On 10/20/2010 8:15 AM, Ingo Molnar wrote: > * Eric Paris <eparis@xxxxxxxxxx> wrote: > >> On Wed, 2010-10-20 at 16:38 +0200, Ingo Molnar wrote: >>> * Eric Paris <eparis@xxxxxxxxxx> wrote: >>> >>>> Executive summary of the day's work: >>>> Yesterday morning: 944 bytes per inode in core >>>> Yesterday night: 24 bytes per inode in core >>>> Tonight: 4 bytes per inode in core. >>>> >>>> That's a x236 time reduction in memory usage. No I didn't even start looking >>>> at a freezer. Which could bring that 4 down to 0, but would add a scalability >>>> penalty on all inodes when IMA was enabled. >>> Why not use inode->i_security intelligently? That already exists so that way >>> it's 0 bytes. >>> >>> Thanks, >> It still wouldn't be 0 bytes since there would be a 1-1 mapping from inode to >> i_security structs. [...] > Only for IMA-affected files, right? > > My point is to keep it 0 overhead for the _non IMA common case_. > >> The real reason I don't pursue this route is because of the litany of different >> ways this pointer is used in different LSMs (or not used at all.) And we all know >> that LSM authors aren't known for seeing the world the same way as each other. As >> a maintainer of one of those LSMs even I'm scared to try pushing that forward.... > Ugh. That's a perfect reason to do it exactly like i suggested. If you would like to make a proposal on LSM stacking other than the traditional "rip the LSM out" I am sure that everyone in the IMA, SELinux, TOMOYO, AppArmor and Smack communities would be happy to have a look. Short of having a viable mechanism for multiple LSMs to coexist IMA needs its separate space. Yes, people do use both IMA and LSMs on the same machine at the same time. > Thanks, > > Ingo > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html > > -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
