[apparmor] [PATCH 08/16] apparmor: add parameter to control whether policy hashing is used

Christian Boltz apparmor at cboltz.de
Thu Apr 21 10:57:51 UTC 2016


On Wednesday, 20 April 2016, 23:52:50 CEST, John Johansen wrote:
> +       help
> +         This option selects whether sha1 hashing of loaded policy
> +	 is enabled by default. The generation of sha1 hashes for
> +	 loaded policy provide system administrators a quick way
> +	 to verify that policy in the kernel matches what is expected,
> +	 however it can slow down policy load on some devices. In
> +	 these cases policy hashing can be disabled by default and
> +	 enabled only if needed.
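
Review bot: the last sentence of the help text says hashing can be "enabled only if needed" but does not name the parameter that turns it back on, so someone reading this Kconfig entry cannot tell how to do that; name the parameter this patch adds in that sentence. In the second sentence, "The generation of sha1 hashes for loaded policy provide system administrators" should read "provides".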

I'm surprised that calculating some sha1 hashes brings a noticeable 
slowdown ;-)

Just curious - would it make sense to calculate the sha1 only when 
reading it from apparmorfs, instead of doing it at profile load time?
(I'd guess that loading a profile happens more often than reading a sha1 
from apparmorfs, and it would solve the "slow down load" part.)


Christian Boltz
TikiWiki is a very comprehensive collection of security vulnerabilities,
conceptual problems and performance killers that can do everything and
nothing properly.   [Kristian Köhntopp on