Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp992825pxu;
        Fri, 23 Oct 2020 19:57:33 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwmI/w+AQ4tQrkmjbLZOnpjb++ScoO9x3lRmiRVxw/FkeTtYsvOUoRmNBAowb28lkwQhBQ2
X-Received: by 2002:a05:6402:b8f:: with SMTP id cf15mr5347826edb.369.1603508253158;
        Fri, 23 Oct 2020 19:57:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1603508253; cv=none;
        d=google.com; s=arc-20160816;
        b=VsmV//wGvmMZXk9MJlkxpwQb1jC/Tul5xYoOjO9oghyDW7iZWUZcwDMOHbCU9Kiict
         HFpc83bXorrCyIHQzaPQSMTIl1H2mFaYtQTlCBdmiA6vwn8oVW9Mxr1aYTHuDE1oXdpH
         GsTo8FCpRKPpGGAForNdPnLWISISGXR/k3+kD3YdA3zy00o2PBT0Z4FcbY/hl+FyiRaA
         aN0CyUHKOdb94obAkCWvL9pGelH4C+IsB3PiMZ/+CAu231dMc8QhvHtB/F/YS69vlrKl
         5p4Or+7Y7SiyvliK3dIkOrfcqDHb8eENNAvJ8fB7X0BLvuqm4WI0juZtuBRIJLDWz4k2
         pgJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=exQNVvRWJFpZVay5bCbuF8Chc+K90S79cyDW4pCR96s=;
        b=NQcXC6KJ9AMTv3H3oJ9A/alnTQAkM6O/yle/uOf7uP+VZ46u8Iym2p/JE6ZGIy0+aC
         tTCfacxUQvhLxh6jVF386LUM7z68LSji4/EIOV3DPlmSl26EuLIzHYkx7A+m/vaQw71A
         LLBC43BzEb7VVTnQDqrzIystEdhdaNnlknwAsQ6MwFyeJFvEny2EHgGK/FgRZRPmB5Nr
         yoMTwke73lD55dfSbIsHAIbx2tvjB5GqI82MArMPHh8lwwADDLh9Wd3ZNUV+2DO/grzs
         Cy92O+7qkS8GQ2/agSYa5bN/azfYzC7flofCC6NLNTCN43EW0pyxyAw37MMVxHwgNuqH
         Ielw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=KV9CaDvJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h8si2664607ejj.258.2020.10.23.19.57.10;
        Fri, 23 Oct 2020 19:57:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=KV9CaDvJ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1759177AbgJXCvn (ORCPT <rfc822;crosarcplusplustest@gmail.com>
        + 99 others); Fri, 23 Oct 2020 22:51:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60058 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1759143AbgJXCvm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 23 Oct 2020 22:51:42 -0400
Received: from mail-pg1-x543.google.com (mail-pg1-x543.google.com [IPv6:2607:f8b0:4864:20::543])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CFD45C0613D2
        for <linux-kernel@vger.kernel.org>; Fri, 23 Oct 2020 19:51:42 -0700 (PDT)
Received: by mail-pg1-x543.google.com with SMTP id l18so2751665pgg.0
        for <linux-kernel@vger.kernel.org>; Fri, 23 Oct 2020 19:51:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=exQNVvRWJFpZVay5bCbuF8Chc+K90S79cyDW4pCR96s=;
        b=KV9CaDvJWjMnPRerYDVMgQAXXWpZHin64zb+D/uzzh1jn14cp0unh77C/PFSi1YRzK
         RZfD1gMNw3MWr1O3MZFrAq4q3G7PSiATA+70iI9uAQA2HKgtdZPU5ZKeEhN0FxWII7A1
         PAl5jVvc7Gf5OQwDzQpiXkqTFQP3OLcIftsxw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=exQNVvRWJFpZVay5bCbuF8Chc+K90S79cyDW4pCR96s=;
        b=FaKJXLM2ToSDEbS2onjKolLb4ztP+f0Jzmbitp82bXqzZDmjOiJAvcae/kq/rIo9Nz
         lpTOt90TCmE5dxKTDtF/wESSTJOaJgsHddobFmTQfGJZaYeWL8DwvCk6j4xf3VQEXxRN
         ifvayLwSBDDQzC/k/c73jiO3laKLp24K05I4rBxAcWZCqn6fcrGyp2/1Jspb8I4+p+1b
         2I3IVsq+9by3xZxt4i1I/77mlKFA/WEfmfouBcoOwDMPfXNLnglp9m7KiRIDMasFPFZG
         UUFFOzPwW0MdJT6RvUxzhYA3vo7MyFmP+nKp8xwQ2fAHgkvPrxapJBkIP8vmEbAJwPsc
         DFLg==
X-Gm-Message-State: AOAM533H96a8mL42+AJKC9Aih67xjMtOKd4PPTaksCd3xoqw38EHyPit
        9gT/kHoHyJzV2eLydf8i+SNLiQ==
X-Received: by 2002:a63:f84c:: with SMTP id v12mr4442172pgj.125.1603507902217;
        Fri, 23 Oct 2020 19:51:42 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id s20sm3363159pfu.112.2020.10.23.19.51.40
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 23 Oct 2020 19:51:41 -0700 (PDT)
Date:   Fri, 23 Oct 2020 19:51:40 -0700
From:   Kees Cook <keescook@chromium.org>
