Message-Id: <200510041539.j94FdJmO028772@turing-police.cc.vt.edu>
To: John Richard Moser <nigelenki@comcast.net>
Cc: linux-kernel@vger.kernel.org
Subject: Re: The price of SELinux (CPU) 
In-Reply-To: Your message of "Tue, 04 Oct 2005 00:28:40 EDT."
             <434204F8.2030209@comcast.net> 
From: Valdis.Kletnieks@vt.edu
References: <434204F8.2030209@comcast.net>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_1128440359_2862P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Tue, 04 Oct 2005 11:39:19 -0400
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2404
Lines: 52

--==_Exmh_1128440359_2862P
Content-Type: text/plain; charset=us-ascii

On Tue, 04 Oct 2005 00:28:40 EDT, John Richard Moser said:

> At any rate, my personal end goal is a secure high-performance operating
> system, as user friendly as 

Step 0: Sooner or later, "secure" and "user friendly" *will* come into conflict.
At that point, you have to make a choice. Note that in many cases, we *made* the
choice years or even decades ago, and we've gotten used to the choices made.
For instance, you'd certainly get better performance and user friendliness if
you just stubbed out permission() in fs/namei.c and capable(), and just had them
return "let the guy do it".  But somehow, I don't think anybody would find that
very palatable.

Similarly, the stuff that comes out of Redmond, in general, has security issues
precisely because they chose "user friendly" when they got to Step 0.  Being
able to put Javascript and/or executable binaries in e-mail for automatic
execution is certainly user-friendly - but it's not secure.

In any case, the overhead isn't 7%.  If anything, it's probably closer to 0.7%,
and dropping with each kernel release as the code gets tuned and optimized even
more.  And beware the impact of micro-optimizations and macro-performance - there
was recently a code change to reduce the number and size of avtab entries.  That
slowed down the actual code path slightly, but overall was actually a performance
win, especially on smaller memory-constrained machines, due to the drastic drop
in overall slab consumption.

And remember - the first time that a security system prevents (for example) an
exploit against an Apache bug from being used to take over a system, it's paid
for itself.  When the FBI faxes you that "Hold Evidence" order, it means you may
not be seeing that server again for weeks, if ever.....

--==_Exmh_1128440359_2862P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFDQqIncC3lWbTT17ARAsUqAKDXOYxL1PWsFFPnuBtpv/dBYZ7iqwCg6u1B
JpK5u42qBpJjdA0alwcxxpI=
=iZNh
-----END PGP SIGNATURE-----

--==_Exmh_1128440359_2862P--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/