From: Stephen Smalley <sds@tycho.nsa.gov>
To: Wenhui Zhang <wenhui@gwmail.gwu.edu>
Cc: John Johansen <john.johansen@canonical.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Casey Schaufler <casey.schaufler@intel.com>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org,
SELinux <selinux@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
penguin-kernel@i-love.sakura.ne.jp,
Paul Moore <paul@paul-moore.com>
Subject: Re: Perf Data on LSM in v5.3
Date: Wed, 15 Jan 2020 10:42:17 -0500 [thread overview]
Message-ID: <fe62d7a7-5f7c-cb14-01b1-f3d7fef2862b@tycho.nsa.gov> (raw)
In-Reply-To: <1479ac1a-b957-f907-b983-c0bcefd51457@tycho.nsa.gov>
On 1/15/20 10:34 AM, Stephen Smalley wrote:
> On 1/15/20 10:21 AM, Wenhui Zhang wrote:
>>
>> On Wed, Jan 15, 2020 at 9:08 AM Stephen Smalley <sds@tycho.nsa.gov
>> <mailto:sds@tycho.nsa.gov>> wrote:
>>
>> On 1/15/20 8:40 AM, Stephen Smalley wrote:
>> > On 1/14/20 8:00 PM, Wenhui Zhang wrote:
>> >> Hi, John:
>> >>
>> >> It seems like, the MAC hooks are default to*return 0 or empty
>> void
>> >> hooks* if CONFIG_SECURITY, CONFIG_SECURITY_NETWORK ,
>> >> CONFIG_PAGE_TABLE_ISOLATION, CONFIG_SECURITY_INFINIBAND,
>> >> CONFIG_SECURITY_PATH, CONFIG_INTEL_TXT,
>> >> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR,
>> >> CONFIG_HARDENED_USERCOPY, CONFIG_HARDENED_USERCOPY_FALLBACK *are
>> NOT
>> >> set*.
>> >>
>> >> If HOOKs are "return 0 or empty void hooks", MAC is not enabled.
>> >> In runtime of fs-benchmarks, if CONFIG_DEFAULT_SECURITY_DAC=y,
>> then
>> >> capability is enabled.
>> >>
>> >> Please correct me if I am wrong.
>> >>
>> >> For the first test, wo-sec is tested with:
>> >> # CONFIG_SECURITY_DMESG_RESTRICT is not set
>> >> # CONFIG_SECURITY is not set
>> >> # CONFIG_SECURITYFS is not set
>> >> # CONFIG_PAGE_TABLE_ISOLATION is not set
>> >> # CONFIG_INTEL_TXT is not set
>> >> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
>> >> # CONFIG_HARDENED_USERCOPY is not set
>> >> CONFIG_FORTIFY_SOURCE=y
>> >> # CONFIG_STATIC_USERMODEHELPER is not set
>> >> CONFIG_DEFAULT_SECURITY_DAC=y
>> >>
>> >>
>> >> For the second test, w-sec is tested with:
>> >> # CONFIG_SECURITY_DMESG_RESTRICT is not set
>> >> CONFIG_SECURITY=y
>> >> CONFIG_SECURITYFS=y
>> >> # CONFIG_SECURITY_NETWORK is not set
>> >> CONFIG_PAGE_TABLE_ISOLATION=y
>> >> CONFIG_SECURITY_INFINIBAND=y
>> >> CONFIG_SECURITY_PATH=y
>> >> CONFIG_INTEL_TXT=y
>> >> CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
>> >> CONFIG_HARDENED_USERCOPY=y
>> >> CONFIG_HARDENED_USERCOPY_FALLBACK=y
>> >> # CONFIG_HARDENED_USERCOPY_PAGESPAN is not set
>> >> CONFIG_FORTIFY_SOURCE=y
>> >> # CONFIG_STATIC_USERMODEHELPER is not set
>> >> # CONFIG_SECURITY_SMACK is not set
>> >> # CONFIG_SECURITY_TOMOYO is not set
>> >> # CONFIG_SECURITY_APPARMOR is not set
>> >> # CONFIG_SECURITY_LOADPIN is not set
>> >> # CONFIG_SECURITY_YAMA is not set
>> >> # CONFIG_SECURITY_SAFESETID is not set
>> >> # CONFIG_INTEGRITY is not set
>> >> CONFIG_DEFAULT_SECURITY_DAC=y
>> >> #
>> >>
>>
>> CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo"
>>
>>
>> >>
>> >
>> > Your configs should only differ with respect to CONFIG_SECURITY*
>> if you
>> > want to evaluate LSM, SELinux, etc overheads.
>> PAGE_TABLE_ISOLATION,
>> > INTEL_TXT, and HARDENED_USERCOPY are not relevant to LSM itself.
