Re: [PATCH] audit: check syscall bitmap on entry to avoid extra work
From: Ivan Babrou
Date: Tue May 23 2023 - 17:51:00 EST
On Tue, May 23, 2023 at 12:59 PM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> Before seriously considering something like this, I would really like
> to see some time put into profiling the original overhead and some
> designs on how that could be improved. Without that, patches like
> this look like drive-by band-aids which have already caused enough
> headaches for audit maintenance.
Hello Paul,
Could you elaborate on what exactly you would like to see added? It's
not clear to me what is missing.
There's a benchmark in the commit description with the numbers
attached, which quantifies and explains the existing overhead. In my
experience, people on Linux mailing lists frown upon external links to
images, but if it helps to visualize the effects, I have some
flamegraphs for the benchmark from the commit message:
* 10 rules, before:
https://r2.ivan.computer/audit-syscall-bitmap/flamegraph-before.svg?s=audit
* 10 rules, with patch applied:
https://r2.ivan.computer/audit-syscall-bitmap/flamegraph-after.svg?s=audit
Here's a couple extra:
* 0 rules, auditd running:
https://r2.ivan.computer/audit-syscall-bitmap/flamegraph-after.svg?s=audit
* 11 rules (extra rule matching the running syscalls):
https://r2.ivan.computer/audit-syscall-bitmap/flamegraph-after-match.svg?s=audit
The bitmap design mirrors what tracepoints implement for syscall entry/exit:
* https://elixir.bootlin.com/linux/v6.4-rc1/source/kernel/trace/trace_syscalls.c#L585
I am happy to consider a different design if you have one in mind.