Re: [PATCH] remove sys_security

From: Greg KH (gregat_private)
Date: Thu Oct 17 2002 - 13:58:31 PDT


    On Thu, Oct 17, 2002 at 01:38:16PM -0700, David S. Miller wrote:
    >    
    > How am I supposed to know what the things are being passed in
    > via these opaque "unsigned long" parameters?
    > 
    > Could they be pointers?  If so, game over already, and this needs
    > to be fixed NOW.
    
    Agreed, I'll let a user of this function speak up on how they intend to
    address the problem.  I'm through arguing for this hook.
    
    >    And (ignoring the network hooks) there is not a measurable overhead for
    >    these hooks.  We have documented this many times (OLS paper, USENIX
    >    paper, etc.)  With the patch I'm about to submit, disabling the option
    >    makes them go away entirely.
    >    
    > Look at the code that gets output, look at the 32K of kernel image
    > I get even though I have no intention of _ever_ loading a security
    > module.
    > 
    > So if distribution makers enable CONFIG_SECURITY, EVERY USER eats
    > this 32K.  That _SUCKS_.
    
    Note for the readers, this is 32K on Sparc, on i386 it's much smaller as
    documented yesterday.
    
    > And I severely contest your overhead argument, look at the assembler
    > code being output, the kernel parts where the hooks are placed are
    > different.  Lots of places that used to be leaf functions are no
    > longer leaf functions due to the security_ops invocation being there
    > now.  Register allocation is also going to be quite different.
    
    I've run the numbers myself on OSDL machines, and seen that there is no
    measurable overhead for these functions.  Sure, there is an extra
    function call, and different assembler, I'll never contest that.  It's
    just that I could not measure it.
    
    > In short, it's bloat, and if you refuse to realize that perhaps kernel
    > development is not your true calling in life :-)
    
    It is adding stuff to the kernel.  Now if you want to call it bloat,
    fine.  I like calling the USB stack bloat too, and it is bloat for
    people who don't use it.  And now you can disable the option, so it will
    not be bloat for you too, if you don't want it.  Argue with your
    favorite distro, if they enable the option, that they shouldn't do that;
    if they do, don't try to convince me.
    
    And I know what my true calling in life is, but unfortunately there isn't
    much calling for a professional pan flute player :)
    
    thanks,
    
    greg k-h
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
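The point David Miller raises above, that a module receiving opaque `unsigned long` arguments cannot tell from the type whether a value is a number, a user pointer or a kernel pointer, is worth seeing concretely. The following is an added example, not code from this thread or from the 2002 LSM patches: a userspace simulation of a `sys_security(id, arg0, arg1)`-style dispatcher with two hypothetical modules behind it. The fake user/kernel address split, the module names and the `access_ok` / `copy_from_user` stand-ins are all assumptions made for illustration. One module dereferences `arg0` directly and hands kernel memory to the caller; the other treats it as a `__user` pointer and goes through a range-checked copy, so the same call fails with `-EFAULT`.

```c
/*
 * Added example (not from the thread or the LSM patches): why opaque
 * "unsigned long" syscall arguments are dangerous if a module may treat
 * one as a pointer.  Everything below is a userspace simulation; the
 * address ranges, names and the secret byte are assumptions.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define USER_BASE  0x10000UL   /* fake user address range (assumed) */
#define USER_SIZE  0x1000UL
#define KERN_BASE  0x80000UL   /* fake kernel address range (assumed) */
#define KERN_SIZE  0x1000UL

static unsigned char user_mem[USER_SIZE];
static unsigned char kern_mem[KERN_SIZE];

/* Map a fake address range to its backing storage, or NULL if unmapped. */
static unsigned char *phys(unsigned long addr, size_t len)
{
    if (addr >= USER_BASE && len <= USER_SIZE && addr - USER_BASE <= USER_SIZE - len)
        return user_mem + (addr - USER_BASE);
    if (addr >= KERN_BASE && len <= KERN_SIZE && addr - KERN_BASE <= KERN_SIZE - len)
        return kern_mem + (addr - KERN_BASE);
    return NULL;
}

/* Stand-in for access_ok(): a caller may only name the user range. */
static int access_ok_sim(unsigned long addr, size_t len)
{
    return addr >= USER_BASE && len <= USER_SIZE && addr - USER_BASE <= USER_SIZE - len;
}

/* Stand-in for copy_from_user(): refuses anything outside the user range. */
static int copy_from_user_sim(void *dst, unsigned long src, size_t len)
{
    if (!access_ok_sim(src, len))
        return -EFAULT;
    memcpy(dst, phys(src, len), len);
    return 0;
}

/* The hook shape under discussion: an id plus opaque integer arguments. */
typedef int (*opaque_hook)(unsigned int id, unsigned long arg0, unsigned long arg1);

/* Hypothetical module A: treats arg0/arg1 as pointers, no validation at all. */
static int module_deref_blindly(unsigned int id, unsigned long src, unsigned long dst)
{
    unsigned char *s = phys(src, 1), *d = phys(dst, 1);
    (void)id;
    if (!s || !d)
        return -EINVAL;
    *d = *s;              /* whatever src names, kernel memory included, flows out */
    return 0;
}

/* Hypothetical module B: treats both as __user pointers and checks them. */
static int module_copy_from_user(unsigned int id, unsigned long src, unsigned long dst)
{
    unsigned char byte;
    int err;
    (void)id;
    err = copy_from_user_sim(&byte, src, 1);
    if (err)
        return err;
    if (!access_ok_sim(dst, 1))
        return -EFAULT;
    *phys(dst, 1) = byte;
    return 0;
}

/* Simulated sys_security: the kernel just forwards to whichever module is loaded. */
static int sys_security_sim(opaque_hook hook, unsigned int id, unsigned long a0, unsigned long a1)
{
    return hook(id, a0, a1);
}

/* Attack scenario: a secret byte (constructed) sits at KERN_BASE and an
 * unprivileged caller asks the hook to copy "from" that address into its
 * own buffer at USER_BASE.  Returns the syscall result. */
static int try_leak(opaque_hook hook)
{
    memset(user_mem, 0, sizeof user_mem);
    memset(kern_mem, 0, sizeof kern_mem);
    kern_mem[0] = 0x42;
    return sys_security_sim(hook, 1, KERN_BASE, USER_BASE);
}

/* Did the secret reach user-visible memory after try_leak()? */
static int leaked_to_user(void)
{
    return user_mem[0] == 0x42;
}

/* Benign use: copy one byte from user memory to user memory. Returns 1 on success. */
static int try_legit(opaque_hook hook)
{
    memset(user_mem, 0, sizeof user_mem);
    user_mem[8] = 0x07;
    return sys_security_sim(hook, 1, USER_BASE + 8, USER_BASE) == 0 && user_mem[0] == 0x07;
}
```

Both modules serve the legitimate user-to-user copy, so nothing in normal use distinguishes them; only the hostile argument does. That is the practical content of "if they could be pointers, game over": the kernel side of such an interface cannot validate what it forwards, so every module must be trusted to apply `access_ok`/`copy_from_user` itself, and the `unsigned long` type gives the compiler, sparse or a reviewer nothing to catch the one that forgets.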
    