From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.5 required=3.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED,DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76883C4363D for ; Thu, 24 Sep 2020 12:44:57 +0000 (UTC) Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 0A4E2206D9 for ; Thu, 24 Sep 2020 12:44:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="nCGFriv/" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0A4E2206D9 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=containers-bounces@lists.linux-foundation.org Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id BC1A92E10C; Thu, 24 Sep 2020 12:44:56 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ic6gq3HJz9RA; Thu, 24 Sep 2020 12:44:53 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by silver.osuosl.org (Postfix) with ESMTP id F34552E0FE; Thu, 24 Sep 2020 12:44:52 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id EDFA5C0890; Thu, 24 Sep 2020 12:44:52 +0000 (UTC) Received: from silver.osuosl.org (smtp3.osuosl.org [140.211.166.136]) by lists.linuxfoundation.org (Postfix) with ESMTP id D9099C0859 for ; Thu, 24 Sep 2020 12:44:50 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by silver.osuosl.org (Postfix) with ESMTP id C5DB42E109 for ; Thu, 24 Sep 2020 12:44:50 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from silver.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Unp4yRo+LW+W for ; Thu, 24 Sep 2020 12:44:46 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-il1-f176.google.com (mail-il1-f176.google.com [209.85.166.176]) by silver.osuosl.org (Postfix) with ESMTPS id 65C4027E4C for ; Thu, 24 Sep 2020 12:44:46 +0000 (UTC) Received: by mail-il1-f176.google.com with SMTP id s88so2963593ilb.6 for ; Thu, 24 Sep 2020 05:44:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=3aehQo/yRfhFUHB1dumyvMfUbkZ02zfVtfOyrlCUCaI=; b=nCGFriv/8sgax0UHt+DUO8aQ986sUT+eqetbLNt9cYwSA3JzUS4hp5nL0wEM4pDTm4 I0511RNTK5Sw5wnEuoK5FJvNGXPvJJa/zuBMBizsKorOvdwkOkJQwjIsxJaHk5A2Towe 9ParrxvHFlSz7guxQBiJxr/Wdwy2LpeY2rYO/flxXbmHb6A+6ifwep3PwdkcOpWGEh0J z1GyyrJs1y+YYpZ6yqjWcCyR2pK3+OlluaO02FNvAJT1UV1oLUTlKCDbbuNXJPaDAFP+ Nwsk2E0k2h0NIOY9bC32nx07R5QkFCdpTCJgfH9RgGIn7xqCwTyxfpr69/Xa8Q0Y2YLH Rs+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=3aehQo/yRfhFUHB1dumyvMfUbkZ02zfVtfOyrlCUCaI=; b=Z3BGe2Chr6GVaFisW7hLV8O8IJEjKoXid4DhcY2STSyKfQnpH5bpOKZntynpvpKw3S iQv6FQwpvELKrQLimMw8ktA7KafVI5ThBRVlWfiU+knTFD194vSmbzqYQJJYDzE+3BiD O/y9uQqVXUXGqwUn1kgi25OAr63guEEQfnOgeknULv94n3cfU7UJIGSa+ZKcnrW7eaPn /7X1D7rN4+LRAgz5XqRXnFlpOSxB96NEZ+PDVdiSeh7EP2meJgu4e3YX4PiVy/7w5Crb H7Y7wIWeTEJJ2F/2kTbWKynrEs+O1rC8bK58QsqqrL3bdFrHHpRZ6XrwAhM9+xC7SDth 3CXg== X-Gm-Message-State: AOAM530BEQ8p5DnxxVyrWfZI0si1bfDGknfJpP7zeBMQSfKvgubyK69i RhImI0q37YUWfGCVb3pxchUunabhwIxHsg== X-Google-Smtp-Source: ABdhPJxtAhUVAW7pPuRTVnNeknSF1GHXhg6olEpVTDJpgnqnoZCs1cVoTvO5gywN4hMQ0Xne4LgiNw== X-Received: by 2002:a92:1503:: with SMTP id v3mr3782779ilk.56.1600951485405; Thu, 24 Sep 2020 05:44:45 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id p5sm1575175ilg.32.2020.09.24.05.44.