[PATCH v4 0/5] Reduce overhead of LSMs with static calls
KP Singh
kpsingh at kernel.org
Sat Sep 23 16:16:52 UTC 2023
On Fri, Sep 22, 2023 at 8:42 PM Mateusz Guzik <mjguzik at gmail.com> wrote:
>
> On Fri, Sep 22, 2023 at 04:55:00PM +0200, KP Singh wrote:
> > Since we know the address of the enabled LSM callbacks at compile time and only
> > the order is determined at boot time, the LSM framework can allocate static
> > calls for each of the possible LSM callbacks and these calls can be updated once
> > the order is determined at boot.
> >
>
> Any plans to further depessimize the state by not calling into these
> modules if not configured?
>
> For example Debian has a milipede:
> CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
>
> Everything is enabled (but not configured).
If it's not configured, we won't generate static call slots and even
if they are in the CONFIG_LSM (or lsm=) they are simply ignored.
- KP
>
> In particular tomoyo is quite nasty, rolling with big memsets only to
> find it is not even enabled.
More information about the Linux-security-module-archive
mailing list