[PATCH v4 0/5] Reduce overhead of LSMs with static calls
Mateusz Guzik
mjguzik at gmail.com
Fri Sep 22 18:42:24 UTC 2023
On Fri, Sep 22, 2023 at 04:55:00PM +0200, KP Singh wrote:
> Since we know the address of the enabled LSM callbacks at compile time and only
> the order is determined at boot time, the LSM framework can allocate static
> calls for each of the possible LSM callbacks and these calls can be updated once
> the order is determined at boot.
>
Any plans to further depessimize the state by not calling into these
modules if not configured?
For example Debian has a milipede:
CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
Everything is enabled (but not configured).
In particular tomoyo is quite nasty, rolling with big memsets only to
find it is not even enabled.
More information about the Linux-security-module-archive
mailing list