Re: Perf Data on LSM in v5.3

On 1/14/20 8:00 PM, Wenhui Zhang wrote:
Hi, John:

It seems like the MAC hooks default to *return 0 or empty void hooks* if CONFIG_SECURITY, CONFIG_SECURITY_NETWORK, CONFIG_PAGE_TABLE_ISOLATION, CONFIG_SECURITY_INFINIBAND, CONFIG_SECURITY_PATH, CONFIG_INTEL_TXT, CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR, CONFIG_HARDENED_USERCOPY, CONFIG_HARDENED_USERCOPY_FALLBACK *are NOT set*.

If the hooks are "return 0 or empty void hooks", MAC is not enabled.
At runtime of the fs benchmarks, if CONFIG_DEFAULT_SECURITY_DAC=y, then capability is enabled.

Please correct me if I am wrong.

For the first test, wo-sec is tested with:
# CONFIG_SECURITY_DMESG_RESTRICT is not set
# CONFIG_SECURITY is not set
# CONFIG_SECURITYFS is not set
# CONFIG_PAGE_TABLE_ISOLATION is not set
# CONFIG_INTEL_TXT is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_FORTIFY_SOURCE=y
# CONFIG_STATIC_USERMODEHELPER is not set
CONFIG_DEFAULT_SECURITY_DAC=y


For the second test, w-sec is tested with:
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITY_INFINIBAND=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
# CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
CONFIG_FORTIFY_SOURCE=y
# CONFIG_STATIC_USERMODEHELPER is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_LOADPIN is not set
# CONFIG_SECURITY_YAMA is not set
# CONFIG_SECURITY_SAFESETID is not set
# CONFIG_INTEGRITY is not set
CONFIG_DEFAULT_SECURITY_DAC=y
# CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"

Your configs should only differ with respect to CONFIG_SECURITY* if you want to evaluate LSM, SELinux, etc. overheads. PAGE_TABLE_ISOLATION, INTEL_TXT, and HARDENED_USERCOPY are not relevant to LSM itself.

Also, what benchmarks are you using? Your own home-grown ones, or a set of open source standard benchmarks (if so, which ones?)? You should include both micro and macro benchmarks in your suite.

How stable are your results? What kind of variance / standard deviation are you seeing?

It is hard to get meaningful, reliable performance measurements so going down this road is not to be done lightly.
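An added example (not part of the thread) that checks the point about the two configs: it normalises two kernel .config files and lists every option that differs outside CONFIG_SECURITY*, i.e. the confounders for an LSM-overhead comparison. The sample inputs are constructed excerpts of the wo-sec and w-sec configs posted above; treating a symbol that is absent from one file as off (like "is not set") is an assumption of the script.

```shell
#!/bin/sh
# Print "SYMBOL OLD NEW" for every symbol whose value differs between two
# .config files. "# CONFIG_X is not set" and a symbol that is absent (hidden
# because its dependencies are off) are both treated as "n" (assumption).
config_changes() {
    awk '
        { ok = 0 }
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { sym = $2; val = "n"; ok = 1 }
        /^CONFIG_[A-Za-z0-9_]+=/ { sym = $0; sub(/=.*/, "", sym); val = substr($0, length(sym) + 2); ok = 1 }
        ok { seen[sym] = 1; if (NR == FNR) a[sym] = val; else b[sym] = val }
        END {
            for (s in seen) {
                va = (s in a) ? a[s] : "n"; vb = (s in b) ? b[s] : "n"
                if (va != vb) print s, va, vb
            }
        }' "$1" "$2" | LC_ALL=C sort
}

# Differences outside CONFIG_SECURITY*: by the rule in the reply, a fair
# LSM-overhead comparison should report nothing here.
config_confounders() {
    config_changes "$1" "$2" | grep -v '^CONFIG_SECURITY'
}

# Constructed sample input: excerpts of the wo-sec and w-sec configs above.
WO_SEC=$(mktemp); W_SEC=$(mktemp); trap 'rm -f "$WO_SEC" "$W_SEC"' EXIT
cat >"$WO_SEC" <<'EOF'
# CONFIG_SECURITY is not set
# CONFIG_SECURITYFS is not set
# CONFIG_PAGE_TABLE_ISOLATION is not set
# CONFIG_INTEL_TXT is not set
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_FORTIFY_SOURCE=y
EOF
cat >"$W_SEC" <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_FALLBACK=y
CONFIG_FORTIFY_SOURCE=y
EOF
config_confounders "$WO_SEC" "$W_SEC"
```

On the excerpts this lists PAGE_TABLE_ISOLATION, INTEL_TXT, HARDENED_USERCOPY and HARDENED_USERCOPY_FALLBACK, the four options the reply says should not differ between the two runs.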