Hi,

Attached is a new implementation of the lsm stacking through chaining. This one is a little more intricate than the last, in that it is enabled when the stacker module is compiled in, but can otherwise be compiled out. The attached lmbench numbers show that the fedora setup of selinux + capabilities compiled in (and no stacker module) does not slow down at least this benchmark. Using the same modules but through stacker fares a bit worse.

Attached are the following files:

  lsm-chain.patch: implements the CONFIG-dependent use of hlist_heads for kernel object security structs.
  selinux-stack.patch: patches selinux to make use of the new infrastructure.
  seclvl-stack.patch: patches seclvl to make use of the new infrastructure.
  nostack: lmbench output for an unpatched 2.6.10-rc1-bk12 kernel with selinux and capabilities compiled in.
  newchain-nostack: lmbench output for a patched 2.6.10-rc1-bk20 kernel with selinux and capabilities compiled in, and CONFIG_SECURITY_STACKER=n
  newchain-stacked: lmbench output for a patched 2.6.10-rc1-bk20 kernel with selinux and capabilities compiled in, and CONFIG_SECURITY_STACKER=y
  newchain-multstack: lmbench output for a patched 2.6.10-rc1-bk20 kernel with selinux and capabilities compiled in, seclvl and bsdjail loaded (bsdjail patch is not appended) and the lmbench process jailed.

Note that the kernel versions are slightly different between patched and unpatched. If this is worrisome, I can try to get a new set of numbers.

-serge
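The mail describes the idea of lsm-chain.patch only in one sentence: a kernel object's security field becomes an hlist_head on which each stacked module hangs its own security struct, and the stacker consults every module's struct on an access check. The following is an added userspace illustration of that design, written for this archive page and not code from Serge's patches or from the kernel: the hlist primitives are a constructed stand-in for <linux/list.h>, the two modules ("hi" and "wr"), their hooks and the integer "level" data are hypothetical, and the single-pointer module registry is a simplification of how the stacker module chains hooks. The security-relevant point it makes concrete is that the stacked decision is restrictive: every module that attached a blob is asked, and the first denial wins, so a module that forgot to attach a blob simply has no say rather than silently opening access.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's hlist primitives (not <linux/list.h>). */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
	n->next = h->first;
	if (h->first)
		h->first->pprev = &n->next;
	h->first = n;
	n->pprev = &h->first;
}

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* One stacked module's per-object security state, chained on the object. */
struct sec_blob {
	struct hlist_node node;
	const char *owner;	/* name of the module that owns this blob */
	int level;		/* hypothetical module-private data */
};

/* Stand-in for a kernel object (inode, task): ->security is a list head
 * instead of a single void pointer, so several modules can attach a blob. */
struct kobj {
	struct hlist_head security;
};

/* A registered module: its name and one hook returning 0 (allow) or -EACCES. */
struct lsm_mod {
	const char *name;
	int (*hook)(const struct sec_blob *blob, int want);
	struct lsm_mod *next;
};

static struct lsm_mod *lsm_chain;	/* registered modules, most recent first */

static void lsm_register(struct lsm_mod *m)
{
	m->next = lsm_chain;
	lsm_chain = m;
}

/* Allocate a module's blob and chain it on the object's security list. */
static struct sec_blob *attach_blob(struct kobj *obj, const char *owner, int level)
{
	struct sec_blob *b = calloc(1, sizeof(*b));
	if (!b)
		return NULL;
	b->owner = owner;
	b->level = level;
	hlist_add_head(&b->node, &obj->security);
	return b;
}

/* Walk the chain and free every blob (what the object's free hook would do). */
static void free_blobs(struct kobj *obj)
{
	struct hlist_node *n = obj->security.first;
	while (n) {
		struct hlist_node *next = n->next;
		free(container_of(n, struct sec_blob, node));
		n = next;
	}
	obj->security.first = NULL;
}

/* Find the blob belonging to a given module, or NULL if it attached none. */
static struct sec_blob *find_blob(struct kobj *obj, const char *owner)
{
	struct hlist_node *n;
	for (n = obj->security.first; n; n = n->next) {
		struct sec_blob *b = container_of(n, struct sec_blob, node);
		if (strcmp(b->owner, owner) == 0)
			return b;
	}
	return NULL;
}

/* The stacker's hook: ask each module about its own blob; first denial wins. */
static int stacked_permission(struct kobj *obj, int want)
{
	const struct lsm_mod *m;
	for (m = lsm_chain; m; m = m->next) {
		const struct sec_blob *b = find_blob(obj, m->name);
		int rc = b ? m->hook(b, want) : 0;	/* no blob: no opinion */
		if (rc)
			return rc;
	}
	return 0;
}

/* Two hypothetical modules: "hi" allows requests up to its level,
 * "wr" refuses any request of level 2 or more unless its own level is set. */
static int hi_hook(const struct sec_blob *b, int want) { return want <= b->level ? 0 : -EACCES; }
static int wr_hook(const struct sec_blob *b, int want) { return (want >= 2 && b->level == 0) ? -EACCES : 0; }

static struct lsm_mod mod_hi = { "hi", hi_hook, NULL };
static struct lsm_mod mod_wr = { "wr", wr_hook, NULL };

/* Build one object with both blobs attached and return the stacked decision. */
int demo_decision(int want)
{
	static int registered;
	struct kobj obj = { { NULL } };
	int rc;
	if (!registered) {
		lsm_register(&mod_hi);
		lsm_register(&mod_wr);
		registered = 1;
	}
	attach_blob(&obj, "hi", 2);	/* hi permits levels 0..2 */
	attach_blob(&obj, "wr", 0);	/* wr refuses level >= 2 */
	rc = stacked_permission(&obj, want);
	free_blobs(&obj);
	return rc;
}

int main(void)
{
	int want;
	for (want = 0; want <= 3; want++)
		printf("request level %d -> %s\n", want, demo_decision(want) ? "denied" : "allowed");
	return 0;
}
```

Requests at level 0 and 1 pass both modules; level 2 is allowed by "hi" but refused by "wr", and level 3 is refused by "hi" before "wr" is even consulted. The cost the lmbench numbers above are measuring is exactly the extra work in stacked_permission: a list walk plus one indirect call per registered module on every hook, instead of one direct call.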
This archive was generated by hypermail 2.1.3 : Thu Nov 11 2004 - 23:42:56 PST