Date: Fri, 23 Jan 2009 09:51:35 -0800
Subject: Re: [gentoo-hardened] Grsecurity slows down a web server?
From: Grant
To: gentoo-hardened@lists.gentoo.org

>> >> >> My website seems a bit slower since I enabled grsecurity on that
>> >> >> system. Is that typical? Is it most likely due to MPROTECT, or
>> >> >> something else?
>> >> >
>> >> > can you quantify this slowdown? and what grsec/pax features did you enable?
>> >>
>> >> I enabled the grsecurity "Gentoo (server)" profile in the hardened
>> >> kernel.
>> >
>> > ok, is PAGEEXEC enabled (and SEGMEXEC isn't) and is your cpu some P4 variant
>> > without NX support? that's about the only situation where you should see an
>> > observable slowdown, otherwise i doubt you can perceive a few % without
>> > actual measurements. so if neither is your case, it's definitely worth an
>> > investigation.
>>
>> Very close. PAGEEXEC is enabled, but so is SEGMEXEC. My CPU is a
>> P4-2.8, and I'm not sure about NX support but these are the flags:
>
>
> Disable PAGEEXEC and switch to SEGMEXEC on the P4. That slowdown will go
> away. No idea why on earth the (server) options would enable such a
> thing on the x86 platform.

menuconfig isn't letting me disable PAGEEXEC. Maybe it's tied to
grsecurity "Gentoo (server)"? I don't want to disable that. Maybe I
should live with the slowdown?

- Grant
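
The check asked about in the quoted replies above, as an added example that is not part of the original thread: it reads a cpuinfo dump for the `nx` flag and a kernel config for `CONFIG_PAX_PAGEEXEC` and `CONFIG_PAX_SEGMEXEC`. The function names, output labels and sample input are constructed for illustration; on a live system the inputs would be `/proc/cpuinfo` and the kernel `.config` (its path is an assumption).

```shell
#!/bin/sh
# Added example: classify a host against the case discussed in the thread
# (PaX PAGEEXEC on an x86 CPU without hardware NX support).

# has_nx FILE -> exit 0 if the first "flags" line of a cpuinfo dump lists nx
has_nx() {
    awk -F: '/^flags/ {
                 n = split($2, f, " ")
                 for (i = 1; i <= n; i++) if (f[i] == "nx") found = 1
                 exit
             }
             END { exit !found }' "$1"
}

# opt_on FILE OPTION -> exit 0 if OPTION=y appears in the kernel config
opt_on() {
    grep -q "^$2=y\$" "$1"
}

# pax_nx_report CPUINFO KCONFIG -> prints one classification label
pax_nx_report() {
    if has_nx "$1"; then
        echo "hw-nx"                 # CPU advertises NX
        return 0
    fi
    pe=no
    se=no
    opt_on "$2" CONFIG_PAX_PAGEEXEC && pe=yes
    opt_on "$2" CONFIG_PAX_SEGMEXEC && se=yes
    case "$pe/$se" in
        yes/no)  echo "no-nx:pageexec-only" ;;  # the slow case named in the thread
        yes/yes) echo "no-nx:both-built" ;;     # the setup the poster reports
        no/yes)  echo "no-nx:segmexec-only" ;;  # the setup the reply recommends
        *)       echo "no-nx:neither" ;;
    esac
}

# Demo on constructed input (the flags list in the thread itself is elided)
tmp=$(mktemp -d)
printf 'flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht\n' > "$tmp/cpuinfo"
printf 'CONFIG_PAX_PAGEEXEC=y\nCONFIG_PAX_SEGMEXEC=y\n' > "$tmp/config"
pax_nx_report "$tmp/cpuinfo" "$tmp/config"
rm -rf "$tmp"
```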