The results for the lmbench microbenchmarks are shown in Table 10. The null I/O benchmark measures the average of the times for a one-byte read from /dev/zero and a one-byte write to /dev/null. The SELinux overhead consists of revalidating permissions on each read and write.
The stat benchmark measures the time to invoke the stat system call on a temporary file. The SELinux overhead consists of performing permission checks for searching the path and obtaining the file attributes. The open/close test measures the time to open a temporary file for reading and immediately close it. The SELinux overhead consists of performing permission checks for searching the path and opening the file with read access.
The 0K create and 0K delete benchmarks measure the time required to create and delete a zero-length file. For the 0K create, the SELinux overhead consists of computing the label for the new file and performing permission checks for searching the path, modifying the directory, and creating the file. The SELinux overhead for the 0K delete consists of performing permission checks for searching the path, modifying the directory, and unlinking the file.
The fork, execve, and sh benchmarks measure three increasingly expensive forms of process creation: fork and exit, fork and execve, and fork and execlp of the shell with the new program as a command to the shell. For the fork benchmark, the SELinux overhead consists of permission checks on fork and wait, as with the UnixBench process creation benchmark. For the execve benchmark, the SELinux overhead consists of the fork overhead plus the label computation and permission checks associated with program execution, as with the UnixBench execl benchmark. For the sh benchmark, this overhead is further increased by the additional layer of process creation, program execution, and path searching by the shell.
The remaining lmbench tests measure round-trip latency in microseconds for various forms of interprocess communication between a pair of processes. The lmbench bandwidth benchmark results are omitted since they did not show any significant difference between the base and selinux configurations, as expected.
The SELinux overhead on the pipe benchmark consists of revalidating permissions on each read and write, as with the UnixBench pipe switching benchmark. For the AF_UNIX benchmark, the SELinux overhead consists of checking permission to each socket and revalidating the permissions for the connection between the sockets on each send and receive. For each of the networking benchmarks, the SELinux overhead includes checking permission to each socket, host, and network interface for each packet. The overhead for the UDP and RPC/UDP benchmarks also includes checking permission between the socket pair on each send and receive. For the TCP and RPC/TCP benchmarks, SELinux revalidates the permissions granted during connection establishment between the socket pair on each send and receive. The SELinux overhead for the TCP connection benchmark includes the permission checks between the socket pair for the connection on connect and accept.