Re: oprofile / selinux / security_port_sid

From: Stephen Smalley
Date: Tue Mar 27 2007 - 09:46:39 EST

Next message: Eric W. Biederman: "Re: 2.6.21-rc1 and 2.6.21-rc2 kwin dies silently"
Previous message: Eric W. Biederman: "Re: [4/5] 2.6.21-rc5: known regressions"
In reply to: Sami Farin: "oprofile / selinux / security_port_sid"
Next in thread: Sami Farin: "Re: oprofile / selinux / security_port_sid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2007-03-27 at 13:06 +0300, Sami Farin wrote:
> is there room for improvement in security_port_sid() ?

Yes, lots of room. Also, it won't get called per-packet if you enable
secmark (echo 0 > /selinux/compat_net or boot with selinux_compat_net=0
or build with SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT), although that
may require updating your policy.

> little test with dns queries (dnsfilter (the client) on local host
> using poll() and dnscache (the server) using epoll (at max 4000 concurrent
> queries):
> (stats for only vmlinux)
>
> CPU: P4 / Xeon, speed 2797.32 MHz (estimated)
> Counted GLOBAL_POWER_EVENTS events (time during which processor is not stopped) with a unit mask of 0x01 (mandatory) count 45000
> Counted FSB_DATA_ACTIVITY events (DRDY or DBSY events on the front side bus) with a unit mask of 0x03 (multiple flags) count 45000
> Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x05 (multiple flags) count 45000
> Counted BRANCH_RETIRED events (retired branches) with a unit mask of 0x0a (multiple flags) count 45000
> samples % samples % samples % samples % symbol name
> 220663 10.2181 6704 17.9737 5735 7.5171 27 1.1989 datagram_poll
> 140086 6.4869 3239 8.6839 3786 4.9624 24 1.0657 sock_poll
> 119636 5.5399 2172 5.8232 7168 9.3954 24 1.0657 do_poll
> 101512 4.7006 3987 10.6893 812 1.0643 14 0.6217 udp_get_port
> 71008 3.2881 1017 2.7266 2694 3.5311 397 17.6288 security_port_sid
> 64350 2.9798 144 0.3861 1912 2.5061 6 0.2664 add_wait_queue
> 60815 2.8161 187 0.5014 3246 4.2546 2 0.0888 remove_wait_queue
> 47456 2.1975 1823 4.8875 476 0.6239 31 1.3766 udp_v4_lookup_longway
>
> if dnsfilter had used epoll, security_port_sid would
> probably (?) be number one (or two or three) CPU user in kernel.
>
> also note that 17.6% of mispredicted branches occurr in security_port_sid.
>
--
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric W. Biederman: "Re: 2.6.21-rc1 and 2.6.21-rc2 kwin dies silently"
Previous message: Eric W. Biederman: "Re: [4/5] 2.6.21-rc5: known regressions"
In reply to: Sami Farin: "oprofile / selinux / security_port_sid"
Next in thread: Sami Farin: "Re: oprofile / selinux / security_port_sid"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]