[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1175002823.3864.301.camel@moss-spartans.epoch.ncsc.mil>
Date: Tue, 27 Mar 2007 09:40:23 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Sami Farin <safari-kernel@...ari.iki.fi>
Cc: linux-kernel Mailing List <linux-kernel@...r.kernel.org>,
James Morris <jmorris@...ei.org>,
Eric Paris <eparis@...isplace.org>
Subject: Re: oprofile / selinux / security_port_sid
On Tue, 2007-03-27 at 13:06 +0300, Sami Farin wrote:
> is there room for improvement in security_port_sid() ?
Yes, lots of room. Also, it won't get called per-packet if you enable
secmark (echo 0 > /selinux/compat_net or boot with selinux_compat_net=0
or build with SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT), although that
may require updating your policy.
> little test with dns queries (dnsfilter (the client) on local host
> using poll() and dnscache (the server) using epoll (at max 4000 concurrent
> queries):
> (stats for only vmlinux)
>
> CPU: P4 / Xeon, speed 2797.32 MHz (estimated)
> Counted GLOBAL_POWER_EVENTS events (time during which processor is not stopped) with a unit mask of 0x01 (mandatory) count 45000
> Counted FSB_DATA_ACTIVITY events (DRDY or DBSY events on the front side bus) with a unit mask of 0x03 (multiple flags) count 45000
> Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x05 (multiple flags) count 45000
> Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x0a (multiple flags) count 45000
> samples % samples % samples % samples % symbol name
> 220663 10.2181 6704 17.9737 5735 7.5171 27 1.1989 datagram_poll
> 140086 6.4869 3239 8.6839 3786 4.9624 24 1.0657 sock_poll
> 119636 5.5399 2172 5.8232 7168 9.3954 24 1.0657 do_poll
> 101512 4.7006 3987 10.6893 812 1.0643 14 0.6217 udp_get_port
> 71008 3.2881 1017 2.7266 2694 3.5311 397 17.6288 security_port_sid
> 64350 2.9798 144 0.3861 1912 2.5061 6 0.2664 add_wait_queue
> 60815 2.8161 187 0.5014 3246 4.2546 2 0.0888 remove_wait_queue
> 47456 2.1975 1823 4.8875 476 0.6239 31 1.3766 udp_v4_lookup_longway
>
> if dnsfilter had used epoll, security_port_sid would
> probably (?) be number one (or two or three) CPU user in kernel.
>
> also note that 17.6% of mispredicted branches occurr in security_port_sid.
>
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists