Expanding the list of "Hardened Packages"

John Reiser jreiser at bitwagon.com
Tue Apr 2 23:50:33 UTC 2013


> It does rather seem like we should consider just killing it [prelink], at least by default.

Prelinking shortens the time between execve() and first useful output.
A prelinked module reduces time spent in ld-linux, and increases sharing
of pages (which reduces time spent in kernel duplicating copy-on-write pages.)
The savings are *visible* when invoking an interactive GUI program that has
dozens of shared libraries, or when several hundred smaller executables
are invoked each second, such as some 'make' clouds, etc.

Some systems want those savings, and are willing to pay with slightly
less protection via reduced ASLR.  Some administrators compensate
by running a full prelink daily, and a partial prelink of "hot" modules
(glibc, ...) a few times during the day, even as often as hourly;
and with parameters to reduce interference with modules which are
not being [re-]prelinked during the current run.
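A defender's check for the ASLR reduction discussed above, added here as an example (it is not code from the post, from Fedora, or from the prelink project): it compares shared-library base addresses across several fresh processes via /proc/self/maps and reports any library whose base never moves, which is what a prelinked library that the loader honours looks like. The sample snapshots, the library paths and the function names are constructed for illustration.

```python
"""Detect shared libraries whose load address does not vary between runs."""
import re
import subprocess

# /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ \S+ \S+ \S+ \S+\s+(\S+)$")


def library_bases(maps_text):
    """Return {path: lowest start address} for every .so mapped in one snapshot."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # anonymous mapping, [stack], or a path with spaces: ignore
        addr, path = int(m.group(1), 16), m.group(2)
        if ".so" not in path:
            continue
        bases[path] = min(bases.get(path, addr), addr)
    return bases


def unrandomised_libraries(runs):
    """Libraries present in every snapshot whose base is identical in all of them."""
    if not runs:
        return []
    per_run = [library_bases(r) for r in runs]
    common = set.intersection(*(set(b) for b in per_run))
    return sorted(p for p in common if len({b[p] for b in per_run}) == 1)


def sample_live_runs(n=5):
    """Collect n snapshots from fresh processes (Linux only; not used by the test)."""
    return [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                           text=True, check=True).stdout for _ in range(n)]


# Constructed snapshots: libc is relocated each run, libfoo always lands at the
# same address (the behaviour a prelinked library shows when ASLR is bypassed).
RUN_A = """\
7f1a2b400000-7f1a2b5c0000 r-xp 00000000 08:01 1234 /usr/lib64/libc.so.6
7f1a2b5c0000-7f1a2b7c0000 ---p 001c0000 08:01 1234 /usr/lib64/libc.so.6
41000000-41020000 r-xp 00000000 08:01 5678 /usr/lib64/libfoo.so.1
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = RUN_A.replace("7f1a2b", "7f3c9d")
RUN_C = RUN_A.replace("7f1a2b", "7fe011")

if __name__ == "__main__":
    print("fixed-base libraries:", unrandomised_libraries([RUN_A, RUN_B, RUN_C]))
```

On a live system call `unrandomised_libraries(sample_live_runs())`; an empty result means every mapped library moved between processes.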