To:     YiFei Zhu <zhuyifei1999@gmail.com>
Cc:     Linux Containers <containers@lists.linux-foundation.org>,
        YiFei Zhu <yifeifz2@illinois.edu>, bpf <bpf@vger.kernel.org>,
        kernel list <linux-kernel@vger.kernel.org>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@amacapital.net>,
        David Laight <David.Laight@aculab.com>,
        Dimitrios Skarlatos <dskarlat@cs.cmu.edu>,
        Giuseppe Scrivano <gscrivan@redhat.com>,
        Hubertus Franke <frankeh@us.ibm.com>,
        Jack Chen <jianyan2@illinois.edu>,
        Jann Horn <jannh@google.com>,
        Josep Torrellas <torrella@illinois.edu>,
        Tianyin Xu <tyxu@illinois.edu>,
        Tobin Feldman-Fitzthum <tobin@ibm.com>,
        Tycho Andersen <tycho@tycho.pizza>,
        Valentin Rothberg <vrothber@redhat.com>,
        Will Drewry <wad@chromium.org>
Subject: Re: [PATCH v4 seccomp 5/5] seccomp/cache: Report cache data through
 /proc/pid/seccomp_cache
Message-ID: <202010231945.90FA4A4AA@keescook>
References: <cover.1602263422.git.yifeifz2@illinois.edu>
 <c2077b8a86c6d82d611007d81ce81d32f718ec59.1602263422.git.yifeifz2@illinois.edu>
 <202010091613.B671C86@keescook>
 <CABqSeARZWBQrLkzd3ozF16ghkADQqcN4rUoJS2MKkd=73g4nVA@mail.gmail.com>
 <202010121556.1110776B83@keescook>
 <CABqSeAT2-vNVUrXSWiGp=cXCvz8LbOrTBo1GbSZP2Z+CKdegJA@mail.gmail.com>
 <CABqSeASc-3n_LXpYhb+PYkeAOsfSjih4qLMZ5t=q5yckv3w0nQ@mail.gmail.com>
 <202010221520.44C5A7833E@keescook>
 <CABqSeAT4L65_uS=45uxPZALKaDSDocMviMginLOV2N0h-e1AzA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABqSeAT4L65_uS=45uxPZALKaDSDocMviMginLOV2N0h-e1AzA@mail.gmail.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Oct 22, 2020 at 06:40:08PM -0500, YiFei Zhu wrote:
> On Thu, Oct 22, 2020 at 5:32 PM Kees Cook <keescook@chromium.org> wrote:
> > I've been going back and forth on this, and I think what I've settled
> > on is I'd like to avoid new CONFIG dependencies just for this feature.
> > Instead, how about we just fill in SECCOMP_NATIVE and SECCOMP_COMPAT
> > for all the HAVE_ARCH_SECCOMP_FILTER architectures, and then the
> > cache reporting can be cleanly tied to CONFIG_SECCOMP_FILTER? It
> > should be relatively simple to extract those details and make
> > SECCOMP_ARCH_{NATIVE,COMPAT}_NAME part of the per-arch enabling patches?
> 
> Hmm. So I could enable the cache logic to every architecture (one
> patch per arch) that does not have the sparse syscall numbers, and
> then have the proc reporting after the arch patches? I could do that.
> I don't have test machines to run anything other than x86_64 or ia32,
> so they will need a closer look by people more familiar with those
> arches.

Cool, yes please. It looks like MIPS will need to be skipped for now. I
would have the debug cache reporting patch then depend on
!CONFIG_HAVE_SPARSE_SYSCALL_NR.

> > I'd still like to get more specific workload performance numbers too.
> > The microbenchmark is nice, but getting things like build times under
> > docker's default seccomp filter, etc would be lovely. I've almost gotten
> > there, but my benchmarks are still really noisy and CPU isolation
> > continues to frustrate me. :)
> 
> Ok, let me know if I can help.

Do you have a test environment where you can compare the before/after
of repeated kernel build times (or some other sufficiently
complex/interesting) workload under these conditions:

bare metal
docker w/ seccomp policy disabled
docker w/ default seccomp policy

This is what I've been trying to construct, but it's really noisy, so
I've been trying to pin CPUs and NUMA memory nodes, but it's not really
helping yet. :P

-- 
Kees Cook