Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp335024rwd; Wed, 24 May 2023 19:24:18 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4LeuI8MQxc0rYMs4AJFOU+ACBhey/LWW+Wir632HhLk5zo0P3TuF5eAZFdqX9PFk8a1DY7 X-Received: by 2002:a05:6a20:549f:b0:10b:8a3b:1680 with SMTP id i31-20020a056a20549f00b0010b8a3b1680mr14807353pzk.29.1684981458195; Wed, 24 May 2023 19:24:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684981458; cv=none; d=google.com; s=arc-20160816; b=glfbQoyztzEDhQbeXHB/pkbNFMx7LBGZUDWlaWOMam3C1c8Gqf+/RIKxfsTHPPmMPV NQRuLbMRtLT9V3NwCbAfpQUjzJY4cU8yTT/ppaSYFfRVRV7am/5jaieRSwfFcZU8aXoa h8nzEnCPCae16obsy2Ks57VMgMtOcQC4j9N4Q/6gTSyUnbuF96eiBQl6COf6vVyNqYBY Dvvavuw5Xkn889iJFe6/Sx8yLRIQWjduhS1f6YdovaUFMksqbQQCOMeveuF7SzIhPp6m uXRp9JLbS5bSdVGW16r0uuPYiFhHuuJZrIWouLK6j6K4CGLKSwtUrgYf3B5KHNOiPPYJ RqUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=f+ykmbunbSMTavDYm2cC5wCQ70/w+yrfqKokU2pUa/E=; b=NsuOVxyZYDq55bWy6LF9jeylnmUNEYif5O4GRs9ll+ycbOYMmCPHovSxzSIW0x805X zwCdcjfufcxcX/1HXyeoYm0Zz+BDQ6vGJVb4gfQ5147RMe/ygvyFT1CMNVUsNkgXjZoX UqpiGgcr4LegtUsr2ENebIWBExKoSpn/nCFbGJADHZ/m49tMIM/CIin0GXN4FZTJMGpL ibQmpLbhL4fGBuvOhzkGZJyed8hoMVbKmdaE/J4WWYd7j03D391dJ84iCCLeiSz1vyir 1uc20XffW+n8DBvunO8PWqeCmDYla2B+uFlYm4qqVDQoo6NmqtGpC9aQnwONoNjxKXPE GmfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=ZQPTv5nv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h14-20020aa79f4e000000b0064d5b6864d0si342212pfr.76.2023.05.24.19.24.03; Wed, 24 May 2023 19:24:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@paul-moore.com header.s=google header.b=ZQPTv5nv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=paul-moore.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229680AbjEYCQT (ORCPT + 99 others); Wed, 24 May 2023 22:16:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37372 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237470AbjEYCQM (ORCPT ); Wed, 24 May 2023 22:16:12 -0400 Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A7BF71B0 for ; Wed, 24 May 2023 19:15:50 -0700 (PDT) Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-561bd0d31c1so341657b3.0 for ; Wed, 24 May 2023 19:15:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paul-moore.com; s=google; t=1684980944; x=1687572944; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=f+ykmbunbSMTavDYm2cC5wCQ70/w+yrfqKokU2pUa/E=; b=ZQPTv5nvfUy0tCUe+PyijpeyjNtyS3t+oE375SI9VbLxJTzUtZpvxT6GmIulV45OaJ PgQC/pMRoePHBFKps1iaVohDrCxsU8JB02eBZXGzQ0gM0xRR80OuDBX+yFu9sacRwhwP oSLuU0L5IeSwu4JUbV3atF8Soje0Fo0VrGvqpX86Fw/I1kkzbFiZk/uuTehU0BXftsjW EiCRWkJWN65/Me1pgLNoHu/EXQs8RGc1f3uVqLDaJ24EozLuP75f3r2O7MNl7ExsyzEd KqxfJjMC09sYG0+froE8i35zKiyqug9kr4xIEEsiPbQ61FxN6gz6DpjDRaNG1AatejKD mFLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684980944; x=1687572944; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=f+ykmbunbSMTavDYm2cC5wCQ70/w+yrfqKokU2pUa/E=; b=SGNizCbEgr3LjnQzymjHL+OES24cx0LUH87a7LXm4HifD+X83KqkBwBvgTGsao7xFM FQRfbaNKpy1/BhLd6O6mCGU7ltFt36kerzMTMWVNv+m8+5mE+ouPPwMZOdxbW/SUyKZx IfmKvICVczhqLLynLVZeq1tl37CF/5uZysr1tmlEX9R8iw5upKi5oDrEhIXLYy+NM2vb BZG051P2oMeW+h2Lf+9ntCqEb+lROOZRhtRyKx2WM+tYLKGyEMZIRD+q3Nz+EUYBwwwc y952q+xlNfh8U5P/P+MRCkl5aRSCTfRAddedLtaXxk0oATNbZ/BIV/E5YUru39m21Bn8 2T0g== X-Gm-Message-State: AC+VfDz3IDaVfwW/pksRaGBd2MWRMMhzVSdYndAKxLZlNktlJ5psKO6r wtHCDnZF36sK/yfiswiifoMBN2AGfuv5hay4nOsn X-Received: by 2002:a0d:cc92:0:b0:561:c184:6568 with SMTP id o140-20020a0dcc92000000b00561c1846568mr21324234ywd.18.1684980944143; Wed, 24 May 2023 19:15:44 -0700 (PDT) MIME-Version: 1.0 References: <20230523181624.19932-1-ivan@cloudflare.com> In-Reply-To: From: Paul Moore Date: Wed, 24 May 2023 22:15:33 -0400 Message-ID: Subject: Re: [PATCH] audit: check syscall bitmap on entry to avoid extra work To: Ivan Babrou Cc: audit@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@cloudflare.com, Eric Paris Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 24, 2023 at 2:05=E2=80=AFPM Ivan Babrou w= rote: > > On Tue, May 23, 2023 at 7:03=E2=80=AFPM Paul Moore = wrote: > > > Could you elaborate on what exactly you would like to see added? It's > > > not clear to me what is missing. > > > > I should have been more clear, let me try again ... > > > > From my perspective, this patch adds code and complexity to deal with > > the performance impact of auditing. In some cases that is the right > > thing to do, but I would much rather see a more in-depth analysis of > > where the audit hot spots are in this benchmark, and some thoughts on > > how we might improve that. In other words, don't just add additional > > processing to bypass (slower, more involved) processing; look at the > > processing that is currently being done and see if you can find a way > > to make it faster. It will likely take longer, but the results will > > be much more useful. > > The fastest way to do something is to not do it to begin with. While you are not wrong, I believe you and I are focusing on different things. From my perspective, you appear primarily concerned with improving performance by reducing the overhead of auditing. I too am interested in reducing the audit overhead, but I also place a very high value on maintainable code, perhaps more than performance simply because the current audit code quality is so very poor. Unfortunately, the patch you posted appears to me as yet another bolt-on performance tweak that doesn't make an attempt at analyzing the current hot spots of syscall auditing, and ideally offering solutions. Perhaps ultimately this approach is the only sane thing that can be done, but I'd like to see some analysis first of the syscall auditing path. --=20 paul-moore.com