selftests/seccomp: Expand benchmark to per-filter measurements

It's useful to see how much (at a minimum) each filter adds to the
syscall overhead. Add additional calculations.

Signed-off-by: Kees Cook <keescook@chromium.org>
Kees Cook 2020-06-01 12:34:44 -07:00
parent ad5682184a
commit d3a37ea9f6
2 changed files with 29 additions and 9 deletions


@ -68,32 +68,54 @@ int main(int argc, char *argv[])
}; };
long ret; long ret;
unsigned long long samples; unsigned long long samples;
unsigned long long native, filtered; unsigned long long native, filter1, filter2;
if (argc > 1) if (argc > 1)
samples = strtoull(argv[1], NULL, 0); samples = strtoull(argv[1], NULL, 0);
else else
samples = calibrate(); samples = calibrate();
printf("Current BPF sysctl settings:\n");
system("sysctl net.core.bpf_jit_enable");
system("sysctl net.core.bpf_jit_harden");
printf("Benchmarking %llu samples...\n", samples); printf("Benchmarking %llu samples...\n", samples);
/* Native call */
native = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; native = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples;
printf("getpid native: %llu ns\n", native); printf("getpid native: %llu ns\n", native);
ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
assert(ret == 0); assert(ret == 0);
/* One filter */
ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
assert(ret == 0); assert(ret == 0);
filtered = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; filter1 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples;
printf("getpid RET_ALLOW: %llu ns\n", filtered); printf("getpid RET_ALLOW 1 filter: %llu ns\n", filter1);
printf("Estimated seccomp overhead per syscall: %llu ns\n", if (filter1 == native)
filtered - native); printf("No overhead measured!? Try running again with more samples.\n");
if (filtered == native) /* Two filters */
printf("Trying running again with more samples.\n"); ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
assert(ret == 0);
filter2 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples;
printf("getpid RET_ALLOW 2 filters: %llu ns\n", filter2);
/* Calculations */
printf("Estimated total seccomp overhead for 1 filter: %llu ns\n",
filter1 - native);
printf("Estimated total seccomp overhead for 2 filters: %llu ns\n",
filter2 - native);
printf("Estimated seccomp per-filter overhead: %llu ns\n",
filter2 - filter1);
printf("Estimated seccomp entry overhead: %llu ns\n",
filter1 - native - (filter2 - filter1));
return 0; return 0;
} }
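Review bot: The three new `system("sysctl ...")` calls emit their output from a child process while the parent's preceding printf text is still in the stdio buffer, so when stdout is a pipe or file (as it is under a test harness) the "Current BPF sysctl settings:" header and the sysctl lines can print out of order; add `fflush(stdout);` before the first `system()` call, or read `/proc/sys/net/core/bpf_jit_enable` and `bpf_jit_harden` with fopen(), which also avoids spawning a shell and depending on a `sysctl` binary being in PATH. The return value of each `system()` call is also ignored, so a missing `sysctl` fails silently. In the "Calculations" section, `filter1 - native - (filter2 - filter1)` is evaluated in unsigned long long, so whenever timing noise makes the per-filter delta larger than the single-filter total the "entry overhead" line prints a wrapped value near 2^64 instead of a small or negative number; computing the deltas as `long long` and printing them with `%lld` would make that visible, and the same applies to the other three subtractions if a later measurement comes out faster. main()'s body begins before this hunk.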


@ -3840,7 +3840,6 @@ TEST(user_notification_filter_empty_threaded)
/* /*
* TODO: * TODO:
* - add microbenchmarks
* - expand NNP testing * - expand NNP testing
* - better arch-specific TRACE and TRAP handlers. * - better arch-specific TRACE and TRAP handlers.
* - endianness checking when appropriate * - endianness checking when appropriate
@ -3848,7 +3847,6 @@ TEST(user_notification_filter_empty_threaded)
* - arch value testing (x86 modes especially) * - arch value testing (x86 modes especially)
* - verify that FILTER_FLAG_LOG filters generate log messages * - verify that FILTER_FLAG_LOG filters generate log messages
* - verify that RET_LOG generates log messages * - verify that RET_LOG generates log messages
* - ...
*/ */
TEST_HARNESS_MAIN TEST_HARNESS_MAIN