From: Russell Coker <russell@coker.com.au>
To: "Frank Mayer" <mayerf@tresys.com>
Cc: "'Chad Hanson'" <chanson@TrustedCS.com>,
"'Luke Kenneth Casson Leighton'" <lkcl@lkcl.net>,
"'SE-Linux'" <selinux@tycho.nsa.gov>
Subject: Re: dynamic context transitions - a seteuid parallel
Date: Wed, 3 Nov 2004 13:59:43 +1100
Message-ID: <200411031359.43346.russell@coker.com.au>
In-Reply-To: <00aa01c4c0da$5acdd960$1e0c010a@columbia.tresys.com>

On Tue, 2 Nov 2004 23:49, "Frank Mayer" <mayerf@tresys.com> wrote:
> So if we were honest, the real reason we want to change security content is
> for performance reasons, not security assurance reason.

Which probably made a lot of sense for Xenix, an 80286 was not a particularly
fast CPU.

I've just done a quick test of exec time. For a process to exec itself it
takes an average of .9ms per exec on a P3-650. In the past we have discussed
at length issues related to modifying Samba for best operation under SE
Linux. It seems to me that any disk sub-system you might find attached to a
P3-650 class CPU is unlikely to support 1000 operations of the form of file
create/open/unlink per second. So therefore if we were to have a Samba
server process fork off a child for each file open we still probably wouldn't
have the exec be the bottleneck for Samba performance.

Now we have to keep in mind that doing a fork/exec for every file open isn't
the best way of doing such things. If we create a helper process when the
SMB authentication is performed and pass requests to it via a Unix domain
socket then performance should be better.

What is the trend in new CPUs? Are they getting worse or better for exec
performance? The only machine better than a P3-800 that I have for testing
is a pitiful P-M.

What programs have the greatest performance requirements in terms of launching
processes under a different context? I suspect that a Samba server with the
design changes we discussed could be near the top of the list, with the main
competitor being a busy web server that's launching cgi-bin scripts.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
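
The per-exec cost discussed in the message above can be measured with a small benchmark. This is an added example, not code from the original message: it times a full fork + exec + wait cycle rather than a process exec'ing itself, and the exec target (`true` found on PATH) and the function names are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* clock_gettime, CLOCK_MONOTONIC */
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Assumption: a "true" binary on PATH stands in for the per-request helper. */
static const char *const TARGET = "true";

/* Run `iterations` fork/exec/wait cycles and return the mean cost in
 * microseconds per cycle, or -1.0 if any fork, exec or wait fails. */
double mean_spawn_us(int iterations)
{
    struct timespec start, end;
    if (iterations <= 0) return -1.0;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (int i = 0; i < iterations; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1.0;
        if (pid == 0) {
            execlp(TARGET, TARGET, (char *)NULL);
            _exit(127);               /* only reached when exec failed */
        }
        int status;
        if (waitpid(pid, &status, 0) != pid) return -1.0;
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1.0;
    }
    clock_gettime(CLOCK_MONOTONIC, &end);
    double ns = (end.tv_sec - start.tv_sec) * 1e9 + (end.tv_nsec - start.tv_nsec);
    return ns / 1000.0 / iterations;
}

/* Upper bound on operations per second if every operation pays one spawn. */
double spawn_ceiling_per_sec(double mean_us)
{
    return mean_us > 0.0 ? 1e6 / mean_us : 0.0;
}

int main(void)
{
    double us = mean_spawn_us(1000);
    if (us < 0.0) { fprintf(stderr, "fork/exec/wait failed\n"); return 1; }
    printf("%.1f us per spawn, ceiling %.0f ops/s\n", us, spawn_ceiling_per_sec(us));
    return 0;
}
```

Feeding the message's .9ms figure into `spawn_ceiling_per_sec(900.0)` gives a ceiling of about 1111 operations per second, which is the number to compare against what the disk sub-system can sustain.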