Re: [PATCH] audit: always enable syscall auditing when supported and audit is enabled

From: Sverdlin, Alexander (Nokia - DE/Ulm)
Date: Mon Jan 28 2019 - 09:45:46 EST


Hello Paul,

On 28/01/2019 15:19, Paul Moore wrote:
>>> To the best of our knowledge, everyone who enables audit at compile
>>> time also enables syscall auditing; this patch simplifies the Kconfig
>>> menus by removing the option to disable syscall auditing when audit
>>> is selected and the target arch supports it.
>>>
>>> Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx>
>> this patch is responsible for massive performance degradation for those
>> who used only CONFIG_SECURITY_APPARMOR.
>>
>> And the numbers are, take the following test for instance:
>>
>> dd if=/dev/zero of=/dev/null count=2M
>>
>> ARM64: 500MB/s -> 350MB/s
>> ARM: 400MB/s -> 300MB/s
> Hi there.
>
> Out of curiosity, what kernel/distribution are you running, or is this
> a custom kernel compile? Can you also share the output of 'auditctl
> -l' from your system? The general approach taken by everyone to
> turn-off the per-syscall audit overhead is to add the "-a never,task"
> rule to their audit configuration:
>
> # auditctl -a never,task
>
> If you are using Fedora/CentOS/RHEL, or a similarly configured system,
> you can find this configuration in the /etc/audit/audit.rules file (be
> warned, that file is automatically generated based on
> /etc/audit/rules.d).

here are some perf reports for your reference:

Linux fct-0a 4.9.144-xxx armv7l armv7l armv7l GNU/Linux
# Overhead Command Shared Object Symbol
# ........ ....... ................. ............................
#
14.32% dd [kernel.kallsyms] [k] vector_swi
13.70% dd libc-2.28.so [.] __libc_do_syscall
8.42% dd [kernel.kallsyms] [k] current_kernel_time64
5.65% dd [kernel.kallsyms] [k] arm_clear_user
5.65% dd [kernel.kallsyms] [k] __fget_light
5.54% dd [kernel.kallsyms] [k] __audit_syscall_entry
3.79% dd [kernel.kallsyms] [k] fsnotify
2.97% dd libc-2.28.so [.] memcpy
2.94% dd [kernel.kallsyms] [k] __audit_syscall_exit
2.67% dd [kernel.kallsyms] [k] __fsnotify_parent
2.43% dd [kernel.kallsyms] [k] vfs_read
2.24% dd [kernel.kallsyms] [k] __vfs_read
2.23% dd [kernel.kallsyms] [k] vfs_write
1.96% dd [kernel.kallsyms] [k] syscall_trace_exit
1.71% dd [kernel.kallsyms] [k] syscall_trace_enter
1.23% dd [kernel.kallsyms] [k] rw_verify_area
1.22% dd libc-2.28.so [.] read
1.14% dd [kernel.kallsyms] [k] security_file_permission
1.07% dd [kernel.kallsyms] [k] iov_iter_zero
1.01% dd [kernel.kallsyms] [k] __sys_trace_return
0.88% dd libc-2.28.so [.] __GI___libc_write
0.85% dd dd.coreutils [.] 0x00003c48
0.84% dd [kernel.kallsyms] [k] read_iter_zero
0.79% dd [kernel.kallsyms] [k] unroll_tree_refs
0.75% dd [kernel.kallsyms] [k] __vfs_write
0.68% dd [kernel.kallsyms] [k] __fdget_pos
0.64% dd dd.coreutils [.] 0x000013a4
0.59% dd [kernel.kallsyms] [k] dput
0.57% dd [kernel.kallsyms] [k] kfree
0.56% dd [kernel.kallsyms] [k] path_put
0.52% dd [kernel.kallsyms] [k] ret_to_user

Linux fctj-0a 4.4.167-g4220c09-xxx armv7l GNU/Linux
# Overhead Command Shared Object Symbol
# ........ ....... ................. ...............................
#
23.91% dd [kernel.kallsyms] [k] vector_swi
19.57% dd libc-2.28.so [.] __libc_do_syscall
5.67% dd [kernel.kallsyms] [k] arm_clear_user
4.25% dd libc-2.28.so [.] memcpy
4.22% dd [kernel.kallsyms] [k] fsnotify
3.93% dd [kernel.kallsyms] [k] __fget_light
3.10% dd [kernel.kallsyms] [k] read_iter_zero
2.51% dd [kernel.kallsyms] [k] vfs_write
2.06% dd [kernel.kallsyms] [k] ret_fast_syscall
1.97% dd [kernel.kallsyms] [k] __fsnotify_parent
1.66% dd libc-2.28.so [.] read
1.65% dd [kernel.kallsyms] [k] __vfs_read
1.63% dd [kernel.kallsyms] [k] mmioset
1.61% dd [kernel.kallsyms] [k] vfs_read
1.47% dd libc-2.28.so [.] __GI___libc_write
1.39% dd [kernel.kallsyms] [k] rw_verify_area
1.39% dd [kernel.kallsyms] [k] security_file_permission
1.34% dd [kernel.kallsyms] [k] iov_iter_init
1.34% dd [kernel.kallsyms] [k] iov_iter_zero
1.20% dd [kernel.kallsyms] [k] local_restart
0.89% dd [kernel.kallsyms] [k] sys_read
0.89% dd [kernel.kallsyms] [k] _cond_resched
0.86% dd [kernel.kallsyms] [k] __fdget_pos
0.85% dd [kernel.kallsyms] [k] sys_write
0.77% dd dd [.] 0x00003df0
0.72% dd [kernel.kallsyms] [k] __vfs_write
0.61% dd dd [.] 0x00003946
0.55% dd dd [.] 0x000038ee
0.51% dd dd [.] 0x00003ca8


--
Best regards,
Alexander Sverdlin.
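An added example, not part of the thread above: a small Python parser for `perf report --stdio` lines like the ones Alexander posted, which totals the share of samples landing in the syscall-audit slow path (the `__audit_syscall_*`, `syscall_trace_*` and related symbols visible in the 4.9 profile and absent from the 4.4 one), plus a check for the `-a never,task` rule Paul suggests. The embedded report lines are a subset of the two profiles quoted in the mail; the assumed `auditctl -l` output format is labelled in the code.

```python
import re
from typing import List, NamedTuple

class Sample(NamedTuple):
    overhead: float  # percent of samples
    dso: str
    symbol: str

# Kernel symbols on the syscall-audit slow path: the ARM entry code goes through
# syscall_trace_enter/exit when TIF_SYSCALL_AUDIT is set, and the __audit_* and
# unroll_tree_refs functions live in kernel/auditsc.c.
AUDIT_PATH = {"__audit_syscall_entry", "__audit_syscall_exit", "syscall_trace_enter",
              "syscall_trace_exit", "__sys_trace_return", "unroll_tree_refs"}

LINE_RE = re.compile(r"^\s*(\d+\.\d+)%\s+\S+\s+(\S+)\s+\[[.k]\]\s+(\S+)")

# Subsets of the two perf reports quoted in the mail (whitespace-collapsed as extracted).
PERF_4_9 = """\
14.32% dd [kernel.kallsyms] [k] vector_swi
13.70% dd libc-2.28.so [.] __libc_do_syscall
5.54% dd [kernel.kallsyms] [k] __audit_syscall_entry
2.94% dd [kernel.kallsyms] [k] __audit_syscall_exit
1.96% dd [kernel.kallsyms] [k] syscall_trace_exit
1.71% dd [kernel.kallsyms] [k] syscall_trace_enter
1.01% dd [kernel.kallsyms] [k] __sys_trace_return
0.79% dd [kernel.kallsyms] [k] unroll_tree_refs
"""
PERF_4_4 = """\
23.91% dd [kernel.kallsyms] [k] vector_swi
19.57% dd libc-2.28.so [.] __libc_do_syscall
2.06% dd [kernel.kallsyms] [k] ret_fast_syscall
"""

def parse_perf_report(text: str) -> List[Sample]:
    """Parse 'perf report --stdio' lines; '#' comment/header lines are skipped."""
    return [Sample(float(m.group(1)), m.group(2), m.group(3))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def audit_path_overhead(samples: List[Sample]) -> float:
    """Percent of samples spent in the syscall-audit slow path."""
    return round(sum(s.overhead for s in samples if s.symbol in AUDIT_PATH), 2)

def has_never_task_rule(auditctl_l: str) -> bool:
    """True if 'auditctl -l' output contains the '-a never,task' rule (assumed to be
    printed in the same form it was added)."""
    return any(re.fullmatch(r"-a\s+never,task", ln.strip()) for ln in auditctl_l.splitlines())

if __name__ == "__main__":
    for name, rep in (("4.9", PERF_4_9), ("4.4", PERF_4_4)):
        print(name, audit_path_overhead(parse_perf_report(rep)), "% in audit path")
```

On the 4.9 subset the audit path accounts for roughly 14% of samples, which is in the same range as the dd throughput drop reported above; the 4.4 profile never enters that path.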