[PATCH v4 0/5] Reduce overhead of LSMs with static calls
Mateusz Guzik
mjguzik at gmail.com
Sat Sep 23 17:13:14 UTC 2023
On 9/23/23, KP Singh <kpsingh at kernel.org> wrote:
> On Fri, Sep 22, 2023 at 8:42 PM Mateusz Guzik <mjguzik at gmail.com> wrote:
>>
>> On Fri, Sep 22, 2023 at 04:55:00PM +0200, KP Singh wrote:
>> > Since we know the address of the enabled LSM callbacks at compile time
>> > and only
>> > the order is determined at boot time, the LSM framework can allocate
>> > static
>> > calls for each of the possible LSM callbacks and these calls can be
>> > updated once
>> > the order is determined at boot.
>> >
>>
>> Any plans to further depessimize the state by not calling into these
>> modules if not configured?
>>
>> For example Debian has a milipede:
>> CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf"
>>
>> Everything is enabled (but not configured).
>
> If it's not configured, we won't generate static call slots and even
> if they are in the CONFIG_LSM (or lsm=) they are simply ignored.
>
Maybe there is a terminology mismatch here, so let me be more specific
with tomoyo as an example.
In debian you have:
CONFIG_SECURITY_TOMOYO=y
CONFIG_LSM, as per above, includes it on the list.
At the same time debian does not ship any tooling to configure tomoyo
-- it is compiled into the kernel but not configured to enforce
anything.
On stock kernel this results in tons of calls to
tomoyo_init_request_info, which are quite expensive due to an
avoidable memset thrown in, and which always return
tomoyo_init_request_info.
Does not look like your patch whacks this problem.
--
Mateusz Guzik <mjguzik gmail.com>
More information about the Linux-security-module-archive
mailing list