From: Tony Jones
To: john.johansen@canonical.com
Cc: seth.arnold@canonical.com, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH] apparmor: Fix network performance issue in aa_label_sk_perm
Date: Thu, 6 Sep 2018 21:33:57 -0700
Message-Id: <20180907043357.4638-1-tonyj@suse.de>

The netperf benchmark shows a 5.73% reduction in throughput for
small (64 byte) transfers by unconfined tasks.

DEFINE_AUDIT_SK() in aa_label_sk_perm() should not be performed
unconditionally, rather only when the label is confined.

netperf-tcp
                         56974a6fc^              56974a6fc
Min        64       563.48 (   0.00%)       531.17 (  -5.73%)
Min       128      1056.92 (   0.00%)       999.44 (  -5.44%)
Min       256      1945.95 (   0.00%)      1867.97 (  -4.01%)
Min      1024      6761.40 (   0.00%)      6364.23 (  -5.87%)
Min      2048     11110.53 (   0.00%)     10606.20 (  -4.54%)
Min      3312     13692.67 (   0.00%)     13158.41 (  -3.90%)
Min      4096     14926.29 (   0.00%)     14457.46 (  -3.14%)
Min      8192     18399.34 (   0.00%)     18091.65 (  -1.67%)
Min     16384     21384.13 (   0.00%)     21158.05 (  -1.06%)
Hmean      64       564.96 (   0.00%)       534.38 (  -5.41%)
Hmean     128      1064.42 (   0.00%)      1010.12 (  -5.10%)
Hmean     256      1965.85 (   0.00%)      1879.16 (  -4.41%)
Hmean    1024      6839.77 (   0.00%)      6478.70 (  -5.28%)
Hmean    2048     11154.80 (   0.00%)     10671.13 (  -4.34%)
Hmean    3312     13838.12 (   0.00%)     13249.01 (  -4.26%)
Hmean    4096     15009.99 (   0.00%)     14561.36 (  -2.99%)
Hmean    8192     18975.57 (   0.00%)     18326.54 (  -3.42%)
Hmean   16384     21440.44 (   0.00%)     21324.59 (  -0.54%)
Stddev     64         1.24 (   0.00%)         2.85 (-130.64%)
Stddev    128         4.51 (   0.00%)         6.53 ( -44.84%)
Stddev    256        11.67 (   0.00%)         8.50 (  27.16%)
Stddev   1024        48.33 (   0.00%)        75.07 ( -55.34%)
Stddev   2048        54.82 (   0.00%)        65.16 ( -18.86%)
Stddev   3312       153.57 (   0.00%)        56.29 (  63.35%)
Stddev   4096       100.25 (   0.00%)        88.50 (  11.72%)
Stddev   8192       358.13 (   0.00%)       169.99 (  52.54%)
Stddev  16384        43.99 (   0.00%)       141.82 (-222.39%)

Signed-off-by: Tony Jones Fixes: 56974a6fcfef ("apparmor: add base infastructure for socket mediation") --- security/apparmor/net.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/security/apparmor/net.c b/security/apparmor/net.c index bb24cfa0a164..d5d72dd1ca1f 100644 --- a/security/apparmor/net.c +++ b/security/apparmor/net.c @@ -146,17 +146,20 @@ int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request, struct sock *sk) { - struct aa_profile *profile; - DEFINE_AUDIT_SK(sa, op, sk); + int error = 0; AA_BUG(!label); AA_BUG(!sk); - if (unconfined(label)) - return 0; + if (!unconfined(label)) { + struct aa_profile *profile; + DEFINE_AUDIT_SK(sa, op, sk); - return fn_for_each_confined(label, profile, - aa_profile_af_sk_perm(profile, &sa, request, sk)); + error = fn_for_each_confined(label, profile, + aa_profile_af_sk_perm(profile, &sa, request, sk)); + } + + return error; } int aa_sk_perm(const char *op, u32 request, struct sock *sk) -- 2.18.0
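
Review bot: the new if (!unconfined(label)) block in aa_label_sk_perm() carries no comment saying that DEFINE_AUDIT_SK(sa, op, sk) sits inside it on purpose, to keep the audit-data setup off the unconfined path; without one, a later cleanup could hoist the declarations back to the top of the function and bring the regression back. A one-line comment above the block would be enough. The change also moves DEFINE_AUDIT_SK(), which takes sk, from before the AA_BUG(!label) and AA_BUG(!sk) checks to after them, which the commit message could mention. The benchmark table compares only 56974a6fc^ with 56974a6fc; a third column measured with this patch applied would show that the lost throughput is actually recovered.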