From: "Sverdlin, Alexander (Nokia - DE/Ulm)" <alexander.sverdlin@nokia.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Paul Moore <pmoore@redhat.com>,
"linux-audit@redhat.com" <linux-audit@redhat.com>,
Richard Guy Briggs <rbriggs@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled
Date: Mon, 28 Jan 2019 15:38:12 +0000 [thread overview]
Message-ID: <8bf5d613-9b27-381d-283b-c8892483f424@nokia.com> (raw)
In-Reply-To: <CAHC9VhT1T4wTonW_L8CH2j1aMqSaBcUf-zH==233+ZZvSKhkwg@mail.gmail.com>
Hello Paul,
On 28/01/2019 15:52, Paul Moore wrote:
>>>>> time also enables syscall auditing; this patch simplifies the Kconfig
>>>>> menus by removing the option to disable syscall auditing when audit
>>>>> is selected and the target arch supports it.
>>>>>
>>>>> Signed-off-by: Paul Moore <pmoore@redhat.com>
>>>> this patch is responsible for massive performance degradation for those
>>>> who used only CONFIG_SECURITY_APPARMOR.
>>>>
>>>> And the numbers are, take the following test for instance:
>>>>
>>>> dd if=/dev/zero of=/dev/null count=2M
>>>>
>>>> ARM64: 500MB/s -> 350MB/s
>>>> ARM: 400MB/s -> 300MB/s
>>> Hi there.
>>>
>>> Out of curiosity, what kernel/distribution are you running, or is this
>>> a custom kernel compile? Can you also share the output of 'auditctl
>> This test was carried out with Linux 4.9. Custom built.
> I suspected that was the case, thanks.
>
>>> -l' from your system? The general approach taken by everyone to
>>> turn-off the per-syscall audit overhead is to add the "-a never,task"
>>> rule to their audit configuration:
>>>
>>> # auditctl -a never,task
>>>
>>> If you are using Fedora/CentOS/RHEL, or a similarly configured system,
>> This is an embedded distribution. We are not using auditctl or any other
>> audit-related user-space packages.
>>
>>> you can find this configuration in the /etc/audit/audit.rules file (be
>>> warned, that file is automatically generated based on
>>> /etc/audit/rules.d).
>> I suppose in this case rule list must be empty. Is there a way to check
>> this without extra user-space packages?
> Yes, unless you are loading rules through some other method I would
> expect that your audit rule list is empty.
>
> I'm not aware of any other tools besides auditctl to load audit rules
> into the kernel, although I haven't ever had a need for another tool
> so I haven't looked very hard. If you didn't want to bring auditctl
> into your distribution, I expect it would be a rather trivial task to
> create a small tool to load a single "-a never,task" into the kernel.
I've done a quick test on my x86_64 PC and got the following results:
1. empty rules list:
perf record dd if=/dev/zero of=/dev/null count=2M
2097152+0 records in
2097152+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 1.69685 s, 633 MB/s
perf report:
