Re: IMA policy search speedup

[Kasatkin, Dmitry]

On Wed, Sep 19, 2012 at 7:21 AM, James Morris <jmorris@xxxxxxxxx> wrote:
> On Tue, 18 Sep 2012, Kasatkin, Dmitry wrote:
>
>> I looked to <linux/fs.h> and found that there is a possibility to to
>> add additional flag for sb->s_flags.
>> For example
>>
>> #define MS_NOT_IMA              (1<<25) /* NOT_IMA */
>> #define IS_I_NOT_IMA(inode)   __IS_FLG(inode, MS_NOT_IMA)
>>
>>
>> Another way is to add additional dedicated integrity related member to
>> the sb structure.
>> struct super_block {
>> ...
>> #ifdef CONFIG_INTEGRITY
>>       int s_integrity;
>> #endif
>> };
>>
>> Obviously there are only few super blocks in the system and few bytes
>> will not harm.
>
> The flag seems better than adding a new struct member.  Why would you need
> an int for this?
>

int is not really needed. It may be char. I just thought that normally
we have around 10 super blocks
and it 10 or 40 bytes does not really mater...

Actually there is more severe case. IMA cache objects "iint" per inode
have following members:
  enum integrity_status ima_status;
  enum integrity_status evm_status;

And it is only 5 values per each or 10 values per 8 bytes.
8 bytes can be easily replaced by 1 byte.

Should we improve it?

>
>
> - James
> --
> James Morris
> <jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/