Re: [RFC] [PATCH] [0/6] LSM Stacking

[Serge E. Hallyn]

Hi,

Quoting Chris Wright (chrisw@xxxxxxxx):
...
> I think, all in all, this needs more work and more justification (esp.
> w.r.t. overhead and impact on the current common use of a single
> module).

Would it help to make CONFIG_NUM_LSMS a boot time option, and default
to 1?

As for justification, the fact that many LSMS currently cannot be
used simultaneously seemed the most prominent.  It certainly seems viable
to use SELinux to protect audit logs and shadow files, use bsdjail to
offer certain services, and use securelevel for some generic hardening,
for instance.

> > 2. A 2.6.10-rc1-bk10 system with the stacking patches, and capabilities
> > and SELinux compiled into the kernel under the stacker LSM.  Other
> > than stacker being compiled in and the size of the LSM void* array
> > being set to 4, the exact same .config was used.
> 
> How many CPU's?

This was one cpu.  (All I have available at the moment)

> How did lmbench numbers look?  And other workloads, like network?

I will run lmbench tomorrow, and look for some network benchmark.

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/