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Sep 2020 05:44:44 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux-foundation.org Subject: [PATCH v2 seccomp 5/6] selftests/seccomp: Compare bitmap vs filter overhead Date: Thu, 24 Sep 2020 07:44:20 -0500 Message-Id: X-Mailer: git-send-email 2.28.0 In-Reply-To: References: MIME-Version: 1.0 Cc: Andrea Arcangeli , Giuseppe Scrivano , Valentin Rothberg , Kees Cook , Jann Horn , YiFei Zhu , Tobin Feldman-Fitzthum , linux-kernel@vger.kernel.org, Andy Lutomirski , Hubertus Franke , Jack Chen , Dimitrios Skarlatos , Josep Torrellas , Will Drewry , bpf@vger.kernel.org, Tianyin Xu X-BeenThere: containers@lists.linux-foundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Linux Containers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: containers-bounces@lists.linux-foundation.org Sender: "Containers" RnJvbTogS2VlcyBDb29rIDxrZWVzY29va0BjaHJvbWl1bS5vcmc+CgpBcyBwYXJ0IG9mIHRoZSBz ZWNjb21wIGJlbmNobWFya2luZywgaW5jbHVkZSB0aGUgZXhwZWN0YXRpb25zIHdpdGgKcmVnYXJk IHRvIHRoZSB0aW1pbmcgYmVoYXZpb3Igb2YgdGhlIGNvbnN0YW50IGFjdGlvbiBiaXRtYXBzLCBh bmQgcmVwb3J0CmluY29uc2lzdGVuY2llcyBiZXR0ZXIuCgpFeGFtcGxlIG91dHB1dCB3aXRoIGNv bnN0YW50IGFjdGlvbiBiaXRtYXBzIG9uIHg4NjoKCiQgc3VkbyAuL3NlY2NvbXBfYmVuY2htYXJr IDEwMDAwMDAwMApDdXJyZW50IEJQRiBzeXNjdGwgc2V0dGluZ3M6Cm5ldC5jb3JlLmJwZl9qaXRf ZW5hYmxlID0gMQpuZXQuY29yZS5icGZfaml0X2hhcmRlbiA9IDAKQmVuY2htYXJraW5nIDEwMDAw MDAwMCBzeXNjYWxscy4uLgo2My44OTYyNTUzNTggLSAwLjAwODUwNDUyOSA9IDYzODg3NzUwODI5 ICg2My45cykKZ2V0cGlkIG5hdGl2ZTogNjM4IG5zCjEzMC4zODMzMTI0MjMgLSA2My44OTczMTUx ODkgPSA2NjQ4NTk5NzIzNCAoNjYuNXMpCmdldHBpZCBSRVRfQUxMT1cgMSBmaWx0ZXIgKGJpdG1h cCk6IDY2NCBucwoxOTYuNzg5MDgwNDIxIC0gMTMwLjM4NDQxNDk4MyA9IDY2NDA0NjY1NDM4ICg2 Ni40cykKZ2V0cGlkIFJFVF9BTExPVyAyIGZpbHRlcnMgKGJpdG1hcCk6IDY2NCBucwoyNjguODQ0 NjQzMzA0IC0gMTk2Ljc5MDIzNDE2OCA9IDcyMDU0NDA5MTM2ICg3Mi4xcykKZ2V0cGlkIFJFVF9B TExPVyAzIGZpbHRlcnMgKGZ1bGwpOiA3MjAgbnMKMzQyLjYyNzQ3MjUxNSAtIDI2OC44NDU3OTkx MDMgPSA3Mzc4MTY3MzQxMiAoNzMuOHMpCmdldHBpZCBSRVRfQUxMT1cgNCBmaWx0ZXJzIChmdWxs KTogNzM3IG5zCkVzdGltYXRlZCB0b3RhbCBzZWNjb21wIG92ZXJoZWFkIGZvciAxIGJpdG1hcHBl ZCBmaWx0ZXI6IDI2IG5zCkVzdGltYXRlZCB0b3RhbCBzZWNjb21wIG92ZXJoZWFkIGZvciAyIGJp dG1hcHBlZCBmaWx0ZXJzOiAyNiBucwpFc3RpbWF0ZWQgdG90YWwgc2VjY29tcCBvdmVyaGVhZCBm b3IgMyBmdWxsIGZpbHRlcnM6IDgyIG5zCkVzdGltYXRlZCB0b3RhbCBzZWNjb21wIG92ZXJoZWFk IGZvciA0IGZ1bGwgZmlsdGVyczogOTkgbnMKRXN0aW1hdGVkIHNlY2NvbXAgZW50cnkgb3Zlcmhl YWQ6IDI2IG5zCkVzdGltYXRlZCBzZWNjb21wIHBlci1maWx0ZXIgb3ZlcmhlYWQgKGxhc3QgMiBk aWZmKTogMTcgbnMKRXN0aW1hdGVkIHNlY2NvbXAgcGVyLWZpbHRlciBvdmVyaGVhZCAoZmlsdGVy cyAvIDQpOiAxOCBucwpFeHBlY3RhdGlvbnM6CgluYXRpdmUg4omkIDEgYml0bWFwICg2Mzgg4omk IDY2NCk6IOKclO+4jwoJbmF0aXZlIOKJpCAxIGZpbHRlciAoNjM4IOKJpCA3MjApOiDinJTvuI8K CXBlci1maWx0ZXIgKGxhc3QgMiBkaWZmKSDiiYggcGVyLWZpbHRlciAoZmlsdGVycyAvIDQpICgx NyDiiYggMTgpOiDinJTvuI8KCTEgYml0bWFwcGVkIOKJiCAyIGJpdG1hcHBlZCAoMjYg4omIIDI2 KTog4pyU77iPCgllbnRyeSDiiYggMSBiaXRtYXBwZWQgKDI2IOKJiCAyNik6IOKclO+4jwoJZW50 cnkg4omIIDIgYml0bWFwcGVkICgyNiDiiYggMjYpOiDinJTvuI8KCW5hdGl2ZSArIGVudHJ5ICsg KHBlciBmaWx0ZXIgKiA0KSDiiYggNCBmaWx0ZXJzIHRvdGFsICg3MzIg4omIIDczNyk6IOKclO+4 jwoKU2lnbmVkLW9mZi1ieTogS2VlcyBDb29rIDxrZWVzY29va0BjaHJvbWl1bS5vcmc+ClNpZ25l ZC1vZmYtYnk6IFlpRmVpIFpodSA8eWlmZWlmejJAaWxsaW5vaXMuZWR1PgotLS0KIC4uLi9zZWxm dGVzdHMvc2VjY29tcC9zZWNjb21wX2JlbmNobWFyay5jICAgICB8IDE1MSArKysrKysrKysrKysr KystLS0KIHRvb2xzL3Rlc3Rpbmcvc2VsZnRlc3RzL3NlY2NvbXAvc2V0dGluZ3MgICAgICB8ICAg MiArLQogMiBmaWxlcyBjaGFuZ2VkLCAxMzAgaW5zZXJ0aW9ucygrKSwgMjMgZGVsZXRpb25zKC0p CgpkaWZmIC0tZ2l0IGEvdG9vbHMvdGVzdGluZy9zZWxmdGVzdHMvc2VjY29tcC9zZWNjb21wX2Jl bmNobWFyay5jIGIvdG9vbHMvdGVzdGluZy9zZWxmdGVzdHMvc2VjY29tcC9zZWNjb21wX2JlbmNo bWFyay5jCmluZGV4IDkxZjVhODljYWRhYy4uZmNjODA2NTg1MjY2IDEwMDY0NAotLS0gYS90b29s cy90ZXN0aW5nL3NlbGZ0ZXN0cy9zZWNjb21wL3NlY2NvbXBfYmVuY2htYXJrLmMKKysrIGIvdG9v