MAC kernel option
Scott Long
scottl at samsco.org
Sun Sep 18 16:58:12 GMT 2005
Christian S.J. Peron wrote:
> On Sun, Sep 18, 2005 at 01:21:17PM +0100, Robert Watson wrote:
>
>>For the time being, I think leaving it off by default is the right thing
>>to do. There are a few performance issues we'll want to consider
>>carefully:
>>
>>(1) Right now, we automatically allocate label storage for four policies
>> on most system objects if MAC is compiled in. This isn't a huge
>> amount of memory (4 pointers plus one flags field), and it is zone
>> allocated, but this is still a non-trivial overhead. We don't do this
>> for mbufs unless requested by an active policy, but it's still
>> measurable.
>>
>
>
> How about we introduce MPC_LOADTIME_FLAG_USELABELS which we can use for
> MAC policies which require the use of labels. This way we conditionally
> allocate label storage only if a policy which requires them is loaded.
>
> Thoughts?
>
I think that it would be very good to take a _very_ close look at the
experience that Fedora has had with enabling the Linux framework by
default.
Scott
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message