Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Florian Westphal <fw@strlen.de>
Cc: Paul Moore <paul@paul-moore.com>, Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
	Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: [PATCH RFC 0/9] sk_buff: optimize layout for GRO
Date: Mon, 26 Jul 2021 08:13:28 -0700	[thread overview]
Message-ID: <d0186e8f-41f8-7d4d-5c2c-706bfe3c30cc@schaufler-ca.com> (raw)
In-Reply-To: <20210725225200.GL9904@breakpoint.cc>

On 7/25/2021 3:52 PM, Florian Westphal wrote:
> Casey Schaufler <casey@schaufler-ca.com> wrote:
>> RedHat and android use SELinux and will want this. Ubuntu doesn't
>> yet, but netfilter in in the AppArmor task list. Tizen definitely
>> uses it with Smack. The notion that security modules are only used
>> in fringe cases is antiquated. 
> I was not talking about LSM in general, I was referring to the
> extended info that Paul mentioned.
>
> If thats indeed going to be used on every distro then skb extensions
> are not suitable for this, it would result in extr akmalloc for every
> skb.

I am explicitly talking about the use of secmarks. All my
references are uses of secmarks.

>>> It certainly makes more sense to me than doing lookups
>>> in a hashtable based on a ID
>> Agreed. The data burden required to support a hash scheme
>> for the security module stacking case is staggering.
> It depends on the type of data (and its lifetime).
>
> I suspect you have something that is more like skb->dev/dst,
> i.e. reference to object that persists after the skb is free'd.

Just so. Only to make it more complicated, SELinux and Smack,
the two LSMs currently using secmarks, use them differently.
SELinux uses u32 "secids" natively, but Smack suffers serious
performance degradation because it has to look up (efficiently,
but look up nonetheless) the real Smack value on every packet.
Please, I know about hash caches, cache hashes and all sorts
of clever tricks to reduce the impact. Nothing beats having the
end value up front.
 



  reply	other threads:[~2021-07-26 15:16 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-21 16:44 Paolo Abeni
2021-07-21 18:15 ` Casey Schaufler
2021-07-22  7:10   ` Paolo Abeni
2021-07-22 16:04     ` Casey Schaufler
2021-07-22 16:57       ` Paolo Abeni
2021-07-22 18:41         ` Paul Moore
2021-07-24 18:51           ` Florian Westphal
2021-07-25 14:57             ` Paul Moore
2021-07-25 16:25               ` Florian Westphal
2021-07-25 21:53                 ` Casey Schaufler
2021-07-25 22:52                   ` Florian Westphal
2021-07-26 15:13                     ` Casey Schaufler [this message]
2021-07-27  2:51                       ` Paul Moore
2021-07-28 16:21                         ` Paolo Abeni

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=d0186e8f-41f8-7d4d-5c2c-706bfe3c30cc@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=kuba@kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=selinux@vger.kernel.org \
    --subject='Re: [PATCH RFC 0/9] sk_buff: optimize layout for GRO' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).