Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp6174210rwd; Wed, 24 May 2023 11:48:28 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ417hWNJv6tZW35Z3W9wJfdyN+ZoQ6JUDy9F3K7t1CY9cBqbHeggFRiKiNnkrxuMlzPQaXE X-Received: by 2002:a17:902:778c:b0:1ae:5bd0:d452 with SMTP id o12-20020a170902778c00b001ae5bd0d452mr17941917pll.26.1684954108261; Wed, 24 May 2023 11:48:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684954108; cv=none; d=google.com; s=arc-20160816; b=t9AcMFtRmPew2FRBx3TRCuE5ylae4cJ96V8G3MDfb5wdamVhR0YsEvOmWD8tPiNbWh hfP2pT88hA5doTyhAflAOVVJv396f1rfvkCjfET0UlIbrO0koI1ipLPQUoUtfevX9K7J LMAaSG1iLGgHmhn0At8VI5mM0YZVDNu4tXCDthCNOXVmXgch2nnZYLCZW8qxrPwBkTan 9tw+Hdqlvo6EoLJn3YzVp12Tm1MdwMN+fOD8TqV0x82sELDtTJ3cXeFVT/laWF194uhz bJuezF1AaTkj7KYc+faJheHnL9OyQghKrTwloVWuKFJW0+ggFrv83CHOniNLJxExmQic g3wA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=nGNgbJnX0tVJRsKgUg1OydGKxpSLVGxD0LmlnA5I/bM=; b=ln7hthL+rjSAkOXOPuWHA1O187WMzTkaQk+rqMZm1QWAnoycPIxRy7YeOmjDtEyfUw 07h3Rtu+mF1ITtHgOZdJ7Lz2BMD6HCxVyIBXMhyDiubnoA41ahdTgerzcOS0V0LR0DY2 ECXHanpYvZ8Ncva9hrkUC0IsNTFJqDIl76BQl3gdBrSX93KWvsj2cr4pYk2tJdjzGMzy xIwicmuGDZUtyF0kTxv9TRQHAJtN8goo7Qh39M1voiZQhqZnIllNqpm0ma4lcp7PIV+N 7y6nH1xnufWyjXfUyCKgsbIKQ5UAkua1sG3WWBRT1PEK3aD8jxqbOttet+wL1C+HzIZ9 L4fQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=T3bmdGNX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id jk14-20020a170903330e00b001a99ace3e76si1668444plb.554.2023.05.24.11.48.15; Wed, 24 May 2023 11:48:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@cloudflare.com header.s=google header.b=T3bmdGNX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=cloudflare.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236640AbjEXSFO (ORCPT + 99 others); Wed, 24 May 2023 14:05:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42524 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235126AbjEXSFM (ORCPT ); Wed, 24 May 2023 14:05:12 -0400 Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72FB8180 for ; Wed, 24 May 2023 11:05:08 -0700 (PDT) Received: by mail-wr1-x42e.google.com with SMTP id ffacd0b85a97d-30789a4c537so853929f8f.0 for ; Wed, 24 May 2023 11:05:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; t=1684951506; x=1687543506; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=nGNgbJnX0tVJRsKgUg1OydGKxpSLVGxD0LmlnA5I/bM=; b=T3bmdGNXzv6F/ZNJVh0QwRzqZQCki3KwhMEXYoFLZNVZ5sc0qmYH8Fw8Tzu+29lruu yEXlDnvHD/EQop4XIpBtPbjIHYvfCVyHtfiVhOtp22z5Nuk0mjwClPsGrymFR4Dlcz5i kC+uv1iA7XZSuF5J3ShKIQMHCCh4rd5bTUStI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684951506; x=1687543506; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=nGNgbJnX0tVJRsKgUg1OydGKxpSLVGxD0LmlnA5I/bM=; b=b7//kkxz3HE1qg6vF2C+qtc+dpBMq+tp/mOXg2vM7JY4HdoYIv+xrM/GosNXK5l/bT InasHD6OliJAPdiIWVrWquRuXmwN3tuRh3nsDf7/yNMAX8HgLKBhi34qCmSQAz7Yr6Gb EWugJ0Py2fwVnMfLpftqqiSIWhHV4MMS96gOlD/VxBaiEVpRUnLJ53CCJlv4YJzBJHjm cIEFimLNz40k3n7sR0BFxGPmX52G4QDbGbi2Qf8uPsE+BUkIo+ldZZseXQUActkfQM+v m6S6kSiwMpxKNB6uju8jg7W/cLZzVl7t94cb7GjHVL3D09jLRvDxNfpXmSz9/RDAMMUA d8hw== X-Gm-Message-State: AC+VfDyVByTwuEhIDiMkPTX/sVtVf3jUGjrBR1ao7zD4Kxn5nO7RR1Ty 3Qfy1A77DHAeocu5XXIv2TIbQzLJBUsBfkFJHlLl6Q== X-Received: by 2002:adf:f58a:0:b0:307:a7af:402c with SMTP id f10-20020adff58a000000b00307a7af402cmr422705wro.41.1684951506392; Wed, 24 May 2023 11:05:06 -0700 (PDT) MIME-Version: 1.0 References: <20230523181624.19932-1-ivan@cloudflare.com> In-Reply-To: From: Ivan Babrou Date: Wed, 24 May 2023 11:04:55 -0700 Message-ID: Subject: Re: [PATCH] audit: check syscall bitmap on entry to avoid extra work To: Paul Moore Cc: audit@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com, Eric Paris Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 23, 2023 at 7:03=E2=80=AFPM Paul Moore wr= ote: > > Could you elaborate on what exactly you would like to see added? It's > > not clear to me what is missing. > > I should have been more clear, let me try again ... > > From my perspective, this patch adds code and complexity to deal with > the performance impact of auditing. In some cases that is the right > thing to do, but I would much rather see a more in-depth analysis of > where the audit hot spots are in this benchmark, and some thoughts on > how we might improve that. In other words, don't just add additional > processing to bypass (slower, more involved) processing; look at the > processing that is currently being done and see if you can find a way > to make it faster. It will likely take longer, but the results will > be much more useful. The fastest way to do something is to not do it to begin with. The next best thing I could think of is checking a trivial condition (int equality + bit check) to bypass the work in the hot path, which is what this patch does. I'm not even adding a new condition for this, I'm using the existing context->dummy. It is also 100% transparent for end users, which get the benefits as long as they don't have any rules that target all syscalls. It's not very useful to see futex() and stat() syscalls being audited when we have no rules that target those. The processing of rules in exit is already fast for a reasonable set of rules, but we don't have to do it to begin with. List iteration is not going to be faster than a bit check. For VFS related things we also have to collect paths accessed during processing and it's just not useful when we know that there is no way these are going to be used. We started with a ruleset that was matching all syscalls and this was very expensive. We reduced it to targeting specific syscalls, which made it a lot cheaper, but it's still a very noticeable fraction of overall CPU usage (the benchmark in the commit is the evidence of that). Not enabling auditing on syscall entry is the next logical step in making audit cheap enough to not feel guilty about using it in the first place.