bHMvdGVzdGluZy9zZWxmdGVzdHMvc2VjY29tcC9zZWNjb21wX2JlbmNobWFyay5jCkBAIC00LDEy ICs0LDE2IEBACiAgKi8KICNkZWZpbmUgX0dOVV9TT1VSQ0UKICNpbmNsdWRlIDxhc3NlcnQuaD4K KyNpbmNsdWRlIDxsaW1pdHMuaD4KKyNpbmNsdWRlIDxzdGRib29sLmg+CisjaW5jbHVkZSA8c3Rk ZGVmLmg+CiAjaW5jbHVkZSA8c3RkaW8uaD4KICNpbmNsdWRlIDxzdGRsaWIuaD4KICNpbmNsdWRl IDx0aW1lLmg+CiAjaW5jbHVkZSA8dW5pc3RkLmg+CiAjaW5jbHVkZSA8bGludXgvZmlsdGVyLmg+ CiAjaW5jbHVkZSA8bGludXgvc2VjY29tcC5oPgorI2luY2x1ZGUgPHN5cy9wYXJhbS5oPgogI2lu Y2x1ZGUgPHN5cy9wcmN0bC5oPgogI2luY2x1ZGUgPHN5cy9zeXNjYWxsLmg+CiAjaW5jbHVkZSA8 c3lzL3R5cGVzLmg+CkBAIC03MCwxOCArNzQsNzQgQEAgdW5zaWduZWQgbG9uZyBsb25nIGNhbGli cmF0ZSh2b2lkKQogCXJldHVybiBzYW1wbGVzICogc2Vjb25kczsKIH0KIAorYm9vbCBhcHByb3go aW50IGlfb25lLCBpbnQgaV90d28pCit7CisJZG91YmxlIG9uZSA9IGlfb25lLCBvbmVfYnVtcCA9 IG9uZSAqIDAuMDE7CisJZG91YmxlIHR3byA9IGlfdHdvLCB0d29fYnVtcCA9IHR3byAqIDAuMDE7 CisKKwlvbmVfYnVtcCA9IG9uZSArIE1BWChvbmVfYnVtcCwgMi4wKTsKKwl0d29fYnVtcCA9IHR3 byArIE1BWCh0d29fYnVtcCwgMi4wKTsKKworCS8qIEVxdWFsIHRvLCBvciB3aXRoaW4gMSUgb3Ig MiBkaWdpdHMgKi8KKwlpZiAob25lID09IHR3byB8fAorCSAgICAob25lID4gdHdvICYmIG9uZSA8 PSB0d29fYnVtcCkgfHwKKwkgICAgKHR3byA+IG9uZSAmJiB0d28gPD0gb25lX2J1bXApKQorCQly ZXR1cm4gdHJ1ZTsKKwlyZXR1cm4gZmFsc2U7Cit9CisKK2Jvb2wgbGUoaW50IGlfb25lLCBpbnQg aV90d28pCit7CisJaWYgKGlfb25lIDw9IGlfdHdvKQorCQlyZXR1cm4gdHJ1ZTsKKwlyZXR1cm4g ZmFsc2U7Cit9CisKK2xvbmcgY29tcGFyZShjb25zdCBjaGFyICpuYW1lX29uZSwgY29uc3QgY2hh ciAqbmFtZV9ldmFsLCBjb25zdCBjaGFyICpuYW1lX3R3bywKKwkgICAgIHVuc2lnbmVkIGxvbmcg bG9uZyBvbmUsIGJvb2wgKCpldmFsKShpbnQsIGludCksIHVuc2lnbmVkIGxvbmcgbG9uZyB0d28p Cit7CisJYm9vbCBnb29kOworCisJcHJpbnRmKCJcdCVzICVzICVzICglbGxkICVzICVsbGQpOiAi LCBuYW1lX29uZSwgbmFtZV9ldmFsLCBuYW1lX3R3bywKKwkgICAgICAgKGxvbmcgbG9uZylvbmUs IG5hbWVfZXZhbCwgKGxvbmcgbG9uZyl0d28pOworCWlmIChvbmUgPiBJTlRfTUFYKSB7CisJCXBy aW50ZigiTWlzY2FsY3VsYXRpb24hIE1lYXN1cmVtZW50IHdlbnQgbmVnYXRpdmU6ICVsbGRcbiIs IChsb25nIGxvbmcpb25lKTsKKwkJcmV0dXJuIDE7CisJfQorCWlmICh0d28gPiBJTlRfTUFYKSB7 CisJCXByaW50ZigiTWlzY2FsY3VsYXRpb24hIE1lYXN1cmVtZW50IHdlbnQgbmVnYXRpdmU6ICVs bGRcbiIsIChsb25nIGxvbmcpdHdvKTsKKwkJcmV0dXJuIDE7CisJfQorCisJZ29vZCA9IGV2YWwo b25lLCB0d28pOworCXByaW50ZigiJXNcbiIsIGdvb2QgPyAi4pyU77iPIiA6ICLinYwiKTsKKwor CXJldHVybiBnb29kID8gMCA6IDE7Cit9CisKIGludCBtYWluKGludCBhcmdjLCBjaGFyICphcmd2 W10pCiB7CisJc3RydWN0IHNvY2tfZmlsdGVyIGJpdG1hcF9maWx0ZXJbXSA9IHsKKwkJQlBGX1NU TVQoQlBGX0xEfEJQRl9XfEJQRl9BQlMsIG9mZnNldG9mKHN0cnVjdCBzZWNjb21wX2RhdGEsIG5y KSksCisJCUJQRl9TVE1UKEJQRl9SRVR8QlBGX0ssIFNFQ0NPTVBfUkVUX0FMTE9XKSwKKwl9Owor CXN0cnVjdCBzb2NrX2Zwcm9nIGJpdG1hcF9wcm9nID0geworCQkubGVuID0gKHVuc2lnbmVkIHNo b3J0KUFSUkFZX1NJWkUoYml0bWFwX2ZpbHRlciksCisJCS5maWx0ZXIgPSBiaXRtYXBfZmlsdGVy LAorCX07CiAJc3RydWN0IHNvY2tfZmlsdGVyIGZpbHRlcltdID0geworCQlCUEZfU1RNVChCUEZf TER8QlBGX1d8QlBGX0FCUywgb2Zmc2V0b2Yoc3RydWN0IHNlY2NvbXBfZGF0YSwgYXJnc1swXSkp LAogCQlCUEZfU1RNVChCUEZfUkVUfEJQRl9LLCBTRUNDT01QX1JFVF9BTExPVyksCiAJfTsKIAlz dHJ1Y3Qgc29ja19mcHJvZyBwcm9nID0gewogCQkubGVuID0gKHVuc2lnbmVkIHNob3J0KUFSUkFZ X1NJWkUoZmlsdGVyKSwKIAkJLmZpbHRlciA9IGZpbHRlciwKIAl9OwotCWxvbmcgcmV0OwotCXVu c2lnbmVkIGxvbmcgbG9uZyBzYW1wbGVzOwotCXVuc2lnbmVkIGxvbmcgbG9uZyBuYXRpdmUsIGZp bHRlcjEsIGZpbHRlcjI7CisKKwlsb25nIHJldCwgYml0czsKKwl1bnNpZ25lZCBsb25nIGxvbmcg c2FtcGxlcywgY2FsYzsKKwl1bnNpZ25lZCBsb25nIGxvbmcgbmF0aXZlLCBmaWx0ZXIxLCBmaWx0 ZXIyLCBiaXRtYXAxLCBiaXRtYXAyOworCXVuc2lnbmVkIGxvbmcgbG9uZyBlbnRyeSwgcGVyX2Zp bHRlcjEsIHBlcl9maWx0ZXIyOwogCiAJcHJpbnRmKCJDdXJyZW50IEJQRiBzeXNjdGwgc2V0dGlu Z3M6XG4iKTsKIAlzeXN0ZW0oInN5c2N0bCBuZXQuY29yZS5icGZfaml0X2VuYWJsZSIpOwpAQCAt MTAxLDM1ICsxNjEsODIgQEAgaW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkKIAlyZXQg PSBwcmN0bChQUl9TRVRfTk9fTkVXX1BSSVZTLCAxLCAwLCAwLCAwKTsKIAlhc3NlcnQocmV0ID09 IDApOwogCi0JLyogT25lIGZpbHRlciAqLwotCXJldCA9IHByY3RsKFBSX1NFVF9TRUNDT01QLCBT RUNDT01QX01PREVfRklMVEVSLCAmcHJvZyk7CisJLyogT25lIGZpbHRlciByZXN1bHRpbmcgaW4g YSBiaXRtYXAgKi8KKwlyZXQgPSBwcmN0bChQUl9TRVRfU0VDQ09NUCwgU0VDQ09NUF9NT0RFX0ZJ TFRFUiwgJmJpdG1hcF9wcm9nKTsKIAlhc3NlcnQocmV0ID09IDApOwogCi0JZmlsdGVyMSA9IHRp bWluZyhDTE9DS19QUk9DRVNTX0NQVVRJTUVfSUQsIHNhbXBsZXMpIC8gc2FtcGxlczsKLQlwcmlu dGYoImdldHBpZCBSRVRfQUxMT1cgMSBmaWx0ZXI6ICVsbHUgbnNcbiIsIGZpbHRlcjEpOworCWJp dG1hcDEgPSB0aW1pbmcoQ0xPQ0tfUFJPQ0VTU19DUFVUSU1FX0lELCBzYW1wbGVzKSAvIHNhbXBs ZXM7CisJcHJpbnRmKCJnZXRwaWQgUkVUX0FMTE9XIDEgZmlsdGVyIChiaXRtYXApOiAlbGx1IG5z XG4iLCBiaXRtYXAxKTsKKworCS8qIFNlY29uZCBmaWx0ZXIgcmVzdWx0aW5nIGluIGEgYml0bWFw ICovCisJcmV0ID0gcHJjdGwoUFJfU0VUX1NFQ0NPTVAsIFNFQ0NPTVBfTU9ERV9GSUxURVIsICZi aXRtYXBfcHJvZyk7CisJYXNzZXJ0KHJldCA9PSAwKTsKIAotCWlmIChmaWx0ZXIxID09IG5hdGl2 ZSkKLQkJcHJpbnRmKCJObyBvdmVyaGVhZCBtZWFzdXJlZCE/IFRyeSBydW5uaW5nIGFnYWluIHdp dGggbW9yZSBzYW1wbGVzLlxuIik7CisJYml0bWFwMiA9IHRpbWluZyhDTE9DS19QUk9DRVNTX0NQ VVRJTUVfSUQsIHNhbXBsZXMpIC8gc2FtcGxlczsKKwlwcmludGYoImdldHBpZCBSRVRfQUxMT1cg MiBmaWx0ZXJzIChiaXRtYXApOiAlbGx1IG5zXG4iLCBiaXRtYXAyKTsKIAotCS8qIFR3byBmaWx0 ZXJzICovCisJLyogVGhpcmQgZmlsdGVyLCBjYW4gbm8gbG9uZ2VyIGJlIGNvbnZlcnRlZCB0byBi aXRtYXAgKi8KIAlyZXQgPSBwcmN0bChQUl9TRVRfU0VDQ09NUCwgU0VDQ09NUF9NT0RFX0ZJTFRF UiwgJnByb2cpOwogCWFzc2VydChyZXQgPT0gMCk7CiAKLQlmaWx0ZXIyID0gdGltaW5nKENMT0NL X1BST0NFU1NfQ1BVVElNRV9JRCwgc2FtcGxlcykgLyBzYW1wbGVzOwotCXByaW50ZigiZ2V0cGlk IFJFVF9BTExPVyAyIGZpbHRlcnM6ICVsbHUgbnNcbiIsIGZpbHRlcjIpOwotCi0JLyogQ2FsY3Vs YXRpb25zICovCi0JcHJpbnRmKCJFc3RpbWF0ZWQgdG90YWwgc2VjY29tcCBvdmVyaGVhZCBmb3Ig MSBmaWx0ZXI6ICVsbHUgbnNcbiIsCi0JCWZpbHRlcjEgLSBuYXRpdmUpOworCWZpbHRlcjEgPSB0 aW1pbmcoQ0xPQ0tfUFJPQ0VTU19DUFVUSU1FX0lELCBzYW1wbGVzKSAvIHNhbXBsZXM7CisJcHJp bnRmKCJnZXRwaWQgUkVUX0FMTE9XIDMgZmlsdGVycyAoZnVsbCk6ICVsbHUgbnNcbiIsIGZpbHRl cjEpOwogCi0JcHJpbnRmKCJFc3RpbWF0ZWQgdG90YWwgc2VjY29tcCBvdmVyaGVhZCBmb3IgMiBm aWx0ZXJzOiAlbGx1IG5zXG4iLAotCQlmaWx0ZXIyIC0gbmF0aXZlKTsKKwkvKiBGb3VydGggZmls dGVyLCBjYW4gbm90IGJlIGNvbnZlcnRlZCB0byBiaXRtYXAgYmVjYXVzZSBvZiBmaWx0ZXIgMyAq LworCXJldCA9IHByY3RsKFBSX1NFVF9TRUNDT01QLCBTRUNDT01QX01PREVfRklMVEVSLCAmYml0 bWFwX3Byb2cpOworCWFzc2VydChyZXQgPT0gMCk7CiAKLQlwcmludGYoIkVzdGltYXRlZCBzZWNj b21wIHBlci1maWx0ZXIgb3ZlcmhlYWQ6ICVsbHUgbnNcbiIsCi0JCWZpbHRlcjIgLSBmaWx0ZXIx KTsKKwlmaWx0ZXIyID0gdGltaW5nKENMT0NLX1BST0NFU1NfQ1BVVElNRV9JRCwgc2FtcGxlcykg LyBzYW1wbGVzOworCXByaW50ZigiZ2V0cGlkIFJFVF9BTExPVyA0IGZpbHRlcnMgKGZ1bGwpOiAl bGx1IG5zXG4iLCBmaWx0ZXIyKTsKKworCS8qIEVzdGltYXRpb25zICovCisjZGVmaW5lIEVTVElN QVRFKGZtdCwgdmFyLCB3aGF0KQlkbyB7CQkJXAorCQl2YXIgPSAod2hhdCk7CQkJCQlcCisJCXBy aW50ZigiRXN0aW1hdGVkICIgZm10ICI6ICVsbHUgbnNcbiIsIHZhcik7CVwKKwkJaWYgKHZhciA+ IElOVF9NQVgpCQkJCVwKKwkJCWdvdG8gbW9yZV9zYW1wbGVzOwkJCVwKKwl9IHdoaWxlICgwKQor CisJRVNUSU1BVEUoInRvdGFsIHNlY2NvbXAgb3ZlcmhlYWQgZm9yIDEgYml0bWFwcGVkIGZpbHRl ciIsIGNhbGMsCisJCSBiaXRtYXAxIC0gbmF0aXZlKTsKKwlFU1RJTUFURSgidG90YWwgc2VjY29t cCBvdmVyaGVhZCBmb3IgMiBiaXRtYXBwZWQgZmlsdGVycyIsIGNhbGMsCisJCSBiaXRtYXAyIC0g bmF0aXZlKTsKKwlFU1RJTUFURSgidG90YWwgc2VjY29tcCBvdmVyaGVhZCBmb3IgMyBmdWxsIGZp bHRlcnMiLCBjYWxjLAorCQkgZmlsdGVyMSAtIG5hdGl2ZSk7CisJRVNUSU1BVEUoInRvdGFsIHNl Y2NvbXAgb3ZlcmhlYWQgZm9yIDQgZnVsbCBmaWx0ZXJzIiwgY2FsYywKKwkJIGZpbHRlcjIgLSBu