Date:	Tue, 10 Sep 2013 22:13:16 -0500
From:	Eric Sandeen <sandeen@...hat.com>
To:	"Theodore Ts'o" <tytso@....edu>,
	Andreas Dilger <adilger@...ger.ca>,
	Thavatchai Makphaibulchoke <thavatchai.makpahibulchoke@...com>,
	T Makphaibulchoke <tmac@...com>,
	Al Viro <viro@...iv.linux.org.uk>,
	"linux-ext4@...r.kernel.org List" <linux-ext4@...r.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	"linux-fsdevel@...r.kernel.org Devel" <linux-fsdevel@...r.kernel.org>,
	aswin@...com, Linus Torvalds <torvalds@...ux-foundation.org>,
	aswin_proj@...ts.hp.com
Subject: Re: [PATCH v3 0/2] ext4: increase mbcache scalability

On 9/10/13 4:02 PM, Theodore Ts'o wrote:
> On Tue, Sep 10, 2013 at 02:47:33PM -0600, Andreas Dilger wrote:
>> I agree that SELinux is enabled on enterprise distributions by default,
>> but I'm also interested to know how much overhead this imposes.  I would
>> expect that writing large external xattrs for each file would have quite
>> a significant performance overhead that should not be ignored.  Reducing
>> the mbcache overhead is good, but eliminating it entirely is better.
> 
> I was under the impression that using a 256 byte inode (which gives a
> bit over 100 bytes worth of xattr space) was plenty for SELinux.  If
> it turns out that SELinux's use of xattrs has gotten especially
> piggy, then we may need to revisit the recommended inode size for
> those systems who insist on using SELinux...  even if we eliminate the
> overhead associated with mbcache, the fact that files are requiring a
> separate xattr is going to seriously degrade performance.

On my RHEL6 system,

# find / -xdev -exec getfattr --only-values -m security.* {} 2>/dev/null \; | wc -c
11082179

bytes of names for:

# df -i /
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/mapper/vg_bp05-lv_root
                     3276800  280785 2996015    9% /

280785 inodes used,

so:
11082179/280785 = ~39.5 bytes per value on average, plus:

# echo -n "security.selinux" | wc -c
16

16 bytes for the name is only about 55-56 bytes per selinux attr on average.

So nope, not "especially piggy" on average.

Another way to do it is this; list all possible file contexts, and make
a histogram of sizes:

# for CONTEXT in `semanage fcontext -l | awk '{print $NF}' `; do echo -n $CONTEXT | wc -c; done | sort -n | uniq -c
      1 7
     33 8
    356 26
     14 27
     14 28
     37 29
     75 30
    237 31
    295 32
    425 33
    324 34
    445 35
    548 36
    229 37
    193 38
    181 39
    259 40
     81 41
    108 42
     96 43
     55 44
     55 45
     16 46
     41 47
     23 48
     28 49
     36 50
     10 51
     10 52
      5 54
      2 57

so a 57 byte value is max, but there aren't many of the larger values.

Above doesn't tell us the prevalence of various contexts on the actual system,
but they are all under 100 bytes in any case.

-Eric

> 	       	  	   	     - Ted
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
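
Added example, not part of the original message: the semanage histogram above covers the contexts the policy can assign, while this Python script builds the same histogram from the security.selinux values actually stored on one filesystem, so it reflects prevalence. It uses the mail's name-plus-value accounting; the function names and the 100-byte BUDGET (the round figure from the quoted text) are assumptions of this example, and on-disk xattr entry overhead is not modelled.

```python
import os
import sys
from collections import Counter

XATTR = "security.selinux"   # the 16-byte attribute name counted in the mail
BUDGET = 100                 # assumption: round figure for in-inode xattr space


def label_sizes(root):
    """Yield len(security.selinux value) for every inode under root, one filesystem only."""
    root_dev = os.lstat(root).st_dev
    yield from _size(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield from _size(os.path.join(dirpath, name))
        # Like find -xdev: do not descend into other mounted filesystems.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]


def _size(path):
    try:
        # Label of the inode itself, not of a symlink's target.
        yield len(os.getxattr(path, XATTR, follow_symlinks=False))
    except OSError:
        return  # unlabeled, unreadable, or xattrs unsupported here


def summarize(sizes, budget=BUDGET):
    """Histogram plus the mail's name+value accounting for an iterable of value lengths."""
    hist = Counter(sizes)
    count = sum(hist.values())
    total = sum(size * n for size, n in hist.items())
    name_len = len(XATTR)
    return {
        "count": count,
        "histogram": dict(sorted(hist.items())),
        "mean_value": total / count if count else 0.0,
        "mean_entry": total / count + name_len if count else 0.0,
        "max_value": max(hist, default=0),
        "over_budget": sum(n for size, n in hist.items() if size + name_len > budget),
    }


if __name__ == "__main__":
    stats = summarize(label_sizes(sys.argv[1] if len(sys.argv) > 1 else "/"))
    for size, n in stats.pop("histogram").items():
        print(f"{n:7d} {size}")
    print(stats)
```

Run it as root with the mount point as the only argument; a non-zero over_budget count means some labels would not fit the assumed in-inode space under this accounting.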

