MAC kernel option
Christian S.J. Peron
csjp at FreeBSD.org
Sun Sep 18 16:56:00 GMT 2005
On Sun, Sep 18, 2005 at 01:21:17PM +0100, Robert Watson wrote:
>
> For the time being, I think leaving it off by default is the right thing
> to do. There are a few performance issues we'll want to consider
> carefully:
>
> (1) Right now, we automatically allocate label storage for four policies
> on most system objects if MAC is compiled in. This isn't a huge
> amount of memory (4 pointers plus one flags field), and it is zone
> allocated, but this is still a non-trivial overhead. We don't do this
> for mbufs unless requested by an active policy, but it's still
> measurable.
>
How about we introduce MPC_LOADTIME_FLAG_USELABELS which we can use for
MAC policies which require the use of labels? This way we conditionally
allocate label storage only if a policy which requires them is loaded.
Thoughts?
--
Christian S.J. Peron
csjp at FreeBSD.ORG
FreeBSD Committer
FreeBSD Security Team
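
A user-space model of the conditional label allocation proposed above, added here as an illustration; it is not code from the message or from FreeBSD. The flag name comes from the message, while its value, the struct layouts and every function name are assumptions, and the fill-on-first-use step is one possible way to handle objects created before a label-using policy loads.

```c
#include <stdio.h>
#include <stdlib.h>

/* Flag name is the one proposed in the message; its value here is assumed. */
#define MPC_LOADTIME_FLAG_USELABELS 0x1
#define MAC_MAX_SLOTS 4   /* "four policies" in the quoted text */

struct label  { void *slot[MAC_MAX_SLOTS]; int flags; };
struct object { struct label *label; };   /* stand-in for a system object */
struct policy { const char *name; int loadtime_flags; };

static int label_users;   /* loaded policies that requested labels */

void policy_load(const struct policy *p) {
    if (p->loadtime_flags & MPC_LOADTIME_FLAG_USELABELS) label_users++;
}
void policy_unload(const struct policy *p) {
    if ((p->loadtime_flags & MPC_LOADTIME_FLAG_USELABELS) && label_users > 0) label_users--;
}

/* Object creation pays for label storage only when a loaded policy needs it. */
int object_init(struct object *o) {
    o->label = NULL;
    if (label_users == 0)
        return 0;
    o->label = calloc(1, sizeof(*o->label));
    return o->label != NULL ? 0 : -1;
}

/* Objects created before such a policy loaded have no label; fill it on first
 * use (one possible handling, not part of the proposal). */
struct label *object_label(struct object *o) {
    if (o->label == NULL && label_users > 0)
        o->label = calloc(1, sizeof(*o->label));
    return o->label;
}

void object_destroy(struct object *o) { free(o->label); o->label = NULL; }

int main(void) {
    struct policy labeled = { "labeled", MPC_LOADTIME_FLAG_USELABELS };
    struct object early, late;
    object_init(&early);              /* no label-using policy loaded yet */
    policy_load(&labeled);
    object_init(&late);
    printf("early=%p late=%p\n", (void *)early.label, (void *)late.label);
    object_destroy(&early); object_destroy(&late);
    return 0;
}
```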