Re: The price of SELinux (CPU)

[Valdis.Kletnieks@vt.edu]

On Tue, 04 Oct 2005 00:28:40 EDT, John Richard Moser said:

> At any rate, my personal end goal is a secure high-performance operating
> system, as user friendly as 

Step 0: Sooner or later, "secure" and "user friendly" *will* come into conflict.
At that point, you have to make a choice. Note that in many cases, we *made* the
choice years or even decades ago, and we've gotten used to the choices made.
For instance, you'd certainly get better performance and user friendliness if
you just stubbed out permission() in fs/namei.c and capable(), and just had them
return "let the guy do it".  But somehow, I don't think anybody would find that
very palatable.

Similarly, the stuff that comes out of Redmond, in general, has security issues
precisely because they chose "user friendly" when they got to Step 0.  Being
able to put Javascript and/or executable binaries in e-mail for automatic
execution is certainly user-friendly - but it's not secure.

In any case, the overhead isn't 7%.  If anything, it's probably closer to 0.7%,
and dropping with each kernel release as the code gets tuned and optimized even
more.  And beware the impact of micro-optimizations and macro-performance - there
was recently a code change to reduce the number and size of avtab entries.  That
slowed down the actual code path slightly, but overall was actually a performance
win, especially on smaller memory-constrained machines, due to the drastic drop
in overall slab consumption.

And remember - the first time that a security system prevents (for example) an
exploit against an Apache bug from being used to take over a system, it's paid
for itself.  When the FBI faxes you that "Hold Evidence" order, it means you may
not be seeing that server again for weeks, if ever.....

Attachment: pgpal76S39cyB.pgp
Description: PGP signature