From: Stephen Smalley <sds@tycho.nsa.gov>
To: Wenhui Zhang <wenhui@gwmail.gwu.edu>,
	Casey Schaufler <casey@schaufler-ca.com>
Cc: Casey Schaufler <casey.schaufler@intel.com>,
	James Morris <jmorris@namei.org>,
	linux-security-module@vger.kernel.org,
	SELinux <selinux@vger.kernel.org>,
	Kees Cook <keescook@chromium.org>,
	John Johansen <john.johansen@canonical.com>,
	penguin-kernel@i-love.sakura.ne.jp,
	Paul Moore <paul@paul-moore.com>
Subject: Re: Perf Data on LSM in v5.3
Date: Wed, 15 Jan 2020 09:06:25 -0500
Message-ID: <53c1c2ca-77e6-aee8-4a34-a0704e47a9b7@tycho.nsa.gov>
In-Reply-To: <CAOSEQ1qipfe0Juz+4V9FgebAPDDXePd29s8=G1pFtHGqx4Sedg@mail.gmail.com>

On 1/14/20 7:14 PM, Wenhui Zhang wrote:
> Hi, Casey:
> 
> Nope, I did not test without CONFIG_SECURITY for v 5.3. (I could give it 
> a try later this week, please let me know if you need this data)
> However I did this test for v4.18.20, afterwards I switched to v5.3 as 
> my base code.
> 
> I am attaching the three results to this email for your reference for 
> v4.18.20.
> -- without_sec is without CONFIG_SECURITY
> -- with_sec_disable_all is with CONFIG_SECURITY, however no submodule is 
> CONFIG
> -- selinux is with CONFIG_SECURITY, and CONFIG integrity and selinux 
> only, however no policy enabled

Don't enable integrity if you want to evaluate just LSM/SELinux 
overheads.  Also not sure what kind of behavior you get from SELinux 
with no policy loaded; it wasn't designed to be used that way beyond 
early initialization up to the point where init/systemd loads policy. 
Better comparisons would be running standard benchmarks on e.g. Fedora 
with SELinux disabled versus enabled as well as with LSM completely 
disabled.  Then you'd be evaluating SELinux with a policy in enforcing 
mode on a distro that actually supports it.  Similarly, evaluating 
AppArmor perf is best done on a distro that supports it and provides a 
policy, e.g. Ubuntu or latest Debian.

> 
> One interesting fact generated from this test is that, selinux and 
> integrity CONFIG introduces about 20% performance downgrade for readdir.

Would have to see the actual benchmark code, complete kernel config, and 
kernel version to evaluate that result meaningfully.

BTW, it would be interesting to evaluate the LSM overhead alone (i.e. 
CONFIG_SECURITY=y CONFIG_SECURITY_NETWORK=y but all other 
CONFIG_SECURITY*=n) before and after the switch to LSM hook lists aka 
stacking support.  Don't think we ever saw micro benchmark data for that 
change IIRC.

> 
> without_sec 
> <https://drive.google.com/drive/folders/1TuUB1JT5bijG-hNvN1Dti7DyFIXM3u_g>
> 
> with_sec_disable_all 
> <https://drive.google.com/drive/folders/1bWrQ-dTSn1p05hVyvIUIAE4hkKgUp6D->
> 
> selinux 
> <https://drive.google.com/drive/folders/1132zzrw42XH8tbNgYvd44LuocgIw4Wq6>
> 
> 
> 
> On Tue, Jan 14, 2020 at 6:59 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> 
>     On 1/14/2020 1:15 PM, Wenhui Zhang wrote:
>      >
>      > On Tue, Jan 14, 2020 at 4:08 PM Casey Schaufler
>     <casey@schaufler-ca.com> wrote:
>      >
>      >     On 1/14/2020 12:15 PM, Wenhui Zhang wrote:
>      >     > Hi, Casey:
>      >     >
>      >     > I just performed a performance check on
>      >     > 1. v5.3 with DAC only, and
>      >     > 2. v5.3 with DAC and MAC framework, an empty-policy enabled
>     in sub-modules(e.g. selinux)
>      >
>     This is great. Do you have data for a system without CONFIG_SECURITY?
> 
> -- 
> V/R,
> 
> Wenhui Zhang
> 
> Email: wenhui@gwmail.gwu.edu
> Telephone: 1-(703) 424 3193

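The three kernel configurations compared in this thread (no CONFIG_SECURITY at all; the LSM framework alone with CONFIG_SECURITY=y, CONFIG_SECURITY_NETWORK=y and every other CONFIG_SECURITY*=n; and the framework plus SELinux) are easy to get subtly wrong, which is the point of the "don't enable integrity" remark above. The script below is an added example, not code from the kernel tree or from any poster: it parses a .config, says which of those cases it is, and warns about the confounds raised in the thread (CONFIG_INTEGRITY on, stray CONFIG_SECURITY_* options in a supposedly framework-only build, an LSM built in but left out of the CONFIG_LSM ordering string so it never initialises). The sample configs are constructed; the symbol names are the real v5.3 Kconfig options.

```python
"""Sort a kernel .config into the LSM comparison cases from this thread.

Added example, not code from the kernel tree or from any poster.  The
constructed samples at the bottom stand in for real configs; the symbol
names are the actual v5.3 Kconfig options.
"""
import re

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_NOT_SET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")

# Symbols that build a security module into the framework (v5.3 names),
# mapped to the name each uses in the CONFIG_LSM ordering string.
LSM_MODULES = {
    "CONFIG_SECURITY_SELINUX": "selinux",
    "CONFIG_SECURITY_SMACK": "smack",
    "CONFIG_SECURITY_TOMOYO": "tomoyo",
    "CONFIG_SECURITY_APPARMOR": "apparmor",
    "CONFIG_SECURITY_LOADPIN": "loadpin",
    "CONFIG_SECURITY_YAMA": "yama",
    "CONFIG_SECURITY_SAFESETID": "safesetid",
    "CONFIG_SECURITY_LOCKDOWN_LSM": "lockdown",
}


def parse_config(text):
    """Map each CONFIG_ symbol to its value; '# X is not set' becomes 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _NOT_SET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def classify(opts):
    """Return (case, warnings): case is 'no-lsm', 'lsm-only' or 'lsm+<mods>'."""
    def on(sym):
        return opts.get(sym, "n") in ("y", "m")

    warnings = []
    if not on("CONFIG_SECURITY"):
        return "no-lsm", warnings

    if on("CONFIG_INTEGRITY"):
        warnings.append("CONFIG_INTEGRITY is on; its hooks get timed together "
                        "with the LSM, so turn it off for LSM/SELinux numbers")
    if not on("CONFIG_SECURITY_NETWORK"):
        warnings.append("CONFIG_SECURITY_NETWORK is off; the framework-only "
                        "baseline in the thread has it on")

    modules = [name for sym, name in LSM_MODULES.items() if on(sym)]
    if not modules:
        # Framework only: nothing else under CONFIG_SECURITY* may be set.
        extras = sorted(sym for sym, val in opts.items()
                        if sym.startswith("CONFIG_SECURITY")
                        and sym not in ("CONFIG_SECURITY", "CONFIG_SECURITY_NETWORK")
                        and val in ("y", "m"))
        if extras:
            warnings.append("not a clean framework-only baseline, also set: "
                            + ", ".join(extras))
        return "lsm-only", warnings

    # Since v5.1 the CONFIG_LSM string orders which built-in modules are
    # initialised; a module missing from it stays inactive at boot unless an
    # lsm= (or legacy security=) kernel parameter names it.  Older configs
    # have no CONFIG_LSM symbol at all, so only check when it is present.
    order_str = opts.get("CONFIG_LSM")
    if order_str is not None:
        order = order_str.split(",")
        for name in modules:
            if name not in order:
                warnings.append(f"{name} is built in but absent from CONFIG_LSM; "
                                "it will not initialise without lsm=/security=")
    return "lsm+" + ",".join(modules), warnings


# Constructed samples, one per case; not copied from any distro config.
SAMPLE_NO_LSM = """\
# CONFIG_SECURITY is not set
# CONFIG_SECURITYFS is not set
"""
SAMPLE_LSM_ONLY = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
# CONFIG_SECURITY_NETWORK_XFRM is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_INTEGRITY is not set
CONFIG_LSM=""
"""
SAMPLE_SELINUX = """\
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor"
"""

if __name__ == "__main__":
    for label, text in (("without_sec", SAMPLE_NO_LSM),
                        ("with_sec_disable_all", SAMPLE_LSM_ONLY),
                        ("selinux", SAMPLE_SELINUX)):
        case, warns = classify(parse_config(text))
        print(f"{label}: {case}")
        for w in warns:
            print("  warning:", w)
```

Run it against a real `/boot/config-$(uname -r)` by passing the file contents to `parse_config`; a result of `lsm-only` with no warnings is the baseline the thread asks for, and `lsm+selinux` with no warnings is the configuration to pair with a distro-supplied policy in enforcing mode.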
