lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 19 Sep 2012 13:25:26 +0300
From:	"Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>
To:	James Morris <jmorris@...ei.org>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	linux-fsdevel@...r.kernel.org,
	linux-security-module <linux-security-module@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Al Viro <viro@...iv.linux.org.uk>,
	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Subject: Re: IMA policy search speedup

On Wed, Sep 19, 2012 at 7:21 AM, James Morris <jmorris@...ei.org> wrote:
> On Tue, 18 Sep 2012, Kasatkin, Dmitry wrote:
>
>> I looked to <linux/fs.h> and found that there is a possibility to to
>> add additional flag for sb->s_flags.
>> For example
>>
>> #define MS_NOT_IMA              (1<<25) /* NOT_IMA */
>> #define IS_I_NOT_IMA(inode)   __IS_FLG(inode, MS_NOT_IMA)
>>
>>
>> Another way is to add additional dedicated integrity related member to
>> the sb structure.
>> struct super_block {
>> ...
>> #ifdef CONFIG_INTEGRITY
>>       int s_integrity;
>> #endif
>> };
>>
>> Obviously there are only few super blocks in the system and few bytes
>> will not harm.
>
> The flag seems better than adding a new struct member.  Why would you need
> an int for this?
>

int is not really needed. It may be char. I just thought that normally
we have around 10 super blocks
and it 10 or 40 bytes does not really mater...

Actually there is more severe case. IMA cache objects "iint" per inode
have following members:
  enum integrity_status ima_status;
  enum integrity_status evm_status;

And it is only 5 values per each or 10 values per 8 bytes.
8 bytes can be easily replaced by 1 byte.

Should we improve it?

>
>
> - James
> --
> James Morris
> <jmorris@...ei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