Message-ID: <20240816005943.1832694-1-ivanov.mikhail1@huawei-partners.com>
Date: Fri, 16 Aug 2024 08:59:39 +0800
From: Mikhail Ivanov <ivanov.mikhail1@...wei-partners.com>
To: <mic@...ikod.net>
CC: <willemdebruijn.kernel@...il.com>, <gnoack3000@...il.com>,
<linux-security-module@...r.kernel.org>, <netdev@...r.kernel.org>,
<netfilter-devel@...r.kernel.org>, <yusongping@...wei.com>,
<artem.kuzin@...wei.com>, <konstantin.meskhidze@...wei.com>
Subject: [RFC PATCH v1 0/4] Implement performance impact measurement tool

Hello! This is a v1 RFC patch dedicated to Landlock performance measurement.

Landlock LSM hooks are executed with many operations on Linux internal
objects (files, sockets). These hooks can noticeably affect performance
of such operations, as was demonstrated in the filesystem caching
patchset [1]. Having the ability to calculate Landlock performance overhead
makes it possible to compare kernel changes and estimate the acceptability
of new features (e.g. [2], [3], [4]).

Syscall execution time was chosen as the measured metric.
Landlock performance overhead is defined as the difference between syscall
duration in sandboxed mode and default mode.

Initially, perf trace was chosen as the tracer that measures syscall
durations. I've figured out that it can show imprecise values.
It doesn't affect the real overhead value, but it shows the wrong
proportion of overhead relative to syscall baseline duration. Moreover,
using perf trace caused some measurement noise.
AFAICS all this happens due to its implementation and perf event handlers.

Until someone figures out if it's possible to fix these issues somehow I
suggest using the simple libbpf-based program provided in this patchset
that uses per-syscall tracepoints and calculates average durations for
specified syscalls. In fact it has a simple implementation based on small
BPF programs and provides more precise metrics.

This patchset implements a Landlock sandboxer which provides the ability to
customize the ruleset in a variable way.

Currently, the following workloads are implemented:
* Simple script for syscalls microbenchmarking with `openat` support.
* Script that executes the find tool under Linux source files with various
  depths and sandboxer configurations.

Microbenchmarks can have only simple rulesets with a small number
of rules, but in the next patches they should be extended with support of
large rulesets with different numbers of layers.

Here is an example of how this tool can be used to measure read access
Landlock overhead for a workload that uses the find tool on Linux source files
(with depth 5):

    # ./bench/run.sh -t fs:.topology:4 -e openat -s -b \
    #     $FIND $LINUX_SRC -mindepth 5 -maxdepth 5 -exec file '{}' \;

    Tracing baseline workload...
    376.294s elapsed
    Tracing sandboxed workload...
    381.298s elapsed

    Tracing results
    ===============
    cmd: /usr/bin/find /root/linux -mindepth 5 -maxdepth 5 -exec file '{}' \;
    syscalls: openat
    access: 4
    overhead:
        syscall      bcalls   scalls   duration+overhead(us)
        =======      ======   ======   =====================
        syscall-257  1498623  1770882  1.88+0.46(+24.0%)

Please, share your opinion on the design of the tool and your ideas for
improving measurement and workloads!

[1] https://lore.kernel.org/all/20210630224856.1313928-1-mic@digikod.net/
[2] https://github.com/landlock-lsm/linux/issues/10
[3] https://github.com/landlock-lsm/linux/issues/19
[4] https://github.com/landlock-lsm/linux/issues/1

Closes: https://github.com/landlock-lsm/linux/issues/24

Mikhail Ivanov (4):
  selftests/landlock: Implement performance impact measurement tool
  selftests/landlock: Implement per-syscall microbenchmarks
  selftests/landlock: Implement custom libbpf-based tracer
  selftests/landlock: Add realworld workload based on find tool

 tools/testing/selftests/Makefile              |   1 +
 .../testing/selftests/landlock/bench/Makefile | 179 ++++++++
 .../landlock/bench/bench_find_on_linux.sh     |  84 ++++
 .../testing/selftests/landlock/bench/common.c | 283 ++++++++++++
 .../testing/selftests/landlock/bench/common.h |  18 +
 tools/testing/selftests/landlock/bench/config |  10 +
 .../selftests/landlock/bench/microbench.c     | 192 ++++++++
 .../selftests/landlock/bench/progs/tracer.c   | 126 ++++++
 tools/testing/selftests/landlock/bench/run.sh | 409 ++++++++++++++++++
 .../selftests/landlock/bench/sandboxer.c      | 117 +++++
 .../testing/selftests/landlock/bench/tracer.c | 278 ++++++++++++
 .../selftests/landlock/bench/tracer_common.h  |  15 +
 12 files changed, 1712 insertions(+)
 create mode 100644 tools/testing/selftests/landlock/bench/Makefile
 create mode 100755 tools/testing/selftests/landlock/bench/bench_find_on_linux.sh
 create mode 100644 tools/testing/selftests/landlock/bench/common.c
 create mode 100644 tools/testing/selftests/landlock/bench/common.h
 create mode 100644 tools/testing/selftests/landlock/bench/config
 create mode 100644 tools/testing/selftests/landlock/bench/microbench.c
 create mode 100644 tools/testing/selftests/landlock/bench/progs/tracer.c
 create mode 100755 tools/testing/selftests/landlock/bench/run.sh
 create mode 100644 tools/testing/selftests/landlock/bench/sandboxer.c
 create mode 100644 tools/testing/selftests/landlock/bench/tracer.c
 create mode 100644 tools/testing/selftests/landlock/bench/tracer_common.h

base-commit: 8400291e289ee6b2bf9779ff1c83a291501f017b
--
2.34.1
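
Added example (not part of the original message or of the patchset): a minimal
user-space illustration of the metric defined in the cover letter, the average
openat duration before and after the process restricts itself with a Landlock
ruleset that handles read-file access. It times calls with clock_gettime from
user space rather than with tracepoints as the patchset's tracer does; the
function names and the /etc/passwd and /etc paths are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Mean wall-clock time of openat(path, O_RDONLY) in ns; -1 if an open fails. */
double avg_openat_ns(const char *path, int iters)
{
	struct timespec a, b;
	double total = 0;
	for (int i = 0; i < iters; i++) {
		clock_gettime(CLOCK_MONOTONIC, &a);
		int fd = openat(AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
		clock_gettime(CLOCK_MONOTONIC, &b);
		if (fd < 0 || close(fd))
			return -1;
		total += (b.tv_sec - a.tv_sec) * 1e9 + (b.tv_nsec - a.tv_nsec);
	}
	return total / iters;
}

/* Sandbox the caller: READ_FILE is handled and allowed only beneath dir. */
int sandbox_read_beneath(const char *dir)
{
	struct landlock_ruleset_attr attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_READ_FILE };
	struct landlock_path_beneath_attr rule = { .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE };
	int rs = syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
	rule.parent_fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
	int ok = rs >= 0 && rule.parent_fd >= 0 &&
		 !syscall(__NR_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0) &&
		 !prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) && !syscall(__NR_landlock_restrict_self, rs, 0);
	close(rule.parent_fd);
	close(rs);
	return ok ? 0 : -1; /* -1 also when the kernel lacks Landlock */
}

int main(void)
{
	double base = avg_openat_ns("/etc/passwd", 100000); /* assumed readable file */
	if (base < 0 || sandbox_read_beneath("/etc"))
		return 1;
	double sand = avg_openat_ns("/etc/passwd", 100000); /* same workload, sandboxed */
	printf("openat: %.0f+%.0f ns (%+.1f%%)\n", base, sand - base, (sand - base) / base * 100);
	return 0;
}
```

The figures include the user-space syscall entry and clock_gettime cost, so the
relative overhead it prints is not comparable with the tracer output above.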