From: "Günther Noack" <gnoack3000@gmail.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-security-module@vger.kernel.org,
Tingmao Wang <m@maowtm.org>,
Justin Suess <utilityemal77@gmail.com>,
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>,
Matthieu Buffet <matthieu@buffet.re>,
Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
konstantin.meskhidze@huawei.com
Subject: Re: [RFC PATCH 0/2] landlock: Refactor layer masks
Date: Tue, 30 Dec 2025 11:48:21 +0100
Message-ID: <20251230.d4bf391b98c5@gnoack.org>
In-Reply-To: <20251230103917.10549-3-gnoack3000@gmail.com>

On Tue, Dec 30, 2025 at 11:39:17AM +0100, Günther Noack wrote:
> Tentative results with and without this patch set show that the
> hypothesis likely holds true. The benchmark I used exercises a "worst
> case" scenario that attempts to be bottlenecked on the affected code:
> constructs a large number of nested directories, with one "path
> beneath" rule each and then tries to open the innermost directory many
> times. The benchmark is intentionally unrealistic to amplify the
> amount of time used for the path walk logic and forces Landlock to
> walk the full path (eventually failing the open syscall). (I'll send
> the benchmark program in a reply to this mail for full transparency.)

Please see the benchmark program below.

To compile it, use:

```
cc -o benchmark_worsecase benchmark_worsecase.c
```

Source code:
```
#define _GNU_SOURCE
#include <err.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/times.h>
#include <time.h>
#include <unistd.h>

/* Flags */
bool use_landlock = true;
size_t num_iterations = 100000;
size_t num_subdirs = 10000;

void usage() {
  puts("Usage: benchmark_worstcase [-no-landlock] [-d NUM_SUBDIRS] "
       "[-n NUM_ITERATIONS]");
}

/*
 * Build a deep directory, enforce Landlock and return the FD to the
 * deepest dir. On any failure, exit the process with an error.
 */
int build_directory(size_t depth) {
  const char *path = "d"; /* directory name */

  if (use_landlock) {
    /* Query the Landlock ABI version supported by the running kernel. */
    int abi = syscall(SYS_landlock_create_ruleset, NULL, 0,
                      LANDLOCK_CREATE_RULESET_VERSION);
    if (abi < 0)
      err(1, "landlock_create_ruleset(version)");
    if (abi < 7) /* errno is not meaningful here, so use errx() */
      errx(1, "Landlock ABI too low: got %d, wanted 7+", abi);
  }

  int ruleset_fd = -1;
  if (use_landlock) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
      err(1, "prctl");

    struct landlock_ruleset_attr attr = {
        .handled_access_fs = 0xffff, /* All FS access rights as of 2025-12 */
    };
    ruleset_fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0U);
    if (ruleset_fd < 0)
      err(1, "landlock_create_ruleset");
  }

  int current = open(".", O_PATH);
  if (current < 0)
    err(1, "open(.)");

  while (depth--) {
    if (use_landlock) {
      /*
       * One "path beneath" rule per directory level. It grants only
       * IOCTL_DEV, so the later open of the innermost directory is
       * still denied after Landlock has walked the full path.
       */
      struct landlock_path_beneath_attr attr = {
          .allowed_access = LANDLOCK_ACCESS_FS_IOCTL_DEV,
          .parent_fd = current,
      };
      if (syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                  &attr, 0) < 0)
        err(1, "landlock_add_rule");
    }

    if (mkdirat(current, path, 0700) < 0)
      err(1, "mkdirat(%s)", path);

    int previous = current;
    current = openat(current, path, O_PATH);
    if (current < 0)
      err(1, "open(%s)", path);

    close(previous);
  }

  if (use_landlock) {
    if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0) < 0)
      err(1, "landlock_restrict_self");
    close(ruleset_fd); /* only valid when a ruleset was created */
  }
  return current;
}

int main(int argc, char *argv[]) {
  for (int i = 1; i < argc; i++) {
    if (!strcmp(argv[i], "-no-landlock")) {
      use_landlock = false;
    } else if (!strcmp(argv[i], "-d")) {
      i++;
      if (i >= argc) /* the option value is missing */
        errx(1, "expected number of subdirs after -d");
      num_subdirs = atoi(argv[i]);
    } else if (!strcmp(argv[i], "-n")) {
      i++;
      if (i >= argc) /* the option value is missing */
        errx(1, "expected number of iterations after -n");
      num_iterations = atoi(argv[i]);
    } else {
      usage();
      errx(1, "unknown argument: %s", argv[i]);
    }
  }

  printf("*** Benchmark ***\n");
  printf("%zu dirs, %zu iterations, %s landlock\n", num_subdirs,
         num_iterations, use_landlock ? "with" : "without");

  struct tms start_time;
  if (times(&start_time) == -1)
    err(1, "times");

  int current = build_directory(num_subdirs);

  for (size_t i = 0; i < num_iterations; i++) {
    int fd = openat(current, ".", O_DIRECTORY);
    if (fd != -1) {
      /* The open must be denied under Landlock; without it, it succeeds. */
      if (use_landlock)
        errx(1, "openat succeeded, expected error");
      close(fd);
    }
  }

  struct tms end_time;
  if (times(&end_time) == -1)
    err(1, "times");

  printf("*** Benchmark concluded ***\n");
  printf("System: %ld clocks\n",
         (long)(end_time.tms_stime - start_time.tms_stime));
  printf("User : %ld clocks\n",
         (long)(end_time.tms_utime - start_time.tms_utime));
  /* times() counts in sysconf(_SC_CLK_TCK) ticks, not CLOCKS_PER_SEC. */
  printf("Clocks per second: %ld\n", sysconf(_SC_CLK_TCK));

  close(current);
  return 0;
}
```