Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp5136545rwd; Tue, 23 May 2023 19:11:58 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5QYDAWB3Vu0M/AzI1bos5Ou6V+GTKLA+izDbKuh7+/tAVX1Nb6tsco1+c6qpgw0agKllUq X-Received: by 2002:a05:6a20:144e:b0:10b:a9ca:97bf with SMTP id a14-20020a056a20144e00b0010ba9ca97bfmr8889836pzi.24.1684894317924; Tue, 23 May 2023 19:11:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684894317; cv=none; d=google.com; s=arc-20160816; b=XS9fHJqQwnEXuu8vmc1/2kaK1uZ41HbpKdhi96MPIGw5H4B88PafGRhANLsAFN7xhg qNkDIQ9kZohc4/nPJcYzyS6InxSK09KL891kTY/XmgekcGba1hz32KE80i2ks0ormQHC ROlFyv6gedlPv7R6GLo1LDx/oXgE1g0YOr3XGwdn/bxZkB5WKfc6DG3+1itKe5ql6UNo otrRH9m5KQJw70f1neGO4mn+d6sCCrutxWdCR491E3dM8ZpcHerXGwzAbg3wHYlzgbxk r2Gg0LXQrNov4wpALB3QPY3RB5wW5sScKWV+GxAyxT0HYeJfXiV3JqftOEXggSW9Etvq l3sQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=XOon+WJOJI8+JwO5uO9f8iJb1ORFwlHFloJ3UvTpfgc=; b=OJE56gZ9GZjdY6ldREn8/u76y4AA8V5NXMljv3UQsQ1UCISpoXvbxoDxXXXfJmjIhq 3dXEFQMLwXZZcZzeLxJzJ3NEIxyO1dO8wDgKUZx21py9t/j51Cqk6l9AqVBpfg1FYml+ m04KARs48tLuYKzWJPy3JbkWCqcLk36FalZ6hf4Q8g8v4t9viVGk8LRcNujgSgpj1NNn 8KilBluU01cGjPPPcByqqPKIgpWxCSc9GtfkR5ITayqOIgFtzHxFW6070JtQIpt/W/Hj 5GriaKAqIIqEeYuyBoY6nMPg5E2iRUVAceA8NhtwqmL1It0LgGvQGD5DPyMZivAIFpTB ax9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=UFEAXGWk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h22-20020a170902f7d600b001ab18790b0fsi7347039plw.95.2023.05.23.19.11.42; Tue, 23 May 2023 19:11:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=UFEAXGWk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238712AbjEXCDv (ORCPT + 99 others); Tue, 23 May 2023 22:03:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45800 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233808AbjEXCDu (ORCPT ); Tue, 23 May 2023 22:03:50 -0400 Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8AF95185 for ; Tue, 23 May 2023 19:03:48 -0700 (PDT) Received: by mail-yb1-xb32.google.com with SMTP id 3f1490d57ef6-b9a7e639656so906014276.0 for ; Tue, 23 May 2023 19:03:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1684893828; x=1687485828; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=XOon+WJOJI8+JwO5uO9f8iJb1ORFwlHFloJ3UvTpfgc=; b=UFEAXGWkCrWSSfXmpcK4Hs6xsXEnrzSBJxTqWM4F7szWa9/aDVp1VjCZ+UKcK+xoHM PmAOLGT5LfEuMIEKnBZ4wabefUZ+LVmIUFHWn5xPd/bykUkGQPp9j+LZxAlUxONq5uk7 yRSm5vIBLRm+wpD08KvTiIaL4QxV9z3DUzne98cb8hqRzh8ZjvRvYreYH6IzQBrEz9eu 2UY4MdNfRRyWRFSHaJzQdppmy0L4PtosL8GWXlVCnaPSeXr+e1FJhuwhAiy12y8ENowQ 39b1yiQnYgOliG3KAI1y99BlfHwmgGwiStE3PaSK8nM90UWnO9Pg2d6fCU5FbkcPbjrL 8vkQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684893828; x=1687485828; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XOon+WJOJI8+JwO5uO9f8iJb1ORFwlHFloJ3UvTpfgc=; b=C0f4Mn0zIdEtEKDzt+luej+NOTXnQnXpKQg97UFcuYglgrDDGcNMHaK6d9xdMkJde2 1rpWnsa8Vz3GjR0FbEN0IjMJ3YVakLLBfEnAibqLml19+uKRHs7hmV27MJF5M8+BHnSu rvKS8nMbCBeZdQX4lg9xdcSyB39hTMWcll//28vT20M3Tcpe/6aCFi1c/fIYi5myJ4JW 2llwQ5WfW8eB1Y9yXOiBd82uJWNMxqBeH08g4LXjrQPV9vBT3UJCyOKJJguXNOS1nMD7 qWZODqj524lawmz+rpENFc8fOAo/WvUVRW1u1dpt0sXdhNh+AOexfPK81XQDiS+lDWYk 8mMg== X-Gm-Message-State: AC+VfDxKkeJW17FS+2kdMlk3ZK3a43oCtCmPLfRh3ZFTnX7B8eEMORoW IaP+QCCYsliI74bdM6W/4Y42J/CDnae3bZq7cRcq X-Received: by 2002:a25:b120:0:b0:ba6:f32b:28e3 with SMTP id g32-20020a25b120000000b00ba6f32b28e3mr17242402ybj.6.1684893827701; Tue, 23 May 2023 19:03:47 -0700 (PDT) MIME-Version: 1.0 References: <20230523181624.19932-1-ivan@cloudflare.com> In-Reply-To: From: Paul Moore Date: Tue, 23 May 2023 22:03:36 -0400 Message-ID: Subject: Re: [PATCH] audit: check syscall bitmap on entry to avoid extra work To: Ivan Babrou Cc: audit@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com, Eric Paris Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 23, 2023 at 5:50=E2=80=AFPM Ivan Babrou w= rote: > On Tue, May 23, 2023 at 12:59=E2=80=AFPM Paul Moore = wrote: > > Before seriously considering something like this, I would really like > > to see some time put into profiling the original overhead and some > > designs on how that could be improved. Without that, patches like > > this look like drive-by band-aids which have already caused enough > > headaches for audit maintenance. > > Hello Paul, > > Could you elaborate on what exactly you would like to see added? It's > not clear to me what is missing. I should have been more clear, let me try again ... From my perspective, this patch adds code and complexity to deal with the performance impact of auditing. In some cases that is the right thing to do, but I would much rather see a more in-depth analysis of where the audit hot spots are in this benchmark, and some thoughts on how we might improve that. In other words, don't just add additional processing to bypass (slower, more involved) processing; look at the processing that is currently being done and see if you can find a way to make it faster. It will likely take longer, but the results will be much more useful. Does that make sense? --=20 paul-moore.com