On Tue, Nov 23, 2021 at 2:50 AM Zixuan Zhao <zhaozixu...@huawei.com> wrote: > We used lat_syscall of lmbench3 to test the performance impact of this > patch. We changed the number of rules and run lat_syscall with 1000 > repetitions at each test. Syscalls measured by lat_syscall are not > monitored by rules. > > Before this optimization: > > null read write stat fstat open > 0 rules 1.87ms 2.74ms 2.56ms 26.31ms 4.13ms 69.66ms > 10 rules 2.15ms 3.13ms 3.32ms 26.99ms 4.16ms 74.70ms > 20 rules 2.45ms 3.97ms 3.82ms 27.05ms 4.60ms 76.35ms > 30 rules 2.64ms 4.52ms 3.95ms 30.30ms 4.94ms 78.94ms > 40 rules 2.83ms 4.97ms 4.23ms 32.16ms 5.40ms 81.88ms > 50 rules 3.00ms 5.30ms 4.84ms 33.49ms 5.79ms 83.20ms > 100 rules 4.24ms 9.75ms 7.42ms 37.68ms 6.55ms 93.70ms > 160 rules 5.50ms 16.89ms 12.18ms 51.53ms 17.45ms 155.40ms > > After this optimization: > > null read write stat fstat open > 0 rules 1.81ms 2.84ms 2.42ms 27.70ms 4.15ms 69.10ms > 10 rules 1.97ms 2.83ms 2.69ms 27.70ms 4.15ms 69.30ms > 20 rules 1.72ms 2.91ms 2.41ms 26.49ms 3.91ms 71.19ms > 30 rules 1.85ms 2.94ms 2.48ms 26.27ms 3.97ms 71.43ms > 40 rules 1.88ms 2.94ms 2.78ms 26.85ms 4.08ms 69.79ms > 50 rules 1.86ms 3.17ms 3.08ms 26.25ms 4.03ms 72.32ms > 100 rules 1.84ms 3.00ms 2.81ms 26.25ms 3.98ms 70.25ms > 160 rules 1.92ms 3.32ms 3.06ms 26.81ms 4.57ms 71.41ms > > As the result shown above, the syscall latencies increase as the number > of rules increases, while with the patch the latencies remain stable. > This could help when a user adds many audit rules for purposes (such as > attack tracing or process behavior recording) but suffers from low > performance.
I have general concerns about trading memory and complexity for performance gains, but beyond that the numbers you posted above don't yet make sense to me. Why are the latency increases due to rule count not similar across the different syscalls? For example, I would think that if the increase in syscall latency was directly attributed to the audit rule processing then the increase on the "open" syscall should be similar to that of the "null" syscall. In other phrasing, if we can process 160 rules in ~4ms in the "null" case, why does it take us ~86ms in the "open" case? -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