>> >
>> > Also, what benchmarks are you using? Your own home-grown ones, a
>> set of
>> > open source standard benchmarks (if so, which ones?). You should
>> > include both micro and macro benchmarks in your suite.
>> >
>> > How stable are your results? What kind of variance / standard
>> deviation
>> > are you seeing?
>> >
>> > It is hard to get meaningful, reliable performance measurements
>> so going
>> > down this road is not to be done lightly.
>>
>> Also, I note that you don't enable CONFIG_SECURITY_NETWORK above.
>> That
>> means you aren't including the base LSM overhead for the networking
>> security hooks. So if you then compare that against SELinux (which
>> requires CONFIG_SECURITY_NETWORK), you are going to end up
>> attributing
>> the cost of both the LSM overhead and SELinux overhead all to
>> SELinux.
>> If you truly want to isolate the base LSM overhead, you need to
>> enable
>> all the hooks.
>>
>> I will give it a try for enabling CONFIG_SECURITY_NETWORK later this
>> week, however I wonder if this would affect the test results that much.
>> I am testing with LMBench 2.5 , with focusing on filesystem unit
>> tests, however not network stack at this time.
>> My understanding of why this result is so different from previous
>> paper 20 years ago, is that the Bottleneck changes.
>> As Chris was testing with 4 cores , each 700MHz CPU, and 128MB memory,
>> with HDD (latency is about 20,000,000 ns for sequential read).
>> The Bottleneck of accessing files w/ MAC are mostly on I/O.
>> However hardware setup is different now, we have much larger and
>> faster memory (better prefetching as well), with SSD (latency is about
>> 49,000 ns for sequential read). , while CPU speed is not increasing as
>> much as that of I/O.
>> The Bottleneck of accessing files w/ MAC are mostly on CPU now.
>
> Don't know if lmbench is still a good benchmark and I recall struggling
> with it even back then to get stable results.
>
> Could be bottleneck changes, could be the fact that your kernel config
> changes aren't limited to CONFIG_SECURITY* (e.g. PTI introduces
> non-trivial overheads), could be changes to LSM since that time (e.g.
> stacking support, moving security_ calls out-of-line, more hooks, ...),
> could be that running SELinux w/o policy is flooding the system logs
> with warnings or other messages since it wasn't really designed to be
> used that way past initialization. Lots of options, can't tell without
> more info on your details.
I'd think that these days one would leverage perf and/or lkp for Linux
kernel performance measurements, not lmbench.
next prev parent reply other threads:[~2020-01-15 15:41 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAOSEQ1poqrUQdRc+ZLNbEoPqgd4MMomeYmefjca_mj-2zxrdUA@mail.gmail.com>
2020-01-14 21:07 ` Perf Data on LSM in v5.3 Casey Schaufler
[not found] ` <CAOSEQ1p0q4gxVwN3MJkP=xxn4GUVaKsaArtQpxNy5rv7vYvVVw@mail.gmail.com>
2020-01-14 23:59 ` Casey Schaufler
[not found] ` <CAOSEQ1qipfe0Juz+4V9FgebAPDDXePd29s8=G1pFtHGqx4Sedg@mail.gmail.com>
2020-01-15 14:06 ` Stephen Smalley
2020-01-15 0:24 ` John Johansen
[not found] ` <CAOSEQ1rBu+wRzgk_Jh2RsZpf8Lv1+WUi-Pte-EsBMphnEr4SsQ@mail.gmail.com>
2020-01-15 13:40 ` Stephen Smalley
2020-01-15 14:09 ` Stephen Smalley
[not found] ` <CAOSEQ1o3nhY-svtsFSSv+M=V+NchxmBbhY-FvqoTzJgMnZ1ydw@mail.gmail.com>
2020-01-15 15:34 ` Stephen Smalley
2020-01-15 15:42 ` Stephen Smalley [this message]
[not found] ` <CAOSEQ1o6+uL-ATjQ_YXaJP9KxFTS3_b_bzeO7M8eiKbCB9dsyQ@mail.gmail.com>
2020-01-15 16:04 ` Stephen Smalley
2020-01-24 14:57 ` Stephen Smalley
[not found] ` <CAOSEQ1rOQ50WjvvUSeVpf0RREenP_59u34yx1YQE1YdigzOXcg@mail.gmail.com>
2020-01-31 19:15 ` Casey Schaufler
2020-01-31 19:50 ` Stephen Smalley
[not found] ` <CAOSEQ1qPCtdsaieuXtWDEBEZAyddvLTNn8VDAJ-JWKeAP5PYsA@mail.gmail.com>
2020-01-15 16:48 ` Stephen Smalley
2020-01-16 0:00 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe62d7a7-5f7c-cb14-01b1-f3d7fef2862b@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=selinux@vger.kernel.org \
--cc=wenhui@gwmail.gwu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).