> The first run was on vanilla 2.5.2-lsm, the second run added a hook at the
> top of handle_pte_fault.
>
> LMBench - 0.6% slowdown due to call - went from 5237 calls-per-second to
> permission to 7334 (40% increase).
>

I'd like to understand this a bit better, and I'm kinda confused. Could you
post the full raw data that LMBench spit out?

> Kernel-build - 0.1% slowdown due to call -- went from 307 calls-per-second
> to permission to 2473 (706% increase).
>

That metric of "permission() calls per second" is interesting. An overall
slowdown of 0.1% is small enough to be in the noise. Some kernel-build
benchmarks that Greg KH did recently on LSM 2.5.2 actually showed a speedup
in the LSM case, which we definitely think is experimental noise :-)

> (I meant to run over the dte module to get some example numbers -- but it
> kernel panicked on me when it didn't find dte.conf -- waiting for fschk).
>

I'm not at all concerned about the cost of this hook for modules that choose
to use it. The critical issue is that the hook should be nearly free, so that
the whole world doesn't pay for it.

>> * Some parts of my process get access to stuff, while other parts do
>>   not.
>>
> Protection domains within processes? Ouch! (though reading the paper the
> basic idea seems pretty simple and effective).
>

We think so. Permission barriers in general within processes is very hard;
we just wanted an effective way to confine mod_perl and mod_php scripts,
which run inside the Apache process.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
            The Olympic Games: A Century of Corruption and Graft
            The FIS: Crushing the soul of snowboarding

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
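The hook pattern the thread is measuring ("lookup function pointer, jump, return, if error") modelled in user-space C, as an added example that is not code from the LSM patch, the dte module or this thread. The struct and function names (security_ops, register_security, security_inode_permission) echo LSM naming but are stand-ins written for this example; the "deny_write" policy is hypothetical, not DTE; the two inodes are constructed sample inputs. The point it shows is the one Crispin raises: with the default module loaded the only cost the whole world pays is one counter increment and one indirect call that returns 0, and a restrictive module's verdict is propagated by the caller exactly as a permission() error would be.

```c
#define _POSIX_C_SOURCE 199309L
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

#define MAY_WRITE 0x2
#define MAY_READ  0x4

/* Stand-in for a kernel inode with only the fields this example consults. */
struct inode {
    unsigned int mode;
    unsigned int uid;
};

/* One function pointer per hook; a single hook is enough to show the dispatch cost.
 * Assumed layout for this example, not the kernel's struct. */
struct security_ops {
    const char *name;
    int (*inode_permission)(struct inode *inode, int mask);
};

/* Counter behind the "permission() calls per second" metric from the mail. */
static unsigned long permission_calls;

/* Default policy: always allow. This is the path everyone pays for when no
 * module is loaded, so it must do nothing beyond the indirect call. */
static int default_inode_permission(struct inode *inode, int mask)
{
    (void)inode; (void)mask;
    return 0;
}

/* Hypothetical restrictive policy: forbid writes to files not owned by root. */
static int deny_write_inode_permission(struct inode *inode, int mask)
{
    if ((mask & MAY_WRITE) && inode->uid != 0)
        return -EACCES;
    return 0;
}

static struct security_ops default_ops = { "default", default_inode_permission };
struct security_ops deny_write_ops = { "deny_write", deny_write_inode_permission };

/* The currently loaded policy module; starts as the permissive default. */
static struct security_ops *security_ops = &default_ops;

int register_security(struct security_ops *ops)
{
    if (ops == NULL || ops->inode_permission == NULL)
        return -EINVAL;
    security_ops = ops;
    return 0;
}

void unregister_security(void)
{
    security_ops = &default_ops;
}

/* The hook itself: look up the pointer, jump, return the module's verdict. */
static inline int security_inode_permission(struct inode *inode, int mask)
{
    permission_calls++;
    return security_ops->inode_permission(inode, mask);
}

/* Caller side, like the VFS permission path: "if error", bail out before the
 * operation proceeds; on success the caller continues as if no hook existed. */
int vfs_permission_like(struct inode *inode, int mask)
{
    int err = security_inode_permission(inode, mask);
    if (err)
        return err;
    return 0;
}

unsigned long get_permission_calls(void) { return permission_calls; }
void reset_permission_calls(void) { permission_calls = 0; }

/* Nanoseconds per hook invocation over `iters` calls with whatever module is
 * loaded; with the default module this is the cost of the bare indirection. */
double bench_hook_ns(unsigned long iters)
{
    struct inode f = { 0644, 1000 };
    struct timespec t0, t1;
    volatile int sink = 0;   /* keeps the optimizer from deleting the loop */

    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (unsigned long i = 0; i < iters; i++)
        sink += vfs_permission_like(&f, MAY_READ);
    clock_gettime(CLOCK_MONOTONIC, &t1);

    double ns = (t1.tv_sec - t0.tv_sec) * 1e9 + (t1.tv_nsec - t0.tv_nsec);
    return iters ? ns / (double)iters : 0.0;
}

/* Constructed sample inodes: a user-owned file and a root-owned file. */
struct inode user_file = { 0644, 1000 };
struct inode root_file = { 0644, 0 };

int main(void)
{
    printf("default module:    %.2f ns/call\n", bench_hook_ns(1000000));
    register_security(&deny_write_ops);
    printf("deny_write module: %.2f ns/call, write to user file -> %d\n",
           bench_hook_ns(1000000), vfs_permission_like(&user_file, MAY_WRITE));
    unregister_security();
    return 0;
}
```

Running it twice, once per module, is the user-space analogue of the two measurements in the thread: the difference between the two ns/call figures is the policy's cost, which only modules that choose it pay, while the default figure is the cost of the hook itself, which everyone pays.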
This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 14:46:25 PST