[PATCH v4 0/5] Reduce overhead of LSMs with static calls

Mateusz Guzik mjguzik at gmail.com
Fri Sep 22 18:42:24 UTC 2023


On Fri, Sep 22, 2023 at 04:55:00PM +0200, KP Singh wrote:
> Since we know the address of the enabled LSM callbacks at compile time and only
> the order is determined at boot time, the LSM framework can allocate static
> calls for each of the possible LSM callbacks and these calls can be updated once
> the order is determined at boot.
> 

Any plans to further depessimize the state by not calling into these
modules if not configured?

For example Debian has a milipede:
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"

Everything is enabled (but not configured).

In particular tomoyo is quite nasty, rolling with big memsets only to
find it is not even enabled.



More information about the Linux-security-module-archive mailing list