Re: [SE/Linux] status / progress report 13jun2004
On Mon, 14 Jun 2004, Russell Coker wrote:
> On Mon, 14 Jun 2004 03:01, Christoph Hellwig <firstname.lastname@example.org> wrote:
> > It's actually disabled again (compiled in but disabled) in SuSE because
> > the performance hit was much much worse. And I remember benchmark
> > numbers where the lsm hooks alone decreased the SpecWeb numbers on ia64
> > by more than 10%. I'd vote strongly against enabling LSM in the Debian
> > kernel images.
When did you see these figures? They are not consistent with the
performance data I've seen.
When I ran Webstone tests on x86 for the Usenix paper, there was a 5-7%
performance hit for LSM, which dropped to 1-2% once the Netfilter hooks
were disabled. LSM was reworked considerably before submission to the
upstream kernel, which included dropping the Netfilter hooks, as well as
many other hooks in the networking, and the hooking mechanism itself was
redesigned for efficiency. LSM should have significantly less overhead
than the 1-2% figure for web performance.