[RFC] [PATCH] [0/6] LSM Stacking

From: Serge Hallyn
Date: Thu Nov 04 2004 - 16:59:58 EST

Next message: Patrick McHardy: "Re: [BK PATCH] Fix ip_conntrack_amanda data corruption bug that breaksamanda dumps"
Previous message: Paul Mackerras: "[PATCH] PPC64 iommu fixes, round 3"
Next in thread: Serge Hallyn: "Re: [RFC] [PATCH] [1/6] LSM Stacking: Replace LSM void* with arrays"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The following set of patches add support required to stack most
LSMs. The most important patch is the first, which provides a
method for more than one LSM to annotate information to kernel
objects. LSM's known to use the LSM fields include selinux, bsdjail,
seclvl, and digsig. Without this patch (or something like it),
none of these modules can be used together.

The rest of the patches add stacking support to the existing LSMs.
Another set of three patches will be sent containing a stackable
version of bsdjail.

I have run some performance tests on a Fedora Core Devel system
under three configurations:

1. A 2.6.10-rc1-bk10 system with capabilities and SELinux compiled
into the kernel as it was in the default Fedora kernel.

2. A 2.6.10-rc1-bk10 system with the stacking patches, and capabilities
and SELinux compiled into the kernel under the stacker LSM. Other
than stacker being compiled in and the size of the LSM void* array
being set to 4, the exact same .config was used.

3. The same kernel as in (2), but with bsdjail and seclvl also stacked.

On each of these configurations, I ran unixbench twice, and compiled
a kernel twice (with the same .config, and all files in the cached
each time).

The kernel compilation results are as follows:

No stacking (1) Stacking (2) More Stacking (3)
Run 1 real 9m51.647s real 9m48.045s real 9m53.292s
user 8m28.637s user 8m29.108s user 8m33.319s
sys 1m13.900s sys 1m14.993s sys 1m15.377s

Run 2 real 9m48.154s real 9m53.369s real 9m53.292s
user 8m28.983s user 8m29.101s user 8m34.407s
sys 1m13.981s sys 1m15.307s sys 1m15.611s

Run 3 real 9m51.105s real 9m51.840s real 9m58.840s
user 8m28.894s user 8m29.192s user 8m33.538s
sys 1m14.183s sys 1m15.345s sys 1m16.146s

Unixbench summaries are as follows. (I can send the full output if
anyone asks)

No stacking (1) Stacking (2) More Stacking (3)
Run 1 651.5 647.1 634.3
Run 2 648.2 642.8 632.7

-serge

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Patrick McHardy: "Re: [BK PATCH] Fix ip_conntrack_amanda data corruption bug that breaksamanda dumps"
Previous message: Paul Mackerras: "[PATCH] PPC64 iommu fixes, round 3"
Next in thread: Serge Hallyn: "Re: [RFC] [PATCH] [1/6] LSM Stacking: Replace LSM void* with arrays"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]