XACE performance data, fixed XACE patch

Bryan Ericson bericson at trustedcs.com
Thu Mar 10 13:06:11 PST 2005 

Hi, All

I've run some performance tests using x11perf on the XACE security
framework.  The tests indicate that, in general, XACE does not
severely impact server performance.

Each run of the test was performed as follows:

Turn on/off security functionality in config/cf/X11.tmpl
make World
make install
unplug network cable from test machine
reboot
log in as a normal (non-root) user
run startx (NOTE: .xinitrc contained "xterm" as the only entry)
run x11perf -all > <file name>
try to avoid bumping the desk so as to avoid jiggling the mouse :-)

The tests were performed on a machine running stock Fedora Core 2,
with the exception (of course) of Xorg 6.8.2.

The names of the files containing the performance data are interpreted
as follows:

x11perf_[no]sec_[no]ace

Here, "nosec" means that the BuildXCSecurity and BuildAppGroup
variables were set to "NO" in X11.tmpl, whereas "sec" means they were
set to "YES".

"noace" means that the XACE patch had not been applied, while "ace"
means the patch had been applied that that the BuildXACE variable was
set to "YES".

Using x11perfcomp to compare runs, it seems that XACE does not have a
high impact on drawing or font-related operations (in a handful of
anomalous cases, XACE even slightly improved performance). The impact
is greater on the graphics context and window tests, particularly in
the tests involved with manipulating unmapped windows.

The test data may be found here:

http://dgoeddel.home.insightbb.com/x11perf_nosec_ace
http://dgoeddel.home.insightbb.com/x11perf_nosec_noace
http://dgoeddel.home.insightbb.com/x11perf_sec_ace
http://dgoeddel.home.insightbb.com/x11perf_sec_noace


Additionally, the test turned up a bug in the XACE patch involving a
few places where "#ifdef XCSECURITY" should have been replaced with
"#ifdef XACE".  The following patch corrects the problem, and
supersedes the previous XACE patch.  The XSELINUX patch is not
affected by the new XACE patch.

http://dgoeddel.home.insightbb.com/xorg-x11-6.8.2.xace.patch2

We welcome your questions or comments.

Thank you,

Bryan Ericson
Trusted Operating Systems Lab
Trusted Computer Solutions, Inc.
http://www.TrustedCS.com
bericson at trustedcs.com

More information about the xorg mailing list