From: KP Singh <kpsingh@google.com>
To: James Morris <jmorris@namei.org>
Cc: Brendan Jackman <jackmanb@chromium.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	bpf@vger.kernel.org, linux-security-module@vger.kernel.org,
	Paul Renauld <renauld@google.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Paul Turner <pjt@google.com>, Jann Horn <jannh@google.com>,
	peterz@infradead.org, rafael.j.wysocki@intel.com,
	keescook@chromium.org, thgarnie@chromium.org,
	paul.renauld.epfl@gmail.com,
	Brendan Jackman <jackmanb@google.com>
Subject: Re: [RFC] security: replace indirect calls with static calls
Date: Thu, 20 Aug 2020 21:04:32 +0200
Message-ID: <CAFLU3KsS40ANOS=t1gPo7_iL=xzHGAbqyXCjHpVZGM5vLYwEZg@mail.gmail.com>
In-Reply-To: <alpine.LRH.2.21.2008210439190.29407@namei.org>

On Thu, Aug 20, 2020 at 8:43 PM James Morris <jmorris@namei.org> wrote:
>
> On Thu, 20 Aug 2020, Brendan Jackman wrote:
>
> > With this implementation, any overhead of the indirect call in the LSM
> > framework is completely mitigated (performance results: [7]). This
> > facilitates the adoption of "bpf" LSM on production machines and also
> > benefits all other LSMs.
>
> This looks like a potentially useful improvement, although I wonder if it
> would be overshadowed by an LSM hook doing real work.
>

Thanks for taking a look!

We can surely look at other examples, but the real goal is to
optimize the case where the "bpf" LSM adds callbacks to every LSM hook
which don't do any real work and cause an avoidable overhead.

This makes it not very practical for data center environments where
one would want a framework that adds a zero base case overhead and
allows the user to decide where to hook / add performance penalties.
(at boot time for other LSMs and at runtime for bpf)

I also think this would be beneficial for LSMs which use a cache for
a faster policy decision (e.g. access vector caching in SELinux).

- KP

> Do you have any more benchmarking beyond eventfd_write() ?
>
>
>
> >
> > [1]: https://lwn.net/ml/linux-kernel/20200710133831.943894387@infradead.org/

[...]

> >
> >  /* Security operations */
> >
>
> --
> James Morris
> <jmorris@namei.org>
>
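A userspace model of the hook-table design being discussed, added here as an illustration and not code from the RFC or the kernel: each hook has a fixed number of call slots, and a per-slot enabled flag stands in for the static branch that would guard the call in the kernel. A slot that is registered but disabled (the "bpf" callback before any program is attached) costs only the flag test and is never called, which is the zero base-case overhead KP describes; enabling it at runtime is the bpf case, while a conventional LSM registers its slot enabled at "boot". Hook names, slot counts and the two callbacks are constructed for the example.

```c
/* Constructed userspace model of slot-based LSM hook dispatch; not kernel code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NUM_HOOKS 3   /* hypothetical hook ids, see enum hook_id */
#define MAX_SLOTS 4   /* hypothetical fixed number of call slots per hook */

enum hook_id { HOOK_FILE_OPEN, HOOK_TASK_ALLOC, HOOK_SOCKET_CREATE };

typedef int (*hook_fn)(int arg);

struct hook_slot {
    hook_fn fn;            /* callback occupying this slot, or NULL if free */
    bool enabled;          /* models the static branch guarding the call */
    unsigned long calls;   /* how many times this slot actually ran */
};

static struct hook_slot hooks[NUM_HOOKS][MAX_SLOTS];

/* Model of a bpf-LSM style callback: does no real work on its own. */
static int bpf_lsm_stub(int arg) { (void)arg; return 0; }

/* Model of a conventional LSM callback that enforces policy: deny odd args. */
static int policy_deny_odd(int arg) { return (arg & 1) ? -13 : 0; }

void hooks_reset(void) { memset(hooks, 0, sizeof(hooks)); }

/* Register fn in the first free slot of a hook; returns the slot index or -1. */
int hook_register(int hook, hook_fn fn, bool enable)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (hooks[hook][i].fn == NULL) {
            hooks[hook][i].fn = fn;
            hooks[hook][i].enabled = enable;
            return i;
        }
    }
    return -1;
}

/* Flip a slot at runtime, as attaching or detaching a BPF program would. */
void hook_set_enabled(int hook, int slot, bool enable)
{
    hooks[hook][slot].enabled = enable;
}

/* Dispatch: walk the slots; a disabled slot costs only the flag test. */
int call_hook(int hook, int arg)
{
    for (int i = 0; i < MAX_SLOTS; i++) {
        struct hook_slot *s = &hooks[hook][i];
        if (!s->enabled)
            continue;            /* branch not taken: no call is made */
        s->calls++;
        int rc = s->fn(arg);
        if (rc)
            return rc;           /* first denial wins, as in the kernel loop */
    }
    return 0;
}

unsigned long slot_calls(int hook, int slot) { return hooks[hook][slot].calls; }

struct scenario_result { int denied; unsigned long stub_calls; unsigned long policy_calls; };

/* Run ten file_open checks with a bpf stub and a policy LSM registered;
 * attach_bpf decides whether the stub slot is enabled at runtime. */
struct scenario_result run_scenario(bool attach_bpf)
{
    hooks_reset();
    int bpf = hook_register(HOOK_FILE_OPEN, bpf_lsm_stub, false);   /* idle until attached */
    int pol = hook_register(HOOK_FILE_OPEN, policy_deny_odd, true);  /* enabled at "boot" */
    if (attach_bpf)
        hook_set_enabled(HOOK_FILE_OPEN, bpf, true);
    struct scenario_result r = {0, 0, 0};
    for (int arg = 0; arg < 10; arg++)
        if (call_hook(HOOK_FILE_OPEN, arg) != 0)
            r.denied++;
    r.stub_calls = slot_calls(HOOK_FILE_OPEN, bpf);
    r.policy_calls = slot_calls(HOOK_FILE_OPEN, pol);
    return r;
}

int main(void)
{
    struct scenario_result before = run_scenario(false);
    struct scenario_result after = run_scenario(true);
    printf("before attach: stub ran %lu times, policy ran %lu times, %d denied\n",
           before.stub_calls, before.policy_calls, before.denied);
    printf("after attach:  stub ran %lu times, policy ran %lu times, %d denied\n",
           after.stub_calls, after.policy_calls, after.denied);
    return 0;
}
```

The policy slot produces the same five denials in both runs; what changes is only whether the idle bpf slot is invoked at all, which is the per-hook base cost the static-call approach aims to remove.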

Thread overview: 15+ messages
2020-08-20 16:47 [RFC] security: replace indirect calls with static calls Brendan Jackman
2020-08-20 18:43 ` James Morris
2020-08-20 19:04   ` KP Singh [this message]
2020-08-20 21:45 ` Kees Cook
2020-08-24 14:09   ` Brendan Jackman
2020-08-24 14:33     ` Peter Zijlstra
2020-08-24 15:05       ` Brendan Jackman
2020-08-20 22:46 ` Casey Schaufler
2020-08-24 15:20   ` Brendan Jackman
2020-08-24 16:42     ` Casey Schaufler
2020-08-24 17:04       ` Brendan Jackman
2020-08-24 17:54         ` Casey Schaufler
2021-02-05 15:09 ` Mathieu Desnoyers
2021-02-05 15:40   ` Peter Zijlstra
2021-02-05 15:47     ` Mathieu Desnoyers
