From: Eric Paris <eparis@redhat.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-kernel@vger.kenel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org, zohar@us.ibm.com,
warthog9@kernel.org, david@fromorbit.com, jmorris@namei.org,
kyle@mcmartin.ca, hpa@zytor.com, akpm@linux-foundation.org,
torvalds@linux-foundation.org, mingo@elte.hu,
viro@zeniv.linux.org.uk
Subject: Re: [PATCH 1/3] IMA: move read/write counters into struct inode
Date: Mon, 18 Oct 2010 22:14:03 -0400 [thread overview]
Message-ID: <1287454443.2530.124.camel@localhost.localdomain> (raw)
In-Reply-To: <20101019013037.GA31393@infradead.org>
On Mon, 2010-10-18 at 21:30 -0400, Christoph Hellwig wrote:
> I do not like this at all. It bloats the inode with three unsigned
> long values for a feature no sane person would ever use. And given
> that distros are sweet-talked by IBM to enable it the world will pay
> a huge penality for those 0.5% of the userbase that use IMA.
>
> Please reorder your series to have patch to disable IMA unless
> explicitly enabled on the kernel command line first, and then second
> use the rbtree from your last patch.
More cryptic command line options and complexity is not the solution. I
have no plans to send (a fixed/"working" version of) Kyle's patch which
would cause a userspace regression since working machines would
magically stop working.
The right solution is to provide features without unreasonably impacting
those who do not want those features. At the moment my patch series
reduces memory usage by a factor of at least 40 and eliminates the
locking contention and serialization of bringing inodes into and out of
core. It does so without introducing ANY additional overhead or
complexity.
If there is a general consensus that 24 bytes per inode is too large we
can move forward from here and drop the 'opencount' and save 8 bytes
(while eliminating the debugging and verification this code has helped
to provide in the past)
If there is a general consensus that 16 bytes per inode is too large we
can travel down the much more complex route of attempting to collect
this information dynamically by freezing userspace, scanning every open
file, and calculating the information. We would then have a 2 stage
integrity structure, the first with just counters and the second would
contain integrity information if needed.
I'm willing to add those next 2 steps to my todo list if there is a
consensus that the situation at hand is untenable, but those cannot be
my highest priority. We are talking about a feature which has been
enabled without massive complaint (aside from having bugs fixed in the
kernel, in IMA, and in out of tree modules) in Fedora kernels for over a
year. Obviously I think Dave's report is a big deal. Things were
really really wrong, and I'm willing to fix it when things are wrong,
but eventually I hit the point of diminishing returns.
-Eric
next prev parent reply other threads:[~2010-10-19 2:41 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-19 1:16 [PATCH 1/3] IMA: move read/write counters into struct inode Eric Paris
2010-10-19 1:16 ` [PATCH 2/3] IMA: only allocate iint when needed Eric Paris
2010-10-19 1:17 ` [PATCH 3/3] IMA: use rbtree instead of radix tree for inode information cache Eric Paris
2010-10-19 1:30 ` [PATCH 1/3] IMA: move read/write counters into struct inode Christoph Hellwig
2010-10-19 2:14 ` Eric Paris [this message]
2010-10-19 7:39 ` Dave Chinner
2010-10-19 16:24 ` Eric Paris
2010-10-19 16:29 ` Christoph Hellwig
2010-10-19 8:39 ` Ingo Molnar
2010-10-19 2:46 ` Eric Paris
2010-10-19 15:52 ` Linus Torvalds
2010-10-19 16:36 ` Eric Paris
2010-10-19 16:55 ` Al Viro
2010-10-19 17:03 ` Linus Torvalds
2010-10-19 17:28 ` Al Viro
2010-10-19 18:16 ` Mimi Zohar
2010-10-20 13:10 ` John Stoffel
2010-10-20 13:36 ` Al Viro
2010-10-20 14:09 ` John Stoffel
2010-10-19 19:11 ` Matthew Wilcox
2010-10-20 3:15 ` Al Viro
2010-10-20 17:38 ` J. Bruce Fields
2010-10-19 22:49 ` Eric Paris
2010-10-20 14:38 ` Ingo Molnar
2010-10-20 14:46 ` Eric Paris
2010-10-20 15:15 ` Ingo Molnar
2010-10-20 15:25 ` Eric Paris
2010-10-21 16:15 ` Casey Schaufler
2010-10-22 8:48 ` Ingo Molnar
2010-10-22 17:50 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1287454443.2530.124.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=david@fromorbit.com \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=kyle@mcmartin.ca \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kenel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=warthog9@kernel.org \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).