Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp1746079rdh; Tue, 26 Sep 2023 02:09:36 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFkSbNTECNDdL9ppDJ5lILxUHRKT5jBOJYOgo33wxDpL990WtZ1ZfgT9zuDPIGkHxITz9uq X-Received: by 2002:a17:90b:4f4a:b0:268:c569:f2af with SMTP id pj10-20020a17090b4f4a00b00268c569f2afmr5944116pjb.7.1695719376097; Tue, 26 Sep 2023 02:09:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695719376; cv=none; d=google.com; s=arc-20160816; b=nl013Le8avPIyGnxRzu+jgUTOrdJD/Y3Dfk07NxZb0ennuWPpxcK3ZujNv6CsQhaqI /vZgKS8nCluTGYuvw//WTxNU/hkjP814vgu3/rt9sVWWhVzRXtefA4WEqZ+Q1AYED60x ab1Q25sW5NHx+w0XydSWKVVw6Se9/O8+yFJji2eBwqxf6H3sCxQrRnk1Oj5zUkPcKPno DNmIwFDqcXlxcUO9xhOhYku+vRazZQsoMfsEoYjkhKC/kssWrLKhW7XV0VVPasH7LmMx f/u0wEFkgyIcaWo7V16gZtytxDzUzPv2JeCGL4W9qj2ej0w6JMZFYN5et6acT+Yu4KXc 0Cyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=xOK6OfHsH5UzXX07PzrwQsARRjCcdnyHQS4dDua03nw=; fh=6l/j8S/IOSSuU/FDPIivP6mQHx+esXyBAeWoFcn7fcE=; b=zosArNiaYaK0LNXyH533ktkPpzwSjk37c0+cIiyjpdRi6FPLIUKcjY+Z9MS1AspDQx 5LC6HYs1NSeRWcLqaPdf52sSl0HBQGUWKPFCiSz6YcW8MKJk6ECHVUJSiuRTOmWhrIf6 zj+3Q3m+x7/1mG4VWx8hTQobSYr91X+2z2/d1XDtQa+r7/kzOsYxQleYPrLqSNX9ipGK r4vPBkNLYi81qWXQTgA6kgrd1ci97zM2KGUIB8qKje/t3ObWFWuqnfrpOf+aBOQLkNLr LeeBG0Px849PXWIG7z4Xy9ZSu/NaObSMlkjvwJo/GZPwdXKUAmMeo5JuMxHZ7YnE9goV b4qA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="eVBYK/fZ"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1]) by mx.google.com with ESMTPS id mg24-20020a17090b371800b0025c219a68e3si11830125pjb.45.2023.09.26.02.09.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 26 Sep 2023 02:09:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="eVBYK/fZ"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id 5858081FAD97; Mon, 25 Sep 2023 23:39:12 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233819AbjIZGjL (ORCPT + 99 others); Tue, 26 Sep 2023 02:39:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49504 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233757AbjIZGjJ (ORCPT ); Tue, 26 Sep 2023 02:39:09 -0400 Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 61F8B116; Mon, 25 Sep 2023 23:39:02 -0700 (PDT) Received: by mail-lj1-x235.google.com with SMTP id 38308e7fff4ca-2bfed7c4e6dso135128941fa.1; Mon, 25 Sep 2023 23:39:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695710340; x=1696315140; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=xOK6OfHsH5UzXX07PzrwQsARRjCcdnyHQS4dDua03nw=; b=eVBYK/fZZ8sArYAzt80NlSEYz5YueAeTBmFrv1BxvFdVsIuLC4Plueq9E4SW7V8rhp s0dZhrb1JdrjoCvTmSTdp2ls3R+6aM39VBwALow+xq5vA8+RRcOm6Imv8gBuqb7guN8V 1gP4qqiy/lCJbysGtH1PypTLuJJ+QJupGB26gyo0hcthkRkTtOR1CpJFTo8gW9tHlyZC CJF47ol8t5pS0yo47UKX94fsrKP7hdwj/oy4H53ngC+xgXPoBgFjVA2MiEP/xaLReqQ6 ATTpzkY2ji093g6ulAkz/uiZlfgUiE5oPhNi5FhiiKw36ornbV7f1jxVeFuZ0WrLmDzC LDYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695710340; x=1696315140; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=xOK6OfHsH5UzXX07PzrwQsARRjCcdnyHQS4dDua03nw=; b=HiBM1U6+j7skFecrjJqGdh2k2btq/9VzXwzu4c7j9imRN0GVwP3KzVUhk957ThpJRu yKOZdjzkxwrJ/4Dzd3OHQWV3o5h/EfOcHmnncxu8eyOq5mB/rV7xKmZpnMl/o64RWFov KoA3OaZVIs/38b5yiAOuZZON+FeGPOzsWbjNQ2b3SAzV5/yrG5POBAi2LrIvCgmkYFjo