On 9/23/23, KP Singh <kpsingh@xxxxxxxxxx> wrote: > On Fri, Sep 22, 2023 at 8:42 PM Mateusz Guzik <mjguzik@xxxxxxxxx> wrote: >> >> On Fri, Sep 22, 2023 at 04:55:00PM +0200, KP Singh wrote: >> > Since we know the address of the enabled LSM callbacks at compile time >> > and only >> > the order is determined at boot time, the LSM framework can allocate >> > static >> > calls for each of the possible LSM callbacks and these calls can be >> > updated once >> > the order is determined at boot. >> > >> >> Any plans to further depessimize the state by not calling into these >> modules if not configured? >> >> For example Debian has a milipede: >> CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" >> >> Everything is enabled (but not configured). > > If it's not configured, we won't generate static call slots and even > if they are in the CONFIG_LSM (or lsm=) they are simply ignored. > Maybe there is a terminology mismatch here, so let me be more specific with tomoyo as an example. In debian you have: CONFIG_SECURITY_TOMOYO=y CONFIG_LSM, as per above, includes it on the list. At the same time debian does not ship any tooling to configure tomoyo -- it is compiled into the kernel but not configured to enforce anything. On stock kernel this results in tons of calls to tomoyo_init_request_info, which are quite expensive due to an avoidable memset thrown in, and which always return tomoyo_init_request_info. Does not look like your patch whacks this problem. -- Mateusz Guzik <mjguzik gmail.com>