# Overhead Command Shared Object Symbol
# ........ ....... ................. ..................................
#
14.26% dd [kernel.kallsyms] [k] entry_SYSCALL_64
11.33% dd [kernel.kallsyms] [k] __clear_user
5.00% dd [kernel.kallsyms] [k] fsnotify
4.92% dd libc-2.28.so [.] read
4.80% dd [kernel.kallsyms] [k] __audit_syscall_exit
4.60% dd [kernel.kallsyms] [k] syscall_return_via_sysret
4.24% dd libc-2.28.so [.] __GI___libc_write
3.84% dd [kernel.kallsyms] [k] __indirect_thunk_start
3.82% dd libc-2.28.so [.] __memcpy_ssse3_back
3.04% dd [kernel.kallsyms] [k] entry_SYSCALL_64_after_hwframe
2.98% dd [kernel.kallsyms] [k] __fget_light
2.97% dd [kernel.kallsyms] [k] do_syscall_64
2.33% dd [kernel.kallsyms] [k] vfs_write
2.32% dd [kernel.kallsyms] [k] __audit_syscall_entry
2.31% dd [kernel.kallsyms] [k] iov_iter_zero
2.22% dd [kernel.kallsyms] [k] syscall_trace_enter
1.89% dd [kernel.kallsyms] [k] syscall_slow_exit_work
1.56% dd [kernel.kallsyms] [k] __fsnotify_parent
1.52% dd [kernel.kallsyms] [k] __x64_sys_write
1.42% dd [kernel.kallsyms] [k] __vfs_read
1.34% dd [kernel.kallsyms] [k] __x64_sys_read
1.30% dd [kernel.kallsyms] [k] vfs_read
1.16% dd [kernel.kallsyms] [k] ksys_write
1.05% dd [kernel.kallsyms] [k] security_file_permission
2. auditctl -a never,task
perf record dd if=/dev/zero of=/dev/null count=2M
2097152+0 records in
2097152+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 1.29384 s, 830 MB/s
perf report:
# Overhead Command Shared Object Symbol
# ........ ....... ................. ...................................
#
16.90% dd [kernel.kallsyms] [k] entry_SYSCALL_64
14.24% dd [kernel.kallsyms] [k] __clear_user
6.00% dd [kernel.kallsyms] [k] fsnotify
5.35% dd [kernel.kallsyms] [k] syscall_return_via_sysret
5.26% dd [kernel.kallsyms] [k] __indirect_thunk_start
4.85% dd libc-2.28.so [.] read
4.81% dd libc-2.28.so [.] __GI___libc_write
4.09% dd libc-2.28.so [.] __memcpy_ssse3_back
3.92% dd [kernel.kallsyms] [k] __fget_light
3.43% dd [kernel.kallsyms] [k] entry_SYSCALL_64_after_hwframe
3.07% dd [kernel.kallsyms] [k] iov_iter_zero
2.93% dd [kernel.kallsyms] [k] do_syscall_64
2.45% dd [kernel.kallsyms] [k] vfs_write
2.07% dd [kernel.kallsyms] [k] __vfs_read
2.02% dd [kernel.kallsyms] [k] __fsnotify_parent
1.42% dd [kernel.kallsyms] [k] vfs_read
1.34% dd [kernel.kallsyms] [k] ksys_read
1.18% dd [kernel.kallsyms] [k] ksys_write
1.18% dd [kernel.kallsyms] [k] read_iter_zero
1.10% dd [kernel.kallsyms] [k] __vfs_write
Which brings me to an idea, that the subject patch should have been accompanied
by a default "never,task" rule inside the kernel, otherwise you require an
extra user-space package (audit) just to bring Linux 4.5+ to 4.4 performance
levels.
--
Best regards,
Alexander Sverdlin.
next prev parent reply other threads:[~2019-01-28 15:38 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-08 16:42 [PATCH] audit: always enable syscall auditing when supported and audit is enabled Paul Moore
2015-12-08 20:50 ` Richard Guy Briggs
2019-01-28 8:34 ` Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 14:19 ` Paul Moore
2019-01-28 14:36 ` Sverdlin, Alexander (Nokia - DE/Ulm)
2019-01-28 14:52 ` Paul Moore
2019-01-28 15:38 ` Sverdlin, Alexander (Nokia - DE/Ulm) [this message]
2019-01-28 16:26 ` Paul Moore
2019-01-28 20:03 ` Steve Grubb
2019-01-28 20:08 ` Paul Moore
2019-01-28 21:19 ` Steve Grubb
2019-01-28 21:49 ` Richard Guy Briggs
2019-01-28 22:01 ` Paul Moore
2019-01-28 14:45 ` Sverdlin, Alexander (Nokia - DE/Ulm)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8bf5d613-9b27-381d-283b-c8892483f424@nokia.com \
--to=alexander.sverdlin@nokia.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=pmoore@redhat.com \
--cc=rbriggs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox