Re: Perf Data on LSM in v5.3

On 1/14/20 7:14 PM, Wenhui Zhang wrote:
Hi, Casey:

Nope, I did not test without CONFIG_SECURITY for v5.3. (I could give it a try later this week, please let me know if you need this data.) However I did this test for v4.18.20, afterwards I switched to v5.3 as my base code.

I am attaching the three results to this email for your reference for v4.18.20.
  -- without_sec is without CONFIG_SECURITY
  -- with_sec_disable_all is with CONFIG_SECURITY, however no submodule is CONFIG
  -- selinux is with CONFIG_SECURITY, and CONFIG integrity and selinux only, however no policy enabled

Don't enable integrity if you want to evaluate just LSM/SELinux overheads. Also not sure what kind of behavior you get from SELinux with no policy loaded; it wasn't designed to be used that way beyond early initialization up to the point where init/systemd loads policy. Better comparisons would be running standard benchmarks on e.g. Fedora with SELinux disabled versus enabled as well as with LSM completely disabled. Then you'd be evaluating SELinux with a policy in enforcing mode on a distro that actually supports it. Similarly, evaluating AppArmor perf is best done on a distro that supports it and provides a policy, e.g. Ubuntu or latest Debian.


One interesting fact generated from this test is that the selinux and integrity CONFIGs introduce about a 20% performance downgrade for readdir.

Would have to see the actual benchmark code, complete kernel config, and kernel version to evaluate that result meaningfully.

BTW, it would be interesting to evaluate the LSM overhead alone (i.e. CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y but all other CONFIG_SECURITY*=n) before and after the switch to LSM hook lists aka stacking support. Don't think we ever saw micro benchmark data for that change IIRC.


without_sec <https://drive.google.com/drive/folders/1TuUB1JT5bijG-hNvN1Dti7DyFIXM3u_g>

with_sec_disable_all <https://drive.google.com/drive/folders/1bWrQ-dTSn1p05hVyvIUIAE4hkKgUp6D->

selinux <https://drive.google.com/drive/folders/1132zzrw42XH8tbNgYvd44LuocgIw4Wq6>



On Tue, Jan 14, 2020 at 6:59 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:

    On 1/14/2020 1:15 PM, Wenhui Zhang wrote:
     >
     > On Tue, Jan 14, 2020 at 4:08 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
     >
     >     On 1/14/2020 12:15 PM, Wenhui Zhang wrote:
     >     > Hi, Casey:
     >     >
     >     > I just performed a performance check on
     >     > 1. v5.3 with DAC only, and
     >     > 2. v5.3 with DAC and MAC framework, an empty-policy enabled in sub-modules (e.g. selinux)
     >
    This is great. Do you have data for a system without CONFIG_SECURITY?




--
V/R,

Wenhui Zhang

Email: wenhui@xxxxxxxxxxxxxx
Telephone: 1-(703) 424 3193
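The three result sets above (without_sec, with_sec_disable_all, selinux) and the LSM-only baseline suggested in the reply differ only in a handful of Kconfig symbols, and it is easy to benchmark the wrong tree when configs drift. The following POSIX shell helper is an added example, not code from the thread or from any of its participants: it reads a kernel .config and reports which variant it corresponds to, and separately flags CONFIG_IMA=y so that integrity is not accidentally left on when measuring LSM/SELinux overhead alone. The Kconfig symbols are the real upstream ones; the function names (lsm_profile, integrity_enabled, write_samples) and the sample .config fragments are constructed for this example, and "lsm_only" is a strict reading of the baseline in the reply (CONFIG_SECURITY=y, CONFIG_SECURITY_NETWORK=y, no other CONFIG_SECURITY_* symbol built in).

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a kernel .config by the
# security Kconfig symbols the discussion revolves around. Function names and
# the sample configs below are constructed; the CONFIG_* symbols are upstream.

# lsm_profile FILE: print which benchmark variant FILE corresponds to.
#   without_sec  CONFIG_SECURITY is not set (no LSM framework compiled in)
#   lsm_only     CONFIG_SECURITY=y and CONFIG_SECURITY_NETWORK=y, but no
#                other CONFIG_SECURITY_* symbol =y (the "LSM overhead alone"
#                baseline; also what with_sec_disable_all should look like)
#   selinux      CONFIG_SECURITY=y and CONFIG_SECURITY_SELINUX=y
#   other        some other module (AppArmor, Smack, TOMOYO, ...) or an extra
#                CONFIG_SECURITY_* option is built in
lsm_profile() {
    f="$1"
    if ! grep -q '^CONFIG_SECURITY=y$' "$f"; then
        echo without_sec
        return 0
    fi
    if grep -q '^CONFIG_SECURITY_SELINUX=y$' "$f"; then
        echo selinux
        return 0
    fi
    # Every CONFIG_SECURITY_<x>=y line except the network hooks themselves.
    # "|| true" keeps the pipeline's exit status from tripping set -e.
    extra=$(grep '^CONFIG_SECURITY_[A-Z0-9_]*=y$' "$f" \
            | grep -v '^CONFIG_SECURITY_NETWORK=y$' || true)
    if [ -z "$extra" ] && grep -q '^CONFIG_SECURITY_NETWORK=y$' "$f"; then
        echo lsm_only
    else
        echo other
    fi
}

# integrity_enabled FILE: exit 0 when CONFIG_IMA=y. The reply advises leaving
# integrity off when the goal is to measure LSM/SELinux overhead by itself.
integrity_enabled() {
    grep -q '^CONFIG_IMA=y$' "$1"
}

# write_samples DIR: constructed .config fragments, one per variant, used here
# as stand-in input so the example runs offline.
write_samples() {
    d="$1"
    printf '%s\n' '# CONFIG_SECURITY is not set' 'CONFIG_SECURITYFS=y' \
        > "$d/without_sec.config"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_NETWORK=y' \
        '# CONFIG_SECURITY_SELINUX is not set' '# CONFIG_IMA is not set' \
        > "$d/lsm_only.config"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_NETWORK=y' \
        'CONFIG_SECURITY_SELINUX=y' 'CONFIG_INTEGRITY=y' 'CONFIG_IMA=y' \
        > "$d/selinux.config"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_NETWORK=y' \
        'CONFIG_SECURITY_APPARMOR=y' > "$d/apparmor.config"
}

main() {
    d=$(mktemp -d)
    write_samples "$d"
    for c in "$d"/*.config; do
        printf '%-20s %s' "$(basename "$c")" "$(lsm_profile "$c")"
        if integrity_enabled "$c"; then
            printf '  (CONFIG_IMA=y: turn integrity off for LSM-only numbers)'
        fi
        printf '\n'
    done
    rm -rf "$d"
}

main
```

To check a real tree, call lsm_profile and integrity_enabled on its .config (for example /boot/config-$(uname -r) or the tree's own .config) instead of the constructed samples; the "other" result is deliberately conservative, so a config with, say, CONFIG_SECURITY_NETWORK_XFRM=y or CONFIG_SECURITY_PATH=y is not reported as the LSM-only baseline and should be compared by hand.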