[PATCH] apparmor: Fix network performance issue in aa_label_sk_perm

Tony Jones tonyj at suse.de
Fri Sep 7 23:53:31 UTC 2018


On 09/07/2018 09:37 AM, John Johansen wrote:

> hey Tony,
> 
> thanks for the patch, I am curious did you're investigation look
> into what parts of DEFINE_AUDIT_SK are causing the issue?

Hi JJ.

Attached are the perf annotations for DEFINE_AUDIT_SK (percentages are relative to the fn).   
Our kernel performance testing is carried out with default installs which means AppArmor 
is enabled but the performance tests are unconfined. It was obvious that the overhead of 
DEFINE_AUDIT_SK was significant for smaller packet sizes (typical of synthetic benchmarks) 
and that it didn't need to execute for the unconfined case,  hence the patch.  I didn't 
spend any time looking at the performance of confined tasks.  It may be worth your time to 
look at this.

Comparing my current tip (2601dd392dd1) to tip+patch I'm seeing an increase of 3-6% in netperf
throughput for packet sizes 64-1024.

HTH

Tony

 Percent |	Source code & Disassembly of vmlinux for cycles:ppp (117 samples)
---------------------------------------------------------------------------------
         :
         :
         :
         :                      Disassembly of section .text:
         :
         :                      ffffffff813fbec0 <aa_label_sk_perm>:
         :                      aa_label_sk_perm():
         :                                                                 type));
         :                      }
         :
         :                      static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
         :                                                  struct sock *sk)
         :                      {
    0.00 :   ffffffff813fbec0:       callq  ffffffff81a017f0 <__fentry__>
    2.56 :   ffffffff813fbec5:       push   %r14
    0.00 :   ffffffff813fbec7:       mov    %rcx,%r14
         :                              struct aa_profile *profile;
         :                              DEFINE_AUDIT_SK(sa, op, sk);
    0.00 :   ffffffff813fbeca:       mov    $0x7,%ecx
         :                      {
    0.00 :   ffffffff813fbecf:       push   %r13
    3.42 :   ffffffff813fbed1:       mov    %edx,%r13d
    0.00 :   ffffffff813fbed4:       push   %r12
    0.00 :   ffffffff813fbed6:       push   %rbp
    0.00 :   ffffffff813fbed7:       mov    %rdi,%rbp
    5.13 :   ffffffff813fbeda:       push   %rbx
    0.00 :   ffffffff813fbedb:       sub    $0xb8,%rsp
         :                              DEFINE_AUDIT_SK(sa, op, sk);
    0.00 :   ffffffff813fbee2:       movzwl 0x10(%r14),%r9d
         :                      {
    1.71 :   ffffffff813fbee7:       mov    %gs:0x28,%rax
    0.00 :   ffffffff813fbef0:       mov    %rax,0xb0(%rsp)
    0.00 :   ffffffff813fbef8:       xor    %eax,%eax
         :                              DEFINE_AUDIT_SK(sa, op, sk);
    0.00 :   ffffffff813fbefa:       lea    0x78(%rsp),%rdx
    1.71 :   ffffffff813fbeff:       lea    0x20(%rsp),%r8
    0.00 :   ffffffff813fbf04:       movq   $0x0,(%rsp)
    0.00 :   ffffffff813fbf0c:       movq   $0x0,0x10(%rsp)
    0.00 :   ffffffff813fbf15:       mov    %rdx,%rdi
   14.53 :   ffffffff813fbf18:       rep stos %rax,%es:(%rdi)
    1.71 :   ffffffff813fbf1b:       mov    $0xb,%ecx
    0.00 :   ffffffff813fbf20:       mov    %r8,%rdi
    0.00 :   ffffffff813fbf23:       mov    %r14,0x80(%rsp)
   18.80 :   ffffffff813fbf2b:       rep stos %rax,%es:(%rdi)
    0.00 :   ffffffff813fbf2e:       mov    %rsi,0x28(%rsp)
    1.71 :   ffffffff813fbf33:       mov    %r9w,0x88(%rsp)
    0.00 :   ffffffff813fbf3c:       cmp    $0x1,%r9w
    0.00 :   ffffffff813fbf41:       je     ffffffff813fbfa1 <aa_label_sk_perm+0xe1>
    0.00 :   ffffffff813fbf43:       mov    $0x2,%eax
    0.00 :   ffffffff813fbf48:       test   %r14,%r14