YXRpdmUpOworCUVTVElNQVRFKCJzZWNjb21wIGVudHJ5IG92ZXJoZWFkIiwgZW50cnksCisJCSBi aXRtYXAxIC0gbmF0aXZlIC0gKGJpdG1hcDIgLSBiaXRtYXAxKSk7CisJRVNUSU1BVEUoInNlY2Nv bXAgcGVyLWZpbHRlciBvdmVyaGVhZCAobGFzdCAyIGRpZmYpIiwgcGVyX2ZpbHRlcjEsCisJCSBm aWx0ZXIyIC0gZmlsdGVyMSk7CisJRVNUSU1BVEUoInNlY2NvbXAgcGVyLWZpbHRlciBvdmVyaGVh ZCAoZmlsdGVycyAvIDQpIiwgcGVyX2ZpbHRlcjIsCisJCSAoZmlsdGVyMiAtIG5hdGl2ZSAtIGVu dHJ5KSAvIDQpOworCisJcHJpbnRmKCJFeHBlY3RhdGlvbnM6XG4iKTsKKwlyZXQgfD0gY29tcGFy ZSgibmF0aXZlIiwgIuKJpCIsICIxIGJpdG1hcCIsIG5hdGl2ZSwgbGUsIGJpdG1hcDEpOworCWJp dHMgPSBjb21wYXJlKCJuYXRpdmUiLCAi4omkIiwgIjEgZmlsdGVyIiwgbmF0aXZlLCBsZSwgZmls dGVyMSk7CisJaWYgKGJpdHMpCisJCWdvdG8gbW9yZV9zYW1wbGVzOworCisJcmV0IHw9IGNvbXBh cmUoInBlci1maWx0ZXIgKGxhc3QgMiBkaWZmKSIsICLiiYgiLCAicGVyLWZpbHRlciAoZmlsdGVy cyAvIDQpIiwKKwkJCXBlcl9maWx0ZXIxLCBhcHByb3gsIHBlcl9maWx0ZXIyKTsKKworCWJpdHMg PSBjb21wYXJlKCIxIGJpdG1hcHBlZCIsICLiiYgiLCAiMiBiaXRtYXBwZWQiLAorCQkJYml0bWFw MSAtIG5hdGl2ZSwgYXBwcm94LCBiaXRtYXAyIC0gbmF0aXZlKTsKKwlpZiAoYml0cykgeworCQlw cmludGYoIlNraXBwaW5nIGNvbnN0YW50IGFjdGlvbiBiaXRtYXAgZXhwZWN0YXRpb25zOiB0aGV5 IGFwcGVhciB1bnN1cHBvcnRlZC5cbiIpOworCQlnb3RvIG91dDsKKwl9CiAKLQlwcmludGYoIkVz dGltYXRlZCBzZWNjb21wIGVudHJ5IG92ZXJoZWFkOiAlbGx1IG5zXG4iLAotCQlmaWx0ZXIxIC0g bmF0aXZlIC0gKGZpbHRlcjIgLSBmaWx0ZXIxKSk7CisJcmV0IHw9IGNvbXBhcmUoImVudHJ5Iiwg IuKJiCIsICIxIGJpdG1hcHBlZCIsIGVudHJ5LCBhcHByb3gsIGJpdG1hcDEgLSBuYXRpdmUpOwor CXJldCB8PSBjb21wYXJlKCJlbnRyeSIsICLiiYgiLCAiMiBiaXRtYXBwZWQiLCBlbnRyeSwgYXBw cm94LCBiaXRtYXAyIC0gbmF0aXZlKTsKKwlyZXQgfD0gY29tcGFyZSgibmF0aXZlICsgZW50cnkg KyAocGVyIGZpbHRlciAqIDQpIiwgIuKJiCIsICI0IGZpbHRlcnMgdG90YWwiLAorCQkJZW50cnkg KyAocGVyX2ZpbHRlcjEgKiA0KSArIG5hdGl2ZSwgYXBwcm94LCBmaWx0ZXIyKTsKKwlpZiAocmV0 ID09IDApCisJCWdvdG8gb3V0OwogCittb3JlX3NhbXBsZXM6CisJcHJpbnRmKCJTYXcgdW5leHBl Y3RlZCBiZW5jaG1hcmsgcmVzdWx0LiBUcnkgcnVubmluZyBhZ2FpbiB3aXRoIG1vcmUgc2FtcGxl cz9cbiIpOworb3V0OgogCXJldHVybiAwOwogfQpkaWZmIC0tZ2l0IGEvdG9vbHMvdGVzdGluZy9z ZWxmdGVzdHMvc2VjY29tcC9zZXR0aW5ncyBiL3Rvb2xzL3Rlc3Rpbmcvc2VsZnRlc3RzL3NlY2Nv bXAvc2V0dGluZ3MKaW5kZXggYmE0ZDg1Zjc0Y2Q2Li42MDkxYjQ1ZDIyNmIgMTAwNjQ0Ci0tLSBh L3Rvb2xzL3Rlc3Rpbmcvc2VsZnRlc3RzL3NlY2NvbXAvc2V0dGluZ3MKKysrIGIvdG9vbHMvdGVz dGluZy9zZWxmdGVzdHMvc2VjY29tcC9zZXR0aW5ncwpAQCAtMSArMSBAQAotdGltZW91dD05MAor dGltZW91dD0xMjAKLS0gCjIuMjguMAoKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX18KQ29udGFpbmVycyBtYWlsaW5nIGxpc3QKQ29udGFpbmVyc0BsaXN0cy5s aW51eC1mb3VuZGF0aW9uLm9yZwpodHRwczovL2xpc3RzLmxpbnV4Zm91bmRhdGlvbi5vcmcvbWFp bG1hbi9saXN0aW5mby9jb250YWluZXJz From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-12.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C342C4727D for ; Thu, 24 Sep 2020 12:50:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3DC1C20708 for ; Thu, 24 Sep 2020 12:50:04 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="nCGFriv/" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727855AbgIXMoz (ORCPT ); Thu, 24 Sep 2020 08:44:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41660 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727823AbgIXMoq (ORCPT ); Thu, 24 Sep 2020 08:44:46 -0400 Received: from mail-il1-x132.google.com (mail-il1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B045C0613CE; Thu, 24 Sep 2020 05:44:46 -0700 (PDT) Received: by mail-il1-x132.google.com with SMTP id l16so2913101ilt.13; Thu, 24 Sep 2020 05:44:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=3aehQo/yRfhFUHB1dumyvMfUbkZ02zfVtfOyrlCUCaI=; b=nCGFriv/8sgax0UHt+DUO8aQ986sUT+eqetbLNt9cYwSA3JzUS4hp5nL0wEM4pDTm4 