[apparmor] [PATCH 08/16] apparmor: add parameter to control whether policy hashing is used
Christian Boltz
apparmor at cboltz.de
Thu Apr 21 10:57:51 UTC 2016
Hello,
Am Mittwoch, 20. April 2016, 23:52:50 CEST schrieb John Johansen:
...
> + help
> + This option selects whether sha1 hashing of loaded policy
> + is enabled by default. The generation of sha1 hashes for
> + loaded policy provide system administrators a quick way
> + to verify that policy in the kernel matches what is expected,
> + however it can slow down policy load on some devices. In
> + these cases policy hashing can be disabled by default and
> + enabled only if needed.
I'm surprised that calculating some sha1 hashes brings a noticable
slowdown ;-)
Just curious - would it make sense to calculate the sha1 only when
reading it from apparmorfs, instead of doing it at profile load time?
(I'd guess that loading a profile happens more often than reading a sha1
from apparmorfs, and it would solve the "slow down load" part.)
Regards,
Christian Boltz
--
TikiWiki ist eine sehr umfassende Sammlung von Sicherheitslücken,
konzeptuellen Problemen und Performancekillern, die alles kann und
nichts richtig. [Kristian Köhntopp auf
http://blog.koehntopp.de/archives/2051-5-Jahre-Blogging.html]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160421/e33a7164/attachment.pgp>
More information about the AppArmor
mailing list