Re: oprofile / selinux / security_port_sid
On Tue, Mar 27, 2007 at 09:40:23 -0400, Stephen Smalley wrote:
> On Tue, 2007-03-27 at 13:06 +0300, Sami Farin wrote:
> > is there room for improvement in security_port_sid() ?
>
> Yes, lots of room. Also, it won't get called per-packet if you enable
> secmark (echo 0 > /selinux/compat_net or boot with selinux_compat_net=0
> or build with SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT), although that
> may require updating your policy.

Hmm, test was done with
CONFIG_NETWORK_SECMARK=y
CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
and /selinux/compat_net = 0

--
Do what you love because life is too short for anything else.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: oprofile / selinux / security_port_sid
On Tue, 27 Mar 2007, Sami Farin wrote:
> On Tue, Mar 27, 2007 at 09:40:23 -0400, Stephen Smalley wrote:
> > On Tue, 2007-03-27 at 13:06 +0300, Sami Farin wrote:
> > > is there room for improvement in security_port_sid() ?
> >
> > Yes, lots of room. Also, it won't get called per-packet if you enable
> > secmark (echo 0 > /selinux/compat_net or boot with selinux_compat_net=0
> > or build with SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT), although that
> > may require updating your policy.
>
> Hmm, test was done with
> CONFIG_NETWORK_SECMARK=y
> CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT=y
> and /selinux/compat_net = 0

Even with this setting, you'll be hitting security_port_sid() via connect(2) and bind(2).

We need to fix it.

- James
--
James Morris
<[EMAIL PROTECTED]>
Re: oprofile / selinux / security_port_sid
On Tue, 2007-03-27 at 13:06 +0300, Sami Farin wrote:
> is there room for improvement in security_port_sid() ?

Yes, lots of room. Also, it won't get called per-packet if you enable
secmark (echo 0 > /selinux/compat_net or boot with selinux_compat_net=0
or build with SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT), although that
may require updating your policy.

> little test with dns queries (dnsfilter (the client) on local host
> using poll() and dnscache (the server) using epoll (at max 4000 concurrent
> queries):
> (stats for only vmlinux)
>
> CPU: P4 / Xeon, speed 2797.32 MHz (estimated)
> Counted GLOBAL_POWER_EVENTS events (time during which processor is not
> stopped) with a unit mask of 0x01 (mandatory) count 45000
> Counted FSB_DATA_ACTIVITY events (DRDY or DBSY events on the front side bus)
> with a unit mask of 0x03 (multiple flags) count 45000
> Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x05
> (multiple flags) count 45000
> Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x0a
> (multiple flags) count 45000
> samples  %        samples  %        samples  %        samples  %        symbol name
> 220663   10.2181  6704     17.9737  5735      7.5171   27       1.1989  datagram_poll
> 140086    6.4869  3239      8.6839  3786      4.9624   24       1.0657  sock_poll
> 119636    5.5399  2172      5.8232  7168      9.3954   24       1.0657  do_poll
> 101512    4.7006  3987     10.6893   812      1.0643   14       0.6217  udp_get_port
>  71008    3.2881  1017      2.7266  2694      3.5311  397      17.6288  security_port_sid
>  64350    2.9798   144      0.3861  1912      2.5061    6       0.2664  add_wait_queue
>  60815    2.8161   187      0.5014  3246      4.2546    2       0.0888  remove_wait_queue
>  47456    2.1975  1823      4.8875   476      0.6239   31       1.3766  udp_v4_lookup_longway
>
> if dnsfilter had used epoll, security_port_sid would
> probably (?) be number one (or two or three) CPU user in kernel.
>
> also note that 17.6% of mispredicted branches occur in security_port_sid.

--
Stephen Smalley
National Security Agency
oprofile / selinux / security_port_sid
is there room for improvement in security_port_sid() ?

little test with dns queries (dnsfilter (the client) on local host
using poll() and dnscache (the server) using epoll (at max 4000 concurrent
queries):
(stats for only vmlinux)

CPU: P4 / Xeon, speed 2797.32 MHz (estimated)
Counted GLOBAL_POWER_EVENTS events (time during which processor is not
stopped) with a unit mask of 0x01 (mandatory) count 45000
Counted FSB_DATA_ACTIVITY events (DRDY or DBSY events on the front side bus)
with a unit mask of 0x03 (multiple flags) count 45000
Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x05
(multiple flags) count 45000
Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x0a
(multiple flags) count 45000
samples  %        samples  %        samples  %        samples  %        symbol name
220663   10.2181  6704     17.9737  5735      7.5171   27       1.1989  datagram_poll
140086    6.4869  3239      8.6839  3786      4.9624   24       1.0657  sock_poll
119636    5.5399  2172      5.8232  7168      9.3954   24       1.0657  do_poll
101512    4.7006  3987     10.6893   812      1.0643   14       0.6217  udp_get_port
 71008    3.2881  1017      2.7266  2694      3.5311  397      17.6288  security_port_sid
 64350    2.9798   144      0.3861  1912      2.5061    6       0.2664  add_wait_queue
 60815    2.8161   187      0.5014  3246      4.2546    2       0.0888  remove_wait_queue
 47456    2.1975  1823      4.8875   476      0.6239   31       1.3766  udp_v4_lookup_longway

if dnsfilter had used epoll, security_port_sid would
probably (?) be number one (or two or three) CPU user in kernel.

also note that 17.6% of mispredicted branches occur in security_port_sid.

--
Do what you love because life is too short for anything else.
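The report above is a multi-event opreport listing: one "samples %" pair per counted event, in the order of the "Counted ... events" header lines, with the symbol name last. What the thread's "17.6% of mispredicted branches" figure does not show directly is the per-symbol misprediction rate (mispredicted / retired), which is what separates a hot function from a badly predicted one. The following is an added example, not code from the thread or from oprofile: a small parser for that layout plus the ratio calculation. The embedded report is constructed from the figures quoted in the post, with the wrapped header lines joined back onto single lines; the reading of unit mask 0x05 as retired branches and 0x0a as mispredicted branches follows the original post.

```python
"""Added example: parse a multi-event opreport -l listing and compute
per-symbol branch misprediction rates. Not part of oprofile or the thread."""
import re

# Constructed sample, laid out the way opreport prints a 4-event report.
# Figures are the ones quoted in the original post; header lines are unwrapped.
SAMPLE_REPORT = """\
CPU: P4 / Xeon, speed 2797.32 MHz (estimated)
Counted GLOBAL_POWER_EVENTS events (time during which processor is not stopped) with a unit mask of 0x01 (mandatory) count 45000
Counted FSB_DATA_ACTIVITY events (DRDY or DBSY events on the front side bus) with a unit mask of 0x03 (multiple flags) count 45000
Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x05 (multiple flags) count 45000
Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x0a (multiple flags) count 45000
samples  %        samples  %        samples  %        samples  %        symbol name
220663   10.2181  6704     17.9737  5735      7.5171   27       1.1989  datagram_poll
140086    6.4869  3239      8.6839  3786      4.9624   24       1.0657  sock_poll
119636    5.5399  2172      5.8232  7168      9.3954   24       1.0657  do_poll
101512    4.7006  3987     10.6893   812      1.0643   14       0.6217  udp_get_port
 71008    3.2881  1017      2.7266  2694      3.5311  397      17.6288  security_port_sid
 64350    2.9798   144      0.3861  1912      2.5061    6       0.2664  add_wait_queue
 60815    2.8161   187      0.5014  3246      4.2546    2       0.0888  remove_wait_queue
 47456    2.1975  1823      4.8875   476      0.6239   31       1.3766  udp_v4_lookup_longway
"""

# "Counted <EVENT> events ... unit mask of <MASK>"; the mask is kept because the
# same event (BRANCH_RETIRED) can be counted twice with different masks.
COUNTED_RE = re.compile(r"^Counted (\S+) events .*?unit mask of (0x[0-9a-fA-F]+)")


def parse_opreport(text):
    """Return (events, rows).

    events: list of "EVENT:MASK" strings in column order.
    rows:   list of {"symbol": str, "counts": [(samples, percent), ...]},
            one (samples, percent) pair per event, in the same order.
    """
    events, rows = [], []
    for line in text.splitlines():
        m = COUNTED_RE.match(line)
        if m:
            events.append(f"{m.group(1)}:{m.group(2)}")
            continue
        fields = line.split()
        # Data rows start with a sample count; the header and CPU lines do not.
        if not fields or not fields[0].isdigit():
            continue
        n = len(events)
        if len(fields) != 2 * n + 1:
            continue  # not a well-formed row for this many events
        nums = fields[:2 * n]
        counts = [(int(nums[i]), float(nums[i + 1])) for i in range(0, 2 * n, 2)]
        rows.append({"symbol": fields[-1], "counts": counts})
    return events, rows


def event_index(events, name, mask):
    """Column index of a counted event, e.g. ("BRANCH_RETIRED", "0x0a")."""
    return events.index(f"{name}:{mask}")


def top_symbol(rows, event_idx):
    """Symbol with the most samples in one event column."""
    return max(rows, key=lambda r: r["counts"][event_idx][0])["symbol"]


def mispredict_rate(rows, retired_idx, mispredicted_idx):
    """Per-symbol mispredicted/retired branch ratio; None when no retired samples."""
    rates = {}
    for r in rows:
        retired = r["counts"][retired_idx][0]
        missed = r["counts"][mispredicted_idx][0]
        rates[r["symbol"]] = (missed / retired) if retired else None
    return rates


if __name__ == "__main__":
    ev, rs = parse_opreport(SAMPLE_REPORT)
    ret = event_index(ev, "BRANCH_RETIRED", "0x05")
    mis = event_index(ev, "BRANCH_RETIRED", "0x0a")
    print(f"most mispredicted branches: {top_symbol(rs, mis)}")
    for sym, rate in sorted(mispredict_rate(rs, ret, mis).items(),
                            key=lambda kv: -(kv[1] or 0)):
        print(f"{sym:24s} {rate:7.2%}")
```

Run against the sample, the ratio column makes the point sharper than the share column: security_port_sid mispredicts about 14.7% of the branches it retires, while datagram_poll, which retires twice as many branches, mispredicts under 0.5% of them. That pattern is what a data-dependent linear scan looks like in hardware counters, and it is a useful signal to keep an eye on when profiling any per-socket security hook.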