I0511RNTK5Sw5wnEuoK5FJvNGXPvJJa/zuBMBizsKorOvdwkOkJQwjIsxJaHk5A2Towe 9ParrxvHFlSz7guxQBiJxr/Wdwy2LpeY2rYO/flxXbmHb6A+6ifwep3PwdkcOpWGEh0J z1GyyrJs1y+YYpZ6yqjWcCyR2pK3+OlluaO02FNvAJT1UV1oLUTlKCDbbuNXJPaDAFP+ Nwsk2E0k2h0NIOY9bC32nx07R5QkFCdpTCJgfH9RgGIn7xqCwTyxfpr69/Xa8Q0Y2YLH Rs+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=3aehQo/yRfhFUHB1dumyvMfUbkZ02zfVtfOyrlCUCaI=; b=PAIBhKiWppEo05rqmiVBb1hZI1aD11e7uZUT/f6SqpH44uDHWjOL9ROZ0nahImkzew TqH8g9Wf/9YSduv8QuGI/zRXFaUj0WqEMrS+CyOJ/Yhy7ZshUxu1GoKRhtKlcdmMUm/X ICYRvO+H+Y/Y3DDJelK8IEnT4bhIhSopvd99ktukChAJQy7QOieLnCI1Dwi2aFbBIEV7 /j8hHDF+sN10j6oNnYklU10hUVrkJ5/8fgNNCjdgJLoy7f0lBVgIu9KqXG5c+DlmwZ1P ULndSL583Q7H2QkAlBIrsNMdAlDzTmnuBC0PJGn+OfV0tXSMBdRxoTgm7zOn1x9prh5C BGCQ== X-Gm-Message-State: AOAM5333JXwMyZ9idRRwmy1BMLUu24c3lDA2BfR0KL8VeHUbm2SfEP3V rf/oqR5LqeCtEAEYIn7E20M= X-Google-Smtp-Source: ABdhPJxtAhUVAW7pPuRTVnNeknSF1GHXhg6olEpVTDJpgnqnoZCs1cVoTvO5gywN4hMQ0Xne4LgiNw== X-Received: by 2002:a92:1503:: with SMTP id v3mr3782779ilk.56.1600951485405; Thu, 24 Sep 2020 05:44:45 -0700 (PDT) Received: from localhost.localdomain (host-173-230-99-154.tnkngak.clients.pavlovmedia.com. [173.230.99.154]) by smtp.gmail.com with ESMTPSA id p5sm1575175ilg.32.2020.09.24.05.44.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 24 Sep 2020 05:44:44 -0700 (PDT) From: YiFei Zhu To: containers@lists.linux-foundation.org Cc: YiFei Zhu , bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Aleksa Sarai , Andrea Arcangeli , Andy Lutomirski , Dimitrios Skarlatos , Giuseppe Scrivano , Hubertus Franke , Jack Chen , Jann Horn , Josep Torrellas , Kees Cook , Tianyin Xu , Tobin Feldman-Fitzthum , Tycho Andersen , Valentin Rothberg , Will Drewry Subject: [PATCH v2 seccomp 5/6] selftests/seccomp: Compare bitmap vs filter overhead Date: Thu, 24 Sep 2020 07:44:20 -0500 Message-Id: X-Mailer: git-send-email 2.28.0 In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Kees Cook As part of the seccomp benchmarking, include the expectations with regard to the timing behavior of the constant action bitmaps, and report inconsistencies better. Example output with constant action bitmaps on x86: $ sudo ./seccomp_benchmark 100000000 Current BPF sysctl settings: net.core.bpf_jit_enable = 1 net.core.bpf_jit_harden = 0 Benchmarking 100000000 syscalls... 63.896255358 - 0.008504529 = 63887750829 (63.9s) getpid native: 638 ns 130.383312423 - 63.897315189 = 66485997234 (66.5s) getpid RET_ALLOW 1 filter (bitmap): 664 ns 196.789080421 - 130.384414983 = 66404665438 (66.4s) getpid RET_ALLOW 2 filters (bitmap): 664 ns 268.844643304 - 196.790234168 = 72054409136 (72.1s) getpid RET_ALLOW 3 filters (full): 720 ns 342.627472515 - 268.845799103 = 73781673412 (73.8s) getpid RET_ALLOW 4 filters (full): 737 ns Estimated total seccomp overhead for 1 bitmapped filter: 26 ns Estimated total seccomp overhead for 2 bitmapped filters: 26 ns Estimated total seccomp overhead for 3 full filters: 82 ns Estimated total seccomp overhead for 4 full filters: 99 ns Estimated seccomp entry overhead: 26 ns Estimated seccomp per-filter overhead (last 2 diff): 17 ns Estimated seccomp per-filter overhead (filters / 4): 18 ns Expectations: native ≤ 1 bitmap (638 ≤ 664): ✔️ native ≤ 1 filter (638 ≤ 720): ✔️ per-filter (last 2 diff) ≈ per-filter (filters / 4) (17 ≈ 18): ✔️ 1 bitmapped ≈ 2 bitmapped (26 ≈ 26): ✔️ entry ≈ 1 bitmapped (26 ≈ 26): ✔️ entry ≈ 2 bitmapped (26 ≈ 26): ✔️ native + entry + (per filter * 