Message-ID: <522FDFCC.1070007@redhat.com>
Date: Tue, 10 Sep 2013 22:13:16 -0500
From: Eric Sandeen <sandeen@...hat.com>
To: "Theodore Ts'o" <tytso@....edu>, Andreas Dilger <adilger@...ger.ca>,
	Thavatchai Makphaibulchoke <thavatchai.makpahibulchoke@...com>,
	T Makphaibulchoke <tmac@...com>, Al Viro <viro@...iv.linux.org.uk>,
	"linux-ext4@...r.kernel.org List" <linux-ext4@...r.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	"linux-fsdevel@...r.kernel.org Devel" <linux-fsdevel@...r.kernel.org>,
	aswin@...com, Linus Torvalds <torvalds@...ux-foundation.org>,
	aswin_proj@...ts.hp.com
Subject: Re: [PATCH v3 0/2] ext4: increase mbcache scalability

On 9/10/13 4:02 PM, Theodore Ts'o wrote:
> On Tue, Sep 10, 2013 at 02:47:33PM -0600, Andreas Dilger wrote:
>> I agree that SELinux is enabled on enterprise distributions by default,
>> but I'm also interested to know how much overhead this imposes. I would
>> expect that writing large external xattrs for each file would have quite
>> a significant performance overhead that should not be ignored. Reducing
>> the mbcache overhead is good, but eliminating it entirely is better.
>
> I was under the impression that using a 256 byte inode (which gives a
> bit over 100 bytes worth of xattr space) was plenty for SELinux. If
> it turns out that SELinux's use of xattrs have gotten especially
> piggy, then we may need to revisit the recommended inode size for
> those systems who insist on using SELinux... even if we eliminate the
> overhead associated with mbcache, the fact that files are requiring a
> separate xattr is going to seriously degrade performance.

On my RHEL6 system,

# find / -xdev -exec getfattr --only-values -m security.* {} 2>/dev/null \; | wc -c
11082179

bytes of names for:

# df -i /
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/mapper/vg_bp05-lv_root
                     3276800  280785 2996015    9% /

280785 inodes used, so:

11082179/280785 = ~39.5 bytes per value on average, plus:

# echo -n "security.selinux" | wc -c
16

16 bytes for the name is only about 55-56 bytes per selinux attr
on average.

So nope, not "especially piggy" on average.

Another way to do it is this; list all possible file contexts, and make
a histogram of sizes:

# for CONTEXT in `semanage fcontext -l | awk '{print $NF}' `; do echo -n $CONTEXT | wc -c; done | sort -n | uniq -c
      1 7
     33 8
    356 26
     14 27
     14 28
     37 29
     75 30
    237 31
    295 32
    425 33
    324 34
    445 35
    548 36
    229 37
    193 38
    181 39
    259 40
     81 41
    108 42
     96 43
     55 44
     55 45
     16 46
     41 47
     23 48
     28 49
     36 50
     10 51
     10 52
      5 54
      2 57

so a 57 byte value is max, but there aren't many of the larger values.

Above doesn't tell us the prevalence of various contexts on the actual
system, but they are all under 100 bytes in any case.

-Eric

> - Ted
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
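
The message notes that the semanage histogram does not show how prevalent each context is on the actual system. The following is an added example, not part of the original message: a Python sketch that histograms the security.selinux value sizes actually stored on one filesystem, using the message's name-plus-value accounting. The function names and the 100-byte budget (taken from the quoted "a bit over 100 bytes" estimate) are assumptions of this example, and it ignores ext4's per-entry header and padding.

```python
import os
import sys
from collections import Counter

XATTR_NAME = "security.selinux"   # 16-byte name, as counted in the message
XATTR_BUDGET = 100                # assumption: the "a bit over 100 bytes" figure quoted above

def read_label(path):
    """Raw security.selinux value of path, or None if missing or unreadable."""
    try:
        return os.getxattr(path, XATTR_NAME, follow_symlinks=False)
    except OSError:
        return None

def dev_of(path):
    """Device number of path itself (no symlink following), or None if it vanished."""
    try:
        return os.lstat(path).st_dev
    except OSError:
        return None

def walk_one_fs(root):
    """Yield root and everything below it that lives on the same device."""
    dev = dev_of(root)
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into another filesystem.
        dirnames[:] = [d for d in dirnames if dev_of(os.path.join(dirpath, d)) == dev]
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def label_sizes(paths, reader=read_label):
    """Byte length of each label exactly as returned; unlabeled paths are skipped."""
    values = (reader(p) for p in paths)
    return [len(v) for v in values if v is not None]

def summarize(sizes, budget=XATTR_BUDGET):
    """Histogram and averages, using the message's accounting: name + value bytes."""
    hist = Counter(sizes)
    n = sum(hist.values())
    avg = sum(s * c for s, c in hist.items()) / n if n else 0.0
    return {"files": n, "avg_value": avg, "max_value": max(hist, default=0),
            "avg_name_plus_value": avg + len(XATTR_NAME) if n else 0.0,
            "over_budget": sum(c for s, c in hist.items() if s + len(XATTR_NAME) > budget),
            "histogram": sorted(hist.items())}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    print(summarize(label_sizes(walk_one_fs(root))))
```

Run as root with the mount point as the only argument; the "over_budget" count is the number of files whose name plus value would not fit the assumed in-inode budget.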