public inbox for linux-security-module@vger.kernel.org
From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: linux-security-module@vger.kernel.org,
	Tingmao Wang <m@maowtm.org>,
	 Justin Suess <utilityemal77@gmail.com>,
	Samasth Norway Ananda <samasth.norway.ananda@oracle.com>,
	 Matthieu Buffet <matthieu@buffet.re>,
	Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
	 konstantin.meskhidze@huawei.com
Subject: Re: [RFC PATCH 0/2] landlock: Refactor layer masks
Date: Fri, 9 Jan 2026 16:59:19 +0100
Message-ID: <20260109.au3vee9Eisei@digikod.net>
In-Reply-To: <20251230.d4bf391b98c5@gnoack.org>

On Tue, Dec 30, 2025 at 11:48:21AM +0100, Günther Noack wrote:
> On Tue, Dec 30, 2025 at 11:39:17AM +0100, Günther Noack wrote:
> > Tentative results with and without this patch set show that the
> > hypothesis likely holds true.  The benchmark I used exercises a "worst
> > case" scenario that attempts to be bottlenecked on the affected code:
> > constructs a large number of nested directories, with one "path
> > beneath" rule each and then tries to open the innermost directory many
> > times.  The benchmark is intentionally unrealistic to amplify the
> > amount of time used for the path walk logic and forces Landlock to
> > walk the full path (eventually failing the open syscall).  (I'll send
> > the benchmark program in a reply to this mail for full transparency.)
> 
> Please see the benchmark program below.

Thanks for the investigation!

> 
> To compile it, use:
> 
>     cc -o benchmark_worsecase benchmark_worsecase.c

It would be useful to clean up this benchmark a bit and add it to the
selftests' Landlock directory (see seccomp_benchmark.c).

> 
> Source code:
> 
> ```
> #define _GNU_SOURCE
> #include <err.h>
> #include <fcntl.h>
> #include <linux/landlock.h>
> #include <stdbool.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/prctl.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/times.h>
> #include <time.h>
> #include <unistd.h>
> 
> /* Flags */
> bool use_landlock = true;
> size_t num_iterations = 100000;
> size_t num_subdirs = 10000;
> 
> void usage(void) {
>   puts("Usage: benchmark_worstcase [-no-landlock] [-d SUBDIRS] [-n ITERATIONS]");
> }
> 
> /*
>  * Build a deep directory, enforce Landlock and return the FD to the
>  * deepest dir.  On any failure, exit the process with an error.
>  */
> int build_directory(size_t depth) {
>   const char *path = "d"; /* directory name */
> 
>   if (use_landlock) {
>     int abi = syscall(SYS_landlock_create_ruleset, NULL, 0,
>                       LANDLOCK_CREATE_RULESET_VERSION);
>     if (abi < 7)
>       err(1, "Landlock ABI too low: got %d, wanted 7+", abi);
>   }
> 
>   int ruleset_fd = -1;
>   if (use_landlock) {
>     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
>       err(1, "prctl");
> 
>     struct landlock_ruleset_attr attr = {
>         .handled_access_fs = 0xffff, /* All FS access rights as of 2025-12 */
>     };
>     ruleset_fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0U);
>     if (ruleset_fd < 0)
>       err(1, "landlock_create_ruleset");
>   }
> 
>   int current = open(".", O_PATH);
>   if (current < 0)
>     err(1, "open(.)");
> 
>   while (depth--) {
>     if (use_landlock) {
>       struct landlock_path_beneath_attr attr = {
>           .allowed_access = LANDLOCK_ACCESS_FS_IOCTL_DEV,
>           .parent_fd = current,
>       };
>       if (syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
>                   &attr, 0) < 0)
>         err(1, "landlock_add_rule");
>     }
> 
>     if (mkdirat(current, path, 0700) < 0)
>       err(1, "mkdirat(%s)", path);
> 
>     int previous = current;
>     current = openat(current, path, O_PATH);
>     if (current < 0)
>       err(1, "open(%s)", path);
> 
>     close(previous);
>   }
> 
>   if (use_landlock) {
>     if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0) < 0)
>       err(1, "landlock_restrict_self");
>   }
> 
>   /* ruleset_fd stays -1 when Landlock is disabled. */
>   if (ruleset_fd >= 0)
>     close(ruleset_fd);
>   return current;
> }
> 
> int main(int argc, char *argv[]) {
>   for (int i = 1; i < argc; i++) {
>     if (!strcmp(argv[i], "-no-landlock")) {
>       use_landlock = false;
>     } else if (!strcmp(argv[i], "-d")) {
>       i++;
>       /* Fail when the value is missing, not when it is present. */
>       if (i >= argc)
>         errx(1, "expected number of subdirs after -d");
>       num_subdirs = atoi(argv[i]);
>     } else if (!strcmp(argv[i], "-n")) {
>       i++;
>       if (i >= argc)
>         errx(1, "expected number of iterations after -n");
>       num_iterations = atoi(argv[i]);
>     } else {
>       usage();
>       errx(1, "unknown argument: %s", argv[i]);
>     }
>   }
> 
>   printf("*** Benchmark ***\n");
>   printf("%zu dirs, %zu iterations, %s landlock\n", num_subdirs,
>          num_iterations, use_landlock ? "with" : "without");
> 
>   struct tms start_time;
>   if (times(&start_time) == -1)
>     err(1, "times");
>
>   int current = build_directory(num_subdirs);
>
>   for (size_t i = 0; i < num_iterations; i++) {
>     int fd = openat(current, ".", O_DIRECTORY);
>     if (fd != -1) {
>       /* Only the Landlock run expects the open to be denied. */
>       if (use_landlock)
>         errx(1, "openat succeeded, expected error");
>       close(fd);
>     }
>   }
>
>   struct tms end_time;
>   if (times(&end_time) == -1)
>     err(1, "times");
>
>   printf("*** Benchmark concluded ***\n");
>   printf("System: %ld clocks\n",
>          (long)(end_time.tms_stime - start_time.tms_stime));
>   printf("User  : %ld clocks\n",
>          (long)(end_time.tms_utime - start_time.tms_utime));
>   /* times() counts in sysconf(_SC_CLK_TCK) ticks, not CLOCKS_PER_SEC. */
>   printf("Clock ticks per second: %ld\n", sysconf(_SC_CLK_TCK));
>
>   close(current);
> }
> ```
> 
