From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: linux-security-module@vger.kernel.org,
Tingmao Wang <m@maowtm.org>,
Justin Suess <utilityemal77@gmail.com>,
Samasth Norway Ananda <samasth.norway.ananda@oracle.com>,
Matthieu Buffet <matthieu@buffet.re>,
Mikhail Ivanov <ivanov.mikhail1@huawei-partners.com>,
konstantin.meskhidze@huawei.com,
Randy Dunlap <rdunlap@infradead.org>
Subject: Re: [PATCH v3 1/3] selftests/landlock: Add filesystem access benchmark
Date: Tue, 10 Feb 2026 16:42:18 +0100 [thread overview]
Message-ID: <20260210.eid3pie9eiJi@digikod.net> (raw)
In-Reply-To: <20260206151154.97915-3-gnoack3000@gmail.com>
On Fri, Feb 06, 2026 at 04:11:53PM +0100, Günther Noack wrote:
> fs_bench benchmarks the performance of Landlock's path walk
> by exercising it in a scenario that amplifies Landlock's overhead:
>
> * Create a large number of nested directories
> * Enforce a Landlock policy in which a rule is associated with each of
> these subdirectories
> * Benchmark openat() applied to the deepest directory,
> forcing Landlock to walk the entire path.
>
> Signed-off-by: Günther Noack <gnoack3000@gmail.com>
> ---
> tools/testing/selftests/landlock/.gitignore | 1 +
> tools/testing/selftests/landlock/Makefile | 1 +
> tools/testing/selftests/landlock/fs_bench.c | 214 ++++++++++++++++++++
> 3 files changed, 216 insertions(+)
> create mode 100644 tools/testing/selftests/landlock/fs_bench.c
>
> diff --git a/tools/testing/selftests/landlock/.gitignore b/tools/testing/selftests/landlock/.gitignore
> index a820329cae0d..1974e17a2611 100644
> --- a/tools/testing/selftests/landlock/.gitignore
> +++ b/tools/testing/selftests/landlock/.gitignore
> @@ -1,4 +1,5 @@
> /*_test
> +/fs_bench
> /sandbox-and-launch
> /true
> /wait-pipe
> diff --git a/tools/testing/selftests/landlock/Makefile b/tools/testing/selftests/landlock/Makefile
> index 044b83bde16e..fc43225d319a 100644
> --- a/tools/testing/selftests/landlock/Makefile
> +++ b/tools/testing/selftests/landlock/Makefile
> +int main(int argc, char *argv[])
> +{
> + bool use_landlock = true;
> + size_t num_iterations = 100000;
> + size_t num_subdirs = 10000;
> + int c, curr, fd;
> + struct tms start_time, end_time;
> +
> + setbuf(stdout, NULL);
> + while ((c = getopt(argc, argv, "hLd:n:")) != -1) {
> + switch (c) {
> + case 'h':
> + usage(argv[0]);
> + return EXIT_SUCCESS;
> + case 'L':
> + use_landlock = false;
> + break;
> + case 'd':
> + num_subdirs = atoi(optarg);
> + break;
> + case 'n':
> + num_iterations = atoi(optarg);
> + break;
> + default:
> + usage(argv[0]);
> + return EXIT_FAILURE;
> + }
> + }
> +
> + printf("*** Benchmark ***\n");
> + printf("%zu dirs, %zu iterations, %s landlock\n", num_subdirs,
> + num_iterations, use_landlock ? "with" : "without");
> +
> + if (times(&start_time) == -1)
> + err(1, "times");
> +
> + curr = build_directory(num_subdirs, use_landlock);
> +
> + for (int i = 0; i < num_iterations; i++) {
> + fd = openat(curr, "file.txt", O_CREAT | O_TRUNC | O_WRONLY);
Some build environments complain that O_CREAT requires the fourth
openat argument to be set. I set the mode to 0600.
> + if (use_landlock) {
> + if (fd == 0)
> + errx(1, "openat succeeded, expected EACCES");
> + if (errno != EACCES)
> + err(1, "openat expected EACCES, but got");
> + }
> + if (fd != -1)
> + close(fd);
> + }
> +
> + if (times(&end_time) == -1)
> + err(1, "times");
> +
> + printf("*** Benchmark concluded ***\n");
> + printf("System: %ld clocks\n",
> + end_time.tms_stime - start_time.tms_stime);
> + printf("User : %ld clocks\n",
> + end_time.tms_utime - start_time.tms_utime);
> + printf("Clocks per second: %ld\n", CLOCKS_PER_SEC);
> +
> + close(curr);
> +
> + remove_recursively(num_subdirs);
> +}
> --
> 2.52.0
>
>
next prev parent reply other threads:[~2026-02-10 16:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-06 15:11 [PATCH v3 0/3] landlock: Refactor layer masks Günther Noack
2026-02-06 15:11 ` [PATCH v3 1/3] selftests/landlock: Add filesystem access benchmark Günther Noack
2026-02-10 15:42 ` Mickaël Salaün [this message]
2026-02-06 15:11 ` [PATCH v3 2/3] landlock: access_mask_subset() helper Günther Noack
2026-02-06 15:11 ` [PATCH v3 3/3] landlock: transpose the layer masks data structure Günther Noack
2026-02-07 10:17 ` Mickaël Salaün
2026-02-06 17:03 ` [PATCH v3 0/3] landlock: Refactor layer masks Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260210.eid3pie9eiJi@digikod.net \
--to=mic@digikod.net \
--cc=gnoack3000@gmail.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-security-module@vger.kernel.org \
--cc=m@maowtm.org \
--cc=matthieu@buffet.re \
--cc=rdunlap@infradead.org \
--cc=samasth.norway.ananda@oracle.com \
--cc=utilityemal77@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox