XFS and SE Linux

XFS and SE Linux

[Russell Coker]

XFS defaults to an Inode size of 256 bytes and a block size of 4K on i386.

The "security.selinux" xattr name and the data stored in it can apparently be 
counted on to not fit into the <50 bytes left in a 256 byte Inode after all 
the other meta-data is stored.  This will mean that a new block is used for 
the XATTR (which in 99.99% of all cases will be the only XATTR on the file).

Using an extra 4K block per file is a significant waste of disk space, XFS 
apparently does not support block sharing so you have 4K of disk space for 50 
bytes of data.

If at mkfs time you make the Inode 512 bytes in size you will have enough 
space for the SE Linux xattr.  This will save huge amounts of space on a SE 
Linux system as there will effectively be 256 bytes of overhead per file 
instead of 4096.

Currently in SE Linux the contexts for files are of the form 
"system_u:object_r:file_t", why not express them on disk as 
"system_u:file_t"?  Saving 9 bytes in this manner could make some of them fit 
into a 256 byte Inode in XFS which would be a significant advantage.  Also 
for Ext2/Ext3 it will save some space as well.

I wonder what Hans Reiser will make of this, I wouldn't be surprised if he 
comes up with some stem compression scheme for XATTR's that makes all the SE 
Linux xattr's take up significantly less than half the space they do on 
Ext2/3 and packs them in with tails.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XFS and SE Linux

[Stephen Smalley]

On Tue, 2004-03-09 at 08:14, Russell Coker wrote:
> Currently in SE Linux the contexts for files are of the form 
> "system_u:object_r:file_t", why not express them on disk as 
> "system_u:file_t"?  Saving 9 bytes in this manner could make some of them fit 
> into a 256 byte Inode in XFS which would be a significant advantage.  Also 
> for Ext2/Ext3 it will save some space as well.

Why not just fix XFS to handle xattrs sanely?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XFS and SE Linux

[Russell Coker]

On Wed, 10 Mar 2004 01:00, Stephen Smalley <sds@epoch.ncsc.mil> wrote:
> On Tue, 2004-03-09 at 08:14, Russell Coker wrote:
> > Currently in SE Linux the contexts for files are of the form
> > "system_u:object_r:file_t", why not express them on disk as
> > "system_u:file_t"?  Saving 9 bytes in this manner could make some of them
> > fit into a 256 byte Inode in XFS which would be a significant advantage. 
> > Also for Ext2/Ext3 it will save some space as well.
>
> Why not just fix XFS to handle xattrs sanely?

I have sent an email to some SGI people with some ideas that I think would be 
beneficial.  However doing such changes would take some time.  They need to 
have some sort of compatibility flag in the on-disk structure, some new data 
structures on disk, and a new fsck that understands both old and new formats.  
This isn't going to happen overnight.  While a change to the way 
security.selinux is used by the kernel can be implemented much more easily.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: XFS and SE Linux

[Nathan Scott]

Hi Russell,

Thanks for sending this out.  Couple of additions...

On Wed, Mar 10, 2004 at 12:14:03AM +1100, Russell Coker wrote:
> XFS defaults to an Inode size of 256 bytes and a block size of 4K on i386.

These default values are platform independent.

> The "security.selinux" xattr name and the data stored in it can apparently be 
> counted on to not fit into the <50 bytes left in a 256 byte Inode after all 
> the other meta-data is stored.  This will mean that a new block is used for 
> the XATTR (which in 99.99% of all cases will be the only XATTR on the file).
> 
> Using an extra 4K block per file is a significant waste of disk space, XFS 
> apparently does not support block sharing so you have 4K of disk space for 50 
> bytes of data.

It also amounts to a fairly significant performance hit, since
there is additional I/O involved once the attributes are no longer
inline.  When we tweaked the ACL code to be more conscious of this
issue, speedups were of the order 10x-12x IIRC.

Heavy users of extended attributes should always use larger inode
sizes with XFS.

> If at mkfs time you make the Inode 512 bytes in size you will have enough 
> space for the SE Linux xattr.  This will save huge amounts of space on a SE 
> Linux system as there will effectively be 256 bytes of overhead per file 
> instead of 4096.

That extra inline space is also available for use by inline
directory entries (and of course other extended attributes),
so its not useless overhead either.

cheers.

-- 
Nathan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.