From: "J. Bruce Fields" <bfields@fieldses.org>
To: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>
Cc: James Morris <jmorris@namei.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel@vger.kernel.org,
	linux-security-module <linux-security-module@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>
Subject: Re: IMA policy search speedup
Date: Wed, 19 Sep 2012 16:07:59 -0400
Message-ID: <20120919200759.GA2169@fieldses.org>
In-Reply-To: <CALLzPKaKoHkVx37FeOSTpRvFM_d6KifDYvywbMk4MOKiy2nQbQ@mail.gmail.com>

On Wed, Sep 19, 2012 at 01:25:26PM +0300, Kasatkin, Dmitry wrote:
> On Wed, Sep 19, 2012 at 7:21 AM, James Morris <jmorris@namei.org> wrote:
> > On Tue, 18 Sep 2012, Kasatkin, Dmitry wrote:
> >
> >> I looked at <linux/fs.h> and found that there is a possibility to
> >> add an additional flag for sb->s_flags.
> >> For example
> >>
> >> #define MS_NOT_IMA              (1<<25) /* NOT_IMA */
> >> #define IS_I_NOT_IMA(inode)   __IS_FLG(inode, MS_NOT_IMA)
> >>
> >>
> >> Another way is to add additional dedicated integrity related member to
> >> the sb structure.
> >> struct super_block {
> >> ...
> >> #ifdef CONFIG_INTEGRITY
> >>       int s_integrity;
> >> #endif
> >> };
> >>
> >> Obviously there are only a few super blocks in the system and a few bytes
> >> will not harm.
> >
> > The flag seems better than adding a new struct member.  Why would you need
> > an int for this?
> >
> 
> int is not really needed. It may be char. I just thought that normally
> we have around 10 super blocks
> and 10 or 40 bytes does not really matter...

Maybe not, but if you use something more generic

	unsigned int s_feature_flags
	#define SF_IMA_ENABLED

then there'd be more uses for that field.

(Two that nfsd would use:
	- does this filesystem support a changeattribute?  (currently a
	  mount flag but that doesn't really make sense in general)
	- is this filesystem case-insensitive?  (whatever that means)
)

--b.

> 
> Actually there is a more severe case. IMA cache objects "iint" per inode
> have the following members:
>   enum integrity_status ima_status;
>   enum integrity_status evm_status;
> 
> And it is only 5 values per each or 10 values per 8 bytes.
> 8 bytes can be easily replaced by 1 byte.
> 
> Should we improve it?
> 
> >
> >
> > - James
> > --
> > James Morris
> > <jmorris@namei.org>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
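
An added example, not part of the original message and not kernel code: a user-space C model of the packing raised in the quoted text, with two five-value statuses stored in one byte instead of two enums. The enumerator names, the struct names, the nibble layout and the helper functions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Five-state status ("5 values" in the message); names are stand-ins for
 * this model. INTEGRITY_NR only counts the states. */
enum integrity_status { INTEGRITY_PASS, INTEGRITY_FAIL, INTEGRITY_NOLABEL,
			INTEGRITY_NOXATTRS, INTEGRITY_UNKNOWN, INTEGRITY_NR };

/* Layout quoted in the thread: two full enums per cached inode. */
struct iint_wide { enum integrity_status ima_status, evm_status; };
/* Hypothetical packed layout: low nibble IMA, high nibble EVM. */
struct iint_packed { uint8_t status; };
#define ST_MASK   0x0fu
#define IMA_SHIFT 0u
#define EVM_SHIFT 4u

/* Store one status without disturbing the other nibble. */
static void set_st(struct iint_packed *i, unsigned shift, enum integrity_status s)
{
	unsigned keep = i->status & ~(ST_MASK << shift);
	i->status = (uint8_t)(keep | (((unsigned)s & ST_MASK) << shift));
}
static enum integrity_status get_st(const struct iint_packed *i, unsigned shift)
{
	return (enum integrity_status)((i->status >> shift) & ST_MASK);
}
/* A zero-filled byte would decode as PASS/PASS here, so start at UNKNOWN. */
static void iint_init(struct iint_packed *i)
{
	i->status = (uint8_t)((INTEGRITY_UNKNOWN << EVM_SHIFT) | INTEGRITY_UNKNOWN);
}
/* Returns 1 if every (ima, evm) pair survives a store and load. */
static int roundtrip_all(void)
{
	for (int a = 0; a < INTEGRITY_NR; a++)
		for (int e = 0; e < INTEGRITY_NR; e++) {
			struct iint_packed p;
			iint_init(&p);
			set_st(&p, IMA_SHIFT, a);
			set_st(&p, EVM_SHIFT, e);
			if ((int)get_st(&p, IMA_SHIFT) != a || (int)get_st(&p, EVM_SHIFT) != e)
				return 0;
		}
	return 1;
}
int main(void)
{
	printf("wide=%zu packed=%zu\n", sizeof(struct iint_wide), sizeof(struct iint_packed));
	return roundtrip_all() ? 0 : 1;
}
```

In this model the zero encoding means "pass", which is why the initializer sets both fields explicitly rather than relying on zeroed memory.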

Thread overview: 6+ messages
2012-09-18  9:44 IMA policy search speedup Kasatkin, Dmitry
2012-09-19  4:21 ` James Morris
2012-09-19  4:46   ` Al Viro
2012-09-19 10:50     ` Kasatkin, Dmitry
2012-09-19 10:25   ` Kasatkin, Dmitry
2012-09-19 20:07     ` J. Bruce Fields [this message]
