The causes of bloat?

Posted Oct 4, 2009 17:26 UTC (Sun) by nevets (subscriber, #11875)
In reply to: The causes of bloat? by alex
Parent article: LinuxCon: Kernel roundtable covers more than just bloat

I've seen this with ftrace traces. Running the function graph tracer, a good amount of time is spent in the SELinux code. The price you pay for security.

One might argue that we've become 12% slower, but > 12% more secure.



How much checking do you need to do?

Posted Oct 5, 2009 10:43 UTC (Mon) by alex (subscriber, #1355)

I'm all for increasing the security of the kernel. However, I feel the ideal* case the kernel should be striving for is a compare/branch for the check. Does SELinux do any caching of its authentication results?

For example, once you have validated that a process can read a given file descriptor, do you need to re-run the whole capability checking logic for every sys_read()?

Of course, any such caching probably introduces another attack vector, so care would have to be taken with the implementation?

*ideal being a target even if you may never actually reach that goal.