4) ≈ 4 filters total (732 ≈ 737): ✔️ Signed-off-by: Kees Cook Signed-off-by: YiFei Zhu --- .../selftests/seccomp/seccomp_benchmark.c | 151 +++++++++++++++--- tools/testing/selftests/seccomp/settings | 2 +- 2 files changed, 130 insertions(+), 23 deletions(-) diff --git a/tools/testing/selftests/seccomp/seccomp_benchmark.c b/tools/testing/selftests/seccomp/seccomp_benchmark.c index 91f5a89cadac..fcc806585266 100644 --- a/tools/testing/selftests/seccomp/seccomp_benchmark.c +++ b/tools/testing/selftests/seccomp/seccomp_benchmark.c @@ -4,12 +4,16 @@ */ #define _GNU_SOURCE #include +#include +#include +#include #include #include #include #include #include #include +#include #include #include #include @@ -70,18 +74,74 @@ unsigned long long calibrate(void) return samples * seconds; } +bool approx(int i_one, int i_two) +{ + double one = i_one, one_bump = one * 0.01; + double two = i_two, two_bump = two * 0.01; + + one_bump = one + MAX(one_bump, 2.0); + two_bump = two + MAX(two_bump, 2.0); + + /* Equal to, or within 1% or 2 digits */ + if (one == two || + (one > two && one <= two_bump) || + (two > one && two <= one_bump)) + return true; + return false; +} + +bool le(int i_one, int i_two) +{ + if (i_one <= i_two) + return true; + return false; +} + +long compare(const char *name_one, const char *name_eval, const char *name_two, + unsigned long long one, bool (*eval)(int, int), unsigned long long two) +{ + bool good; + + printf("\t%s %s %s (%lld %s %lld): ", name_one, name_eval, name_two, + (long long)one, name_eval, (long long)two); + if (one > INT_MAX) { + printf("Miscalculation! Measurement went negative: %lld\n", (long long)one); + return 1; + } + if (two > INT_MAX) { + printf("Miscalculation! Measurement went negative: %lld\n", (long long)two); + return 1; + } + + good = eval(one, two); + printf("%s\n", good ? "✔️" : "❌"); + + return good ? 0 : 1; +} + int main(int argc, char *argv[]) { + struct sock_filter bitmap_filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr)), + BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), + }; + struct sock_fprog bitmap_prog = { + .len = (unsigned short)ARRAY_SIZE(bitmap_filter), + .filter = bitmap_filter, + }; struct sock_filter filter[] = { + BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, args[0])), BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), }; struct sock_fprog prog = { .len = (unsigned short)ARRAY_SIZE(filter), .filter = filter, }; - long ret; - unsigned long long samples; - unsigned long long native, filter1, filter2; + + long ret, bits; + unsigned long long samples, calc; + unsigned long long native, filter1, filter2, bitmap1, bitmap2; + unsigned long long entry, per_filter1, per_filter2; printf("Current BPF sysctl settings:\n"); system("sysctl net.core.bpf_jit_enable"); @@ -101,35 +161,82 @@ int main(int argc, char *argv[]) ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); assert(ret == 0); - /* One filter */ - ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); + /* One filter resulting in a bitmap */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bitmap_prog); assert(ret == 0); - filter1 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; - printf("getpid RET_ALLOW 1 filter: %llu ns\n", filter1); + bitmap1 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; + printf("getpid RET_ALLOW 1 filter (bitmap): %llu ns\n", bitmap1); + + /* Second filter resulting in a bitmap */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bitmap_prog); + assert(ret == 0); - if (filter1 == native) - printf("No overhead measured!? Try running again with more samples.