Date:      Fri, 22 Aug 2003 11:52:55 +0200
From:      Pawel Jakub Dawidek <nick@garage.freebsd.pl>
To:        Peter Jeremy <PeterJeremy@optushome.com.au>
Cc:        ari <edelkind-freebsd-hackers@episec.com>
Subject:   Re: [future patch] dropping user privileges on demand
Message-ID:  <20030822095255.GO47959@garage.freebsd.pl>
In-Reply-To: <20030822074023.GA85534@cirb503493.alcatel.com.au>
References:  <20030817181315.GL55671@episec.com> <20030821065854.GA11586@dan.emsphone.com> <20030821125028.GY55671@episec.com> <20030821162156.GL47959@garage.freebsd.pl> <20030821170915.GZ55671@episec.com> <20030821204403.GN47959@garage.freebsd.pl> <20030822074023.GA85534@cirb503493.alcatel.com.au>



On Fri, Aug 22, 2003 at 05:40:23PM +1000, Peter Jeremy wrote:
+> Unless 'syscall' can be evaluated at compile time, this approach adds
+> overhead wherever it is used - and the overhead gets worse as the
+> number of system calls in the set increases.  A particular problem is
+> that the overhead is worst for system calls that aren't caught (in the
+> above, the overhead for open() is trivial but write() would need to go
+> through each of the tests).  A bit-vector provides constant overhead
+> but it's still fairly expensive unless the relevant parts of the vector
+> are already cached.

You are wrong.
In CerbNG, you decide in rules which syscalls should be caught and which not.
And syscalls like read(2) and write(2) are never caught, because it is
just useless. The most expensive policy in syscall catching is openssh -
it is monitoring 21 syscalls, but most policies use only a few syscalls.

Of course there is overhead, but I haven't heard of a security feature
that speeds up a system. The only thing we can do is decrease overhead.

-- 
Pawel Jakub Dawidek                       pawel@dawidek.net
UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net

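An added illustration of the cost question raised in the quoted paragraph and answered in the reply (example code written for this archive page, not code from CerbNG or from either poster): the same syscall-monitoring policy held once as a bit-vector and once as a list walked with a chain of comparisons. Each representation counts the comparisons it makes, so the asymmetry Peter describes (an uncaught syscall such as write() pays the most under a linear chain) and Pawel's point (read/write are simply not in the set) both become measurable. The syscall numbers and the 21-entry policy are constructed for the demo; they are not the real FreeBSD syscall table or the real openssh rules.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on syscall numbers in this toy; the real table is platform-specific. */
#define SC_MAX 512

/* Constructed syscall numbers for the demo; NOT the real FreeBSD syscall table. */
enum { SC_READ = 3, SC_WRITE = 4, SC_OPEN = 5, SC_EXECVE = 59 };

/* Policy as a bit-vector: one bit per syscall number, constant-cost membership. */
struct bv_policy {
    uint64_t bits[SC_MAX / 64];
    unsigned long tests;        /* instrumentation: comparisons performed */
};

/* Policy as a list: membership is a chain of comparisons, cost grows with size. */
struct list_policy {
    int syscalls[64];
    int n;
    unsigned long tests;        /* instrumentation: comparisons performed */
};

static void bv_init(struct bv_policy *p)     { memset(p, 0, sizeof *p); }
static void list_init(struct list_policy *p) { memset(p, 0, sizeof *p); }

/* Add a syscall number to a policy; returns 0, or -1 if out of range / full. */
int bv_add(struct bv_policy *p, int sc)
{
    if (sc < 0 || sc >= SC_MAX)
        return -1;
    p->bits[sc / 64] |= (uint64_t)1 << (sc % 64);
    return 0;
}

int list_add(struct list_policy *p, int sc)
{
    if (sc < 0 || sc >= SC_MAX || p->n >= (int)(sizeof p->syscalls / sizeof p->syscalls[0]))
        return -1;
    p->syscalls[p->n++] = sc;
    return 0;
}

/* One shift-and-mask regardless of how many syscalls the policy monitors. */
int bv_catches(struct bv_policy *p, int sc)
{
    if (sc < 0 || sc >= SC_MAX)
        return 0;
    p->tests++;
    return (int)((p->bits[sc / 64] >> (sc % 64)) & 1);
}

/* An uncaught syscall walks the whole chain before it is cleared. */
int list_catches(struct list_policy *p, int sc)
{
    for (int i = 0; i < p->n; i++) {
        p->tests++;
        if (p->syscalls[i] == sc)
            return 1;
    }
    return 0;
}

/* A 21-entry policy, the size the thread gives for openssh. The numbers are
 * constructed: open and execve are monitored, read and write never are. */
void build_demo_policy(struct bv_policy *bv, struct list_policy *ls)
{
    static const int caught[21] = { 5, 59, 6, 7, 10, 12, 20, 21, 22, 23, 24,
                                    25, 27, 30, 31, 33, 36, 39, 41, 42, 43 };
    bv_init(bv);
    list_init(ls);
    for (size_t i = 0; i < sizeof caught / sizeof caught[0]; i++) {
        bv_add(bv, caught[i]);
        list_add(ls, caught[i]);
    }
}

/* Decision and comparison count for one syscall under each representation. */
int demo_bv_catches(int sc)     { struct bv_policy b; struct list_policy l; build_demo_policy(&b, &l); return bv_catches(&b, sc); }
int demo_list_catches(int sc)   { struct bv_policy b; struct list_policy l; build_demo_policy(&b, &l); return list_catches(&l, sc); }
unsigned long bv_cost(int sc)   { struct bv_policy b; struct list_policy l; build_demo_policy(&b, &l); bv_catches(&b, sc); return b.tests; }
unsigned long list_cost(int sc) { struct bv_policy b; struct list_policy l; build_demo_policy(&b, &l); list_catches(&l, sc); return l.tests; }

int main(void)
{
    const int probe[] = { SC_OPEN, SC_EXECVE, SC_WRITE, SC_READ };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("syscall %2d: bitvec caught=%d tests=%lu | list caught=%d tests=%lu\n",
               probe[i], demo_bv_catches(probe[i]), bv_cost(probe[i]),
               demo_list_catches(probe[i]), list_cost(probe[i]));
    return 0;
}
```

Under the list representation write() costs 21 comparisons to be cleared while open() costs one; under the bit-vector every decision costs one. Neither cost is zero, which is the reply's point: the rule set controls which syscalls enter the check at all, and the representation only bounds what an entry costs.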