W42e951IsjObh78peF7uO/sAT7FissUuB49iqL6eBkYr0PlyBalD3VejtC52HBIhIokH OnC+Dn2ypjRmB+66ecbI7MOeFVWqGgXvD8/wKHl2jcb5HJkDV14R8ikaeDFYQ+OCfX/q ursw== X-Gm-Message-State: AOJu0YwK0qcMxI/sfNM87/ayn7DBxLjZf446QYx1wNrYHp6hVXtAdfIx SEC/WR/X/oVYicsoJUbWhIpi9mL6U60H9g== X-Received: by 2002:a2e:97c8:0:b0:2bc:e954:4203 with SMTP id m8-20020a2e97c8000000b002bce9544203mr7159098ljj.26.1695710340426; Mon, 25 Sep 2023 23:39:00 -0700 (PDT) Received: from f (cst-prg-24-34.cust.vodafone.cz. [46.135.24.34]) by smtp.gmail.com with ESMTPSA id lw3-20020a170906bcc300b009ade1a4f795sm7244603ejb.168.2023.09.25.23.38.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 Sep 2023 23:38:59 -0700 (PDT) Date: Tue, 26 Sep 2023 08:38:57 +0200 From: Mateusz Guzik To: John Johansen Cc: Vinicius Costa Gomes , linux-security-module@vger.kernel.org, apparmor@lists.ubuntu.com, linux-kernel@vger.kernel.org Subject: Re: [apparmor] use per-cpu refcounts for apparmor labels? Message-ID: <20230926063857.h3afce5hagnlkoob@f> References: <87a5t9bypm.fsf@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Mon, 25 Sep 2023 23:39:12 -0700 (PDT) On Mon, Sep 25, 2023 at 11:21:26PM -0700, John Johansen wrote: > On 9/25/23 16:49, Vinicius Costa Gomes wrote: > > Hi Mateusz, > > > > Mateusz Guzik writes: > > > > > I'm sanity-checking perf in various microbenchmarks and I found > > > apparmor to be the main bottleneck in some of them. > > > > > > For example: will-it-scale open1_processes -t 16, top of the profile: > > > 20.17% [kernel] [k] apparmor_file_alloc_security > > > 20.08% [kernel] [k] apparmor_file_open > > > 20.05% [kernel] [k] apparmor_file_free_security > > > 18.39% [kernel] [k] apparmor_current_getsecid_subj > > > [snip] > > > > > > This serializes on refing/unrefing apparmor objs, sounds like a great > > > candidate for per-cpu refcounting instead (I'm assuming they are > > > expected to be long-lived). > > > > > > I would hack it up myself, but I failed to find a clear spot to switch > > > back from per-cpu to centalized operation and don't want to put > > > serious effort into it. > > > > > > Can you sort this out? > > > > I will add looking into it on the todo list. Its going to have to come > after some other major cleanups land, and I am not sure we can make > the semantic work well for some of these. For other we might get away > with switching to a critical section like Vinicius's patch has done > for apparmor_current_getsecid_subj. > Is there an eta? I looked at dodging ref round trips myself, but then found that ref manipulation in apparmor_file_alloc_security and the free counterpart cannot be avoided. Thus per-cpu refs instead. Perhaps making the label as stale would be a good enough switching point? Is it *guaranteed* to get labelled as stale before it gets freed? btw, __aa_proxy_redirect open-codes setting the flag. > > I was looking at this same workload, and proposed a patch[1] some time > > ago, see if it helps: > > > > https://lists.ubuntu.com/archives/apparmor/2023-August/012914.html > > > > But my idea was different, in many cases, we are looking at the label > > associated with the current task, and there's no need to take the > > refcount. > > > > yes, and thanks for that. >