Re: [PATCH] remove sys_security

Greg KH (greg@kroah.com)
Thu, 17 Oct 2002 13:58:31 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Russell Coker: "Re: [PATCH] remove sys_security"
Previous message: James Antill: "Re: sendfile(2) behaviour has changed ?"
In reply to: David S. Miller: "Re: [PATCH] remove sys_security"
Next in thread: David S. Miller: "Re: [PATCH] remove sys_security"

On Thu, Oct 17, 2002 at 01:38:16PM -0700, David S. Miller wrote:
>
> How am I supposed to know what the things are being passed in
> via these opaque "unsigned long" parameters?
>
> Could they be pointers? If so, game over already, and this needs
> to be fixed NOW.

Agreed, I'll let a user of this function speak up on how they intend to
address the problem. I'm through arguing for this hook.

> And (ignoring the network hooks) there is not a measurable overhead for
> these hooks. We have documented this many times (OLS paper, USENIX
> paper, etc.) With the patch I'm about to submit, disabling the option
> makes them go away entirely.
>
> Look at the code that gets output, look at the 32K of kernel image
> I get even though I have no intention of _ever_ loading a security
> module.
>
> So if distribution makers enable CONFIG_SECURITY, EVERY USER eats
> this 32K. That _SUCKS_.

Note for the readers, this is 32K on Sparc, on i386 it's much smaller as
documented yesterday.

> And I severely contest your overhead argument, look at the assembler
> code being output, the kernel parts where the hooks are placed are
> different. Lots of places that used to be leaf functions are no
> longer leaf functions due to the security_ops invocation being there
> now. Register allocation is also going to be quite different
> different.

I've run the numbers myself on OSDL machines, and seen that there is no
measurable overhead for these functions. Sure, there is an extra
function call, and different assembler, I'll never contest that. It's
just that I could not measure it.

> In short, it's bloat, and if you refuse to realize that perhaps kernel
> development is not your true calling in life :-)

It is adding stuff to the kernel. Now if you want to call it bloat,
fine. I like calling the USB stack bloat too, and it is bloat for
people who don't use it. And now you can disable the option, so it will
not be bloat for you too, if you don't want it. Argue with your
favorite distro if they enable the option that they shouldn't do that,
if they do, don't try to convince me.

And I know what my true calling in life is, but unfortunately there isn't
much calling for a professional pan flute player :)

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Russell Coker: "Re: [PATCH] remove sys_security"
Previous message: James Antill: "Re: sendfile(2) behaviour has changed ?"
In reply to: David S. Miller: "Re: [PATCH] remove sys_security"
Next in thread: David S. Miller: "Re: [PATCH] remove sys_security"