Lcj pg sql-lt-kaigai
    Presentation Transcript

    • Next Linux kernel boosts SE-PostgreSQL. KaiGai Kohei <kaigai@kaigai.gr.jp> (@kkaigai)
    • SELinux as a Security Server (SaaSS): a user's SQL query reaches PostgreSQL, SE-PgSQL asks SELinux for an access control decision through libselinux, and the kernel's decision is applied to the database objects the query touches.
    • Userspace access vector cache: a system call is expensive, so SE-PgSQL caches recently used access control decisions in what is called a userspace access vector cache. Heuristically, the hit rate is over 99.9%. Events that invalidate the cache: the kernel policy is reloaded, or the kernel is switched between enforcing and permissive mode.
    • Issue of cache invalidation. Option 1: check the kernel status on every cache lookup; this needs one system call per access control decision, which defeats the purpose of the cache. Option 2: a worker thread monitors a netlink socket for notifications; but does the PostgreSQL process model allow a plugin module to launch a worker process? We need a lightweight event notification mechanism.
    • /selinux/status (1/2): this pseudo file lets a process mmap(2) the kernel status page in read-only mode. Layout of the page:
          +0   u32  version
          +4   u32  sequence      (incremented for each kernel event, so a reader can detect an update in progress)
          +8   u32  enforcing
          +12  u32  policyload    (count of policy reloads)
          +16  u32  deny_unknown  (marked "always zero" on the slide)
      No need to invoke a system call; no need to launch a worker thread.
    • /selinux/status (2/2). Current status: the feature is now in the linux-next tree and will be available in the 2.6.37 kernel. Performance measurement, 10 million iterations of avc_has_perm(): with /selinux/status 4.71 s; without /selinux/status 65.44 s.
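
The slides describe the status page only as a layout and a benchmark. The following C program, added here as an example and not code from the talk or from SE-PgSQL/libselinux, shows how a userspace AVC consumes it: map the page read-only, take a consistent snapshot with the seqlock-style `sequence` counter (retry while it is odd or changes under the copy), and drop cached decisions only when `enforcing` or `policyload` differ from the values the cache was built against. The `struct uavc_state` bookkeeping and the helper names are assumptions for illustration; the constructed sample page is used when the host has no SELinux status page (the modern mount point /sys/fs/selinux/status is tried before the /selinux/status path used on the slide).

```c
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

/* Layout of the page exported by /selinux/status, as given on the slide. */
struct selinux_kernel_status {
    uint32_t version;
    uint32_t sequence;     /* seqlock counter: odd while the kernel is mid-update */
    uint32_t enforcing;
    uint32_t policyload;   /* bumped on every policy reload */
    uint32_t deny_unknown;
};

/* Consistent snapshot of the page with no system call: the kernel bumps
 * `sequence` before and after an update, so retry while it is odd or while
 * it changed between the two reads around the copy. */
static struct selinux_kernel_status
status_snapshot(const volatile struct selinux_kernel_status *page)
{
    struct selinux_kernel_status snap;
    for (;;) {
        uint32_t seq = page->sequence;
        __sync_synchronize();              /* read sequence before the payload */
        if (seq & 1)
            continue;                      /* writer in progress; spin */
        snap.version      = page->version;
        snap.sequence     = seq;
        snap.enforcing    = page->enforcing;
        snap.policyload   = page->policyload;
        snap.deny_unknown = page->deny_unknown;
        __sync_synchronize();              /* read payload before re-checking */
        if (seq == page->sequence)
            return snap;
    }
}

/* Hypothetical userspace-AVC bookkeeping (not SE-PgSQL's own structure):
 * the kernel state the cached decisions were computed under. */
struct uavc_state {
    uint32_t enforcing;
    uint32_t policyload;
};

/* Returns 1 if cached decisions are still usable, 0 if they must be dropped
 * (policy reloaded, or enforcing/permissive switched). On 0 the bookkeeping
 * is advanced so the rebuilt cache is tied to the new kernel state. */
static int
uavc_cache_still_valid(struct uavc_state *st,
                       const volatile struct selinux_kernel_status *page)
{
    struct selinux_kernel_status now = status_snapshot(page);
    if (now.enforcing == st->enforcing && now.policyload == st->policyload)
        return 1;
    st->enforcing  = now.enforcing;
    st->policyload = now.policyload;
    return 0;
}

/* Map the kernel status page read-only; NULL if no SELinux status page. */
static volatile struct selinux_kernel_status *status_map(void)
{
    static const char *paths[] = { "/sys/fs/selinux/status", "/selinux/status" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int fd = open(paths[i], O_RDONLY);
        if (fd < 0)
            continue;
        void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_READ, MAP_SHARED, fd, 0);
        close(fd);
        if (p != MAP_FAILED)
            return p;
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample page for hosts without a status page. */
    struct selinux_kernel_status sample = { 1, 2, 1, 0, 0 };
    volatile struct selinux_kernel_status *page = status_map();
    if (!page) {
        puts("no SELinux status page; using constructed sample page");
        page = &sample;
    }
    struct selinux_kernel_status s = status_snapshot(page);
    printf("version=%u enforcing=%u policyload=%u deny_unknown=%u\n",
           s.version, s.enforcing, s.policyload, s.deny_unknown);
    struct uavc_state st = { s.enforcing, s.policyload };
    printf("cache still valid on re-check: %d\n", uavc_cache_still_valid(&st, page));
    return 0;
}
```

The validity check costs two aligned loads and a compare, which is the whole reason the slide's benchmark drops from 65.44 s to 4.71 s: no syscall on the hot path, and no extra process to receive netlink events.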