Perf Data on LSM in v5.3
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 31 19:50:22 UTC 2020
On 1/31/20 2:08 PM, Wenhui Zhang wrote:
> Hi, Smalley:
> DAC, MAC and SELinux's performance data is performed, and it seems like
> our conclusion is consistent with our previous evaluation.
> Please see here (configuration files are included as well):
> 5.3.0-results
> <https://drive.google.com/drive/folders/1NPkHYoffPnkvMlXIM5ytrqzBThLwXx86>
> I am trying to test other modules (SMACK, Apparmor, Integrity etc.)
Still looks like there are some unrelated differences in kernel configs
among dac, mac, and selinux that aren't actually related to what you are
testing. Also, looks like there is a typo in your CONFIG_LSM for
selinux-config.txt, not sure what effect that has if any.
Looks like you are only running micro benchmarks?
What did you use as your base distribution? Fedora 31? Is SELinux
running enforcing with a policy loaded, and no denials during the
benchmark runs (i.e. no avc: denied messages in ausearch -m AVC -ts
boot or journalctl -b output)? Is the benchmark running in unconfined_t
or some other context?
> However what confused me a lot is the Kconfig file in
> ./linux/security/Kconfig:
> config LSM
> string "Ordered list of enabled LSMs"
> default
> "newmodule,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor"
> if DEFAULT_SECURITY_SMACK
> default
> "newmodule,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
> if DEFAULT_SECURITY_APPARMOR
> default "newmodule,yama,loadpin,safesetid,integrity,tomoyo" if
> DEFAULT_SECURITY_TOMOYO
> default "newmodule,yama,loadpin,safesetid,integrity" if
> DEFAULT_SECURITY_DAC
> default
> "newmodule,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
> IMHO, it seems like it is a little confusing, changing it to below maybe
> make it a little more clear:
> config LSM
> string "Ordered list of enabled LSMs"
> default "newmodule,yama,loadpin,safesetid,integrity, tomoyo,
> apparmor, selinux, smack" if DEFAULT_SECURITY_SMACK
> default "newmodule,yama,loadpin,safesetid,integrity,tomoyo,
> smack, selinux, apparmor" if DEFAULT_SECURITY_APPARMOR
> default "newmodule,yama,loadpin,safesetid,integrity,tomoyo" if
> DEFAULT_SECURITY_TOMOYO
> default "" if DEFAULT_SECURITY_DAC *# could we leave this to
> empty string*
> default
> "newmodule,yama,loadpin,safesetid,integrity,*selinux,smack,tomoyo,apparmor"
> # on Ubuntu, apparmor is the default, however on centos etc, maybe
> selinux is the default, on Android smack as default *
> Any suggestions on cleaning up the code on this part please?
I could be wrong but I think the ordering is to preserve the old
behavior of DEFAULT_SECURITY_FOO while still allowing future stacking
if/when it is supported by the respective modules. So the default major
module has to precede any other major modules in the list in order to
win at registration time.
BTW Android uses SELinux [1], not Smack.
[1] http://selinuxproject.org/page/SEAndroid
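The environment questions raised in the reply above (a misspelled entry in CONFIG_LSM, which major module ends up first in the list, whether SELinux is enforcing, and whether any AVC denials occurred during the benchmark) can be checked before a run is trusted. The script below is an added example for this purpose; it is not code from this thread or from the kernel tree. KNOWN_LSMS is taken from the v5.3 CONFIG_LSM default quoted in the thread, EXCLUSIVE_LSMS is an assumption about which modules compete for the single exclusive slot, and the .config fragment and journal lines it ships with are constructed samples. It reads /sys/fs/selinux/enforce and /proc/<pid>/attr/current when given real inputs.

```python
"""Pre-flight checks for an LSM benchmark host: CONFIG_LSM sanity, which
major module is first at registration, and AVC denial count during a run."""
import re
import sys

# Module names taken from the v5.3 CONFIG_LSM default quoted in the thread.
KNOWN_LSMS = {"yama", "loadpin", "safesetid", "integrity",
              "selinux", "smack", "tomoyo", "apparmor"}
# Assumption: the major modules that compete for the exclusive slot at
# registration time; the first one listed in CONFIG_LSM (and built in) wins.
EXCLUSIVE_LSMS = {"selinux", "smack", "apparmor"}

# Constructed sample: a .config whose CONFIG_LSM carries a typo ("selinx").
SAMPLE_CONFIG = (
    "CONFIG_DEFAULT_SECURITY_SELINUX=y\n"
    'CONFIG_LSM="yama,loadpin,safesetid,integrity,selinx,smack,tomoyo,apparmor"\n'
)

# Constructed sample: three journal lines, two of them AVC denials.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1580500000.100:41): avc:  denied  { read } for  pid=1234 comm="lat_syscall" name="passwd" dev="sda1" ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
kernel: audit: type=1130 audit(1580500000.200:42): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
kernel: audit: type=1400 audit(1580500000.300:43): avc:  denied  { write } for  pid=1234 comm="lat_syscall" name="shadow" dev="sda1" ino=2 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""


def parse_config_lsm(config_text):
    """Return the ordered CONFIG_LSM module list, or None if the option is unset."""
    m = re.search(r'^CONFIG_LSM="([^"]*)"\s*$', config_text, re.M)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(",") if t.strip()]


def check_config_lsm(config_text):
    """Flag unknown tokens (typos) and report which major module comes first.

    A misspelled module name simply never matches a registered LSM, so the
    next major module in the list takes the exclusive slot instead.
    """
    order = parse_config_lsm(config_text)
    if order is None:
        return {"order": None, "unknown": [], "first_major": None}
    unknown = [t for t in order if t not in KNOWN_LSMS]
    first_major = next((t for t in order if t in EXCLUSIVE_LSMS), None)
    return {"order": order, "unknown": unknown, "first_major": first_major}


AVC_DENIED = re.compile(r"avc:\s+denied\b")


def count_avc_denials(log_text):
    """Count AVC denial records in journalctl -b / ausearch -m AVC output."""
    return sum(1 for line in log_text.splitlines() if AVC_DENIED.search(line))


def context_type(label):
    """Return the type field of an SELinux label, e.g.
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -> unconfined_t."""
    parts = label.strip("\n\x00 ").split(":")
    return parts[2] if len(parts) >= 3 else None


def preflight(config_text, log_text, enforce, benchmark_label):
    """Summarise the checks a run should pass before its numbers are trusted.
    enforce is the content of /sys/fs/selinux/enforce ("1" when enforcing)."""
    cfg = check_config_lsm(config_text)
    return {
        "config_typos": cfg["unknown"],
        "first_major": cfg["first_major"],
        "enforcing": enforce.strip() == "1",
        "avc_denials": count_avc_denials(log_text),
        "benchmark_type": context_type(benchmark_label),
    }


if __name__ == "__main__":
    # Usage: python3 lsm_preflight.py <.config> <journal.txt> [pid]
    # Without arguments the constructed samples are checked instead.
    if len(sys.argv) >= 3:
        config_text = open(sys.argv[1]).read()
        log_text = open(sys.argv[2]).read()
        enforce = open("/sys/fs/selinux/enforce").read()
        pid = sys.argv[3] if len(sys.argv) > 3 else "self"
        label = open(f"/proc/{pid}/attr/current").read()
    else:
        config_text, log_text = SAMPLE_CONFIG, SAMPLE_LOG
        enforce = "1"
        label = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    print(preflight(config_text, log_text, enforce, label))
```

On the constructed sample the typo "selinx" is reported and "smack" is the first major module in the list, which is exactly the kind of silent configuration drift that would make a "selinux" benchmark measure a different module; a clean run should report no typos, the intended major module first, enforcing true, zero denials, and the expected benchmark type.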