Performance overhead of sysmask ------------------------------------------- With respect to an unpatched kernel, the sysmask patch adds a function at the entrance of int80. The performance overhead of this function is at the most of the time imperceptible or negligeable. Besides this, the performance overhead of sysmask on a process depends on the sysmask configuration for that process. For processes with no token, no further performance overhead is added. When a process is running under a token, the performance overhead depends on the definition of the token. If there is no selective access control (exec, ropen, wopen, path, socket), there is no further performance overhead. As a general rule, each file access verification based on pathname takes a few microseconds on a modern PC. The exec mask only affects execve(). As execve() usually takes much more time, and it is not called all the time, the effect of this mask to the global performance is negligeable. Of course, whenever possible you should use the execve mask, which has no performance overhead, and the rule is simpler therefore more secure. The same thing is true for socket control implemented via the mask "sockop". On the other hand, ropen and wopen checks without path mask may add up to a dozen of percentages to the execution time for processes that perform many file openings, such as httpd. Here care should be taken to limit the complicatedness of the "open" configuration of the token. If for the majority of programs path mask does not add significantly more performance overhead beyond that of ropen and wopen, it may significantly slow down a process if it makes repetitive calls to stat() and access() which are otherwise very fast on local filesystems. In the worst case this would add up to 50% or more to the execution time. If this is the case and if the protection of path mask is important, the program can often be optimized to significantly reduce this effect. Repetitive calls to stat() can be suppressed by a fast cache, and sometimes files can be first open()ed then fstat()ed. ----------------------------------------------- For the general public, the worst performance degradation occurs with httpd, with ropen, wopen and path masks all set, and with detailed access control definitions. In this case, the performance overhead would in general be up to around 30%. With respect to the huge security benefit offered by the complete access control, this should be an acceptable trade-off.