From: Stephen Smalley <sds@tycho.nsa.gov>
To: Wenhui Zhang <wenhui@gwmail.gwu.edu>,
John Johansen <john.johansen@canonical.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
Casey Schaufler <casey.schaufler@intel.com>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org,
SELinux <selinux@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
penguin-kernel@i-love.sakura.ne.jp,
Paul Moore <paul@paul-moore.com>
Subject: Re: Perf Data on LSM in v5.3
Date: Wed, 15 Jan 2020 08:40:19 -0500 [thread overview]
Message-ID: <e7cfc960-32fb-7712-b21c-37999cf29430@tycho.nsa.gov> (raw)
In-Reply-To: <CAOSEQ1rBu+wRzgk_Jh2RsZpf8Lv1+WUi-Pte-EsBMphnEr4SsQ@mail.gmail.com>
On 1/14/20 8:00 PM, Wenhui Zhang wrote:
> Hi, John:
>
> It seems like, the MAC hooks are default to*return 0 or empty void
> hooks* if CONFIG_SECURITY, CONFIG_SECURITY_NETWORK ,
> CONFIG_PAGE_TABLE_ISOLATION, CONFIG_SECURITY_INFINIBAND,
> CONFIG_SECURITY_PATH, CONFIG_INTEL_TXT,
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR,
> CONFIG_HARDENED_USERCOPY, CONFIG_HARDENED_USERCOPY_FALLBACK *are NOT set*.
>
> If HOOKs are "return 0 or empty void hooks", MAC is not enabled.
> In runtime of fs-benchmarks, if CONFIG_DEFAULT_SECURITY_DAC=y, then
> capability is enabled.
>
> Please correct me if I am wrong.
>
> For the first test, wo-sec is tested with:
> # CONFIG_SECURITY_DMESG_RESTRICT is not set
> # CONFIG_SECURITY is not set
> # CONFIG_SECURITYFS is not set
> # CONFIG_PAGE_TABLE_ISOLATION is not set
> # CONFIG_INTEL_TXT is not set
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
> # CONFIG_HARDENED_USERCOPY is not set
> CONFIG_FORTIFY_SOURCE=y
> # CONFIG_STATIC_USERMODEHELPER is not set
> CONFIG_DEFAULT_SECURITY_DAC=y
>
>
> For the second test, w-sec is tested with:
> # CONFIG_SECURITY_DMESG_RESTRICT is not set
> CONFIG_SECURITY=y
> CONFIG_SECURITYFS=y
> # CONFIG_SECURITY_NETWORK is not set
> CONFIG_PAGE_TABLE_ISOLATION=y
> CONFIG_SECURITY_INFINIBAND=y
> CONFIG_SECURITY_PATH=y
> CONFIG_INTEL_TXT=y
> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
> CONFIG_HARDENED_USERCOPY=y
> CONFIG_HARDENED_USERCOPY_FALLBACK=y
> # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
> CONFIG_FORTIFY_SOURCE=y
> # CONFIG_STATIC_USERMODEHELPER is not set
> # CONFIG_SECURITY_SMACK is not set
> # CONFIG_SECURITY_TOMOYO is not set
> # CONFIG_SECURITY_APPARMOR is not set
> # CONFIG_SECURITY_LOADPIN is not set
> # CONFIG_SECURITY_YAMA is not set
> # CONFIG_SECURITY_SAFESETID is not set
> # CONFIG_INTEGRITY is not set
> CONFIG_DEFAULT_SECURITY_DAC=y
> #
> CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
Your configs should only differ with respect to CONFIG_SECURITY* if you
want to evaluate LSM, SELinux, etc overheads. PAGE_TABLE_ISOLATION,
INTEL_TXT, and HARDENED_USERCOPY are not relevant to LSM itself.
Also, what benchmarks are you using? Your own home-grown ones, a set of
open source standard benchmarks (if so, which ones?). You should
include both micro and macro benchmarks in your suite.
How stable are your results? What kind of variance / standard deviation
are you seeing?
It is hard to get meaningful, reliable performance measurements so going
down this road is not to be done lightly.
next prev parent reply other threads:[~2020-01-15 13:39 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAOSEQ1poqrUQdRc+ZLNbEoPqgd4MMomeYmefjca_mj-2zxrdUA@mail.gmail.com>
2020-01-14 21:07 ` Perf Data on LSM in v5.3 Casey Schaufler
[not found] ` <CAOSEQ1p0q4gxVwN3MJkP=xxn4GUVaKsaArtQpxNy5rv7vYvVVw@mail.gmail.com>
2020-01-14 23:59 ` Casey Schaufler
[not found] ` <CAOSEQ1qipfe0Juz+4V9FgebAPDDXePd29s8=G1pFtHGqx4Sedg@mail.gmail.com>
2020-01-15 14:06 ` Stephen Smalley
2020-01-15 0:24 ` John Johansen
[not found] ` <CAOSEQ1rBu+wRzgk_Jh2RsZpf8Lv1+WUi-Pte-EsBMphnEr4SsQ@mail.gmail.com>
2020-01-15 13:40 ` Stephen Smalley [this message]
2020-01-15 14:09 ` Stephen Smalley
[not found] ` <CAOSEQ1o3nhY-svtsFSSv+M=V+NchxmBbhY-FvqoTzJgMnZ1ydw@mail.gmail.com>
2020-01-15 15:34 ` Stephen Smalley
2020-01-15 15:42 ` Stephen Smalley
[not found] ` <CAOSEQ1o6+uL-ATjQ_YXaJP9KxFTS3_b_bzeO7M8eiKbCB9dsyQ@mail.gmail.com>
2020-01-15 16:04 ` Stephen Smalley
2020-01-24 14:57 ` Stephen Smalley
[not found] ` <CAOSEQ1rOQ50WjvvUSeVpf0RREenP_59u34yx1YQE1YdigzOXcg@mail.gmail.com>
2020-01-31 19:15 ` Casey Schaufler
2020-01-31 19:50 ` Stephen Smalley
[not found] ` <CAOSEQ1qPCtdsaieuXtWDEBEZAyddvLTNn8VDAJ-JWKeAP5PYsA@mail.gmail.com>
2020-01-15 16:48 ` Stephen Smalley
2020-01-16 0:00 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e7cfc960-32fb-7712-b21c-37999cf29430@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=selinux@vger.kernel.org \
--cc=wenhui@gwmail.gwu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox