Using Webstone [33], we benchmarked the overhead imposed on a typical server application -- a webserver. We collected data showing the overhead of both a basic LSM kernel and an LSM kernel with the SELinux module loaded. The SELinux module uses the Netfilter-based hooks, so all three kernels (standard, LSM, and SELinux) have Netfilter support compiled in, and all are based on the 2.5.7 Linux kernel.
The standard kernel was compiled with Netfilter support. The LSM kernel was compiled with support for the Netfilter based hooks and used the default superuser logic. The SELinux kernel was compiled with support for SELinux and the Netfilter based hooks. The SELinux module was also stacked with the capabilities module, a typical SELinux configuration. We ran these tests on a dual 550MHz Celeron with 384MB RAM. The NIC was a Gigabit Netgear GA302T on a 32-bit 33MHz PCI bus. The webserver was Apache 1.3.22-0.6 (Red Hat 6.2 update).
Netfilter is a critical issue here. The 5-7% overhead observed in the LSM benchmarks in Tables 5 and 6 is greater than we would like. A separate experiment configured with LSM and Netfilter but without the Netfilter LSM hooks showed the more desirable 1-2% performance overhead. This is consistent with the worst case 5% overhead in TCP select observed in Section 5.2.1, and identifies the Netfilter LSM hooks as critical for optimization.
The uniprocessor (UP) benchmark data in Table 7 shows that SELinux imposes about 16% overhead on connection rate, and we found similar overhead in throughput. The SMP benchmark data in Table 8 shows about 21% overhead on connection rate, and we found similar overhead in throughput. The greater overhead for the SMP test is likely due to locking issues. Note that these overhead rates are specific to the SELinux module (a particularly popular module); performance costs for other modules will vary.