\n"); + bitmap2 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; + printf("getpid RET_ALLOW 2 filters (bitmap): %llu ns\n", bitmap2); - /* Two filters */ + /* Third filter, can no longer be converted to bitmap */ ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); assert(ret == 0); - filter2 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; - printf("getpid RET_ALLOW 2 filters: %llu ns\n", filter2); - - /* Calculations */ - printf("Estimated total seccomp overhead for 1 filter: %llu ns\n", - filter1 - native); + filter1 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; + printf("getpid RET_ALLOW 3 filters (full): %llu ns\n", filter1); - printf("Estimated total seccomp overhead for 2 filters: %llu ns\n", - filter2 - native); + /* Fourth filter, can not be converted to bitmap because of filter 3 */ + ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bitmap_prog); + assert(ret == 0); - printf("Estimated seccomp per-filter overhead: %llu ns\n", - filter2 - filter1); + filter2 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; + printf("getpid RET_ALLOW 4 filters (full): %llu ns\n", filter2); + + /* Estimations */ +#define ESTIMATE(fmt, var, what) do { \ + var = (what); \ + printf("Estimated " fmt ": %llu ns\n", var); \ + if (var > INT_MAX) \ + goto more_samples; \ + } while (0) + + ESTIMATE("total seccomp overhead for 1 bitmapped filter", calc, + bitmap1 - native); + ESTIMATE("total seccomp overhead for 2 bitmapped filters", calc, + bitmap2 - native); + ESTIMATE("total seccomp overhead for 3 full filters", calc, + filter1 - native); + ESTIMATE("total seccomp overhead for 4 full filters", calc, + filter2 - native); + ESTIMATE("seccomp entry overhead", entry, + bitmap1 - native - (bitmap2 - bitmap1)); + ESTIMATE("seccomp per-filter overhead (last 2 diff)", per_filter1, + filter2 - filter1); + ESTIMATE("seccomp per-filter overhead (filters / 4)", per_filter2, + (filter2 - native - entry) / 4); + + printf("Expectations:\n"); + ret |= compare("native", "≤", "1 bitmap", native, le, bitmap1); + bits = compare("native", "≤", "1 filter", native, le, filter1); + if (bits) + goto more_samples; + + ret |= compare("per-filter (last 2 diff)", "≈", "per-filter (filters / 4)", + per_filter1, approx, per_filter2); + + bits = compare("1 bitmapped", "≈", "2 bitmapped", + bitmap1 - native, approx, bitmap2 - native); + if (bits) { + printf("Skipping constant action bitmap expectations: they appear unsupported.\n"); + goto out; + } - printf("Estimated seccomp entry overhead: %llu ns\n", - filter1 - native - (filter2 - filter1)); + ret |= compare("entry", "≈", "1 bitmapped", entry, approx, bitmap1 - native); + ret |= compare("entry", "≈", "2 bitmapped", entry, approx, bitmap2 - native); + ret |= compare("native + entry + (per filter * 4)", "≈", "4 filters total", + entry + (per_filter1 * 4) + native, approx, filter2); + if (ret == 0) + goto out; +more_samples: + printf("Saw unexpected benchmark result. Try running again with more samples?\n"); +out: return 0; } diff --git a/tools/testing/selftests/seccomp/settings b/tools/testing/selftests/seccomp/settings index ba4d85f74cd6..6091b45d226b 100644 --- a/tools/testing/selftests/seccomp/settings +++ b/tools/testing/selftests/seccomp/settings @@ -1 +1 @@ -timeout=90 +timeout=120 -- 2.28.0