    0.00 :   ffffffff813fbf4b:       je     ffffffff813fbfa1 <aa_label_sk_perm+0xe1>
   14.53 :   ffffffff813fbf4d:       mov    %al,(%rsp)
    0.00 :   ffffffff813fbf50:       movzwl 0x1ea(%r14),%eax
         :                              AA_BUG(!sk);
         :
         :                              if (unconfined(label))
         :                                      return 0;
         :
         :                              return fn_for_each_confined(label, profile,
    0.00 :   ffffffff813fbf58:       xor    %r12d,%r12d
         :                              DEFINE_AUDIT_SK(sa, op, sk);
    0.00 :   ffffffff813fbf5b:       mov    %r8,0x18(%rsp)
    8.55 :   ffffffff813fbf60:       mov    %eax,0x58(%rsp)
    0.00 :   ffffffff813fbf64:       movzbl 0x1e9(%r14),%eax
    0.00 :   ffffffff813fbf6c:       mov    %rdx,0x8(%rsp)
    0.00 :   ffffffff813fbf71:       mov    %eax,0x5c(%rsp)
         :                              if (unconfined(label))
    8.55 :   ffffffff813fbf75:       testb  $0x2,0x40(%rbp)
    0.00 :   ffffffff813fbf79:       je     ffffffff813fbfa8 <aa_label_sk_perm+0xe8>
         :                                              aa_profile_af_sk_perm(profile, &sa, request, sk));
         :                      }
    0.00 :   ffffffff813fbf7b:       mov    0xb0(%rsp),%rdx
    0.00 :   ffffffff813fbf83:       xor    %gs:0x28,%rdx
    4.27 :   ffffffff813fbf8c:       mov    %r12d,%eax
    0.00 :   ffffffff813fbf8f:       jne    ffffffff813fbfe5 <aa_label_sk_perm+0x125>
    0.00 :   ffffffff813fbf91:       add    $0xb8,%rsp
    0.00 :   ffffffff813fbf98:       pop    %rbx
    5.13 :   ffffffff813fbf99:       pop    %rbp
    0.00 :   ffffffff813fbf9a:       pop    %r12
    0.00 :   ffffffff813fbf9c:       pop    %r13
    0.00 :   ffffffff813fbf9e:       pop    %r14
    7.69 :   ffffffff813fbfa0:       retq
         :                              DEFINE_AUDIT_SK(sa, op, sk);
    0.00 :   ffffffff813fbfa1:       mov    $0x7,%eax
    0.00 :   ffffffff813fbfa6:       jmp    ffffffff813fbf4d <aa_label_sk_perm+0x8d>
         :                              return fn_for_each_confined(label, profile,
    0.00 :   ffffffff813fbfa8:       xor    %esi,%esi
    0.00 :   ffffffff813fbfaa:       jmp    ffffffff813fbfcd <aa_label_sk_perm+0x10d>
         :                      aa_profile_af_sk_perm():
         :                      static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
         :                                                              struct common_audit_data *sa,
         :                                                              u32 request,
         :                                                              struct sock *sk)
         :                      {
         :                              return aa_profile_af_perm(profile, sa, request, sk->sk_family,
    0.00 :   ffffffff813fbfac:       movzwl 0x10(%r14),%ecx
    0.00 :   ffffffff813fbfb1:       movzwl 0x1ea(%r14),%r8d
    0.00 :   ffffffff813fbfb9:       mov    %rsp,%rsi
    0.00 :   ffffffff813fbfbc:       mov    %r13d,%edx
    0.00 :   ffffffff813fbfbf:       callq  ffffffff813fbdf0 <aa_profile_af_perm>
         :                      aa_label_sk_perm():
    0.00 :   ffffffff813fbfc4:       lea    0x1(%rbx),%esi
    0.00 :   ffffffff813fbfc7:       test   %eax,%eax
    0.00 :   ffffffff813fbfc9:       cmovne %eax,%r12d
    0.00 :   ffffffff813fbfcd:       mov    %rbp,%rdi
    0.00 :   ffffffff813fbfd0:       callq  ffffffff813f7310 <aa_label_next_confined>
    0.00 :   ffffffff813fbfd5:       mov    %eax,%ebx
    0.00 :   ffffffff813fbfd7:       cltq
    0.00 :   ffffffff813fbfd9:       mov    0x50(%rbp,%rax,8),%rdi
    0.00 :   ffffffff813fbfde:       test   %rdi,%rdi
    0.00 :   ffffffff813fbfe1:       jne    ffffffff813fbfac <aa_label_sk_perm+0xec>
    0.00 :   ffffffff813fbfe3:       jmp    ffffffff813fbf7b <aa_label_sk_perm+0xbb>
         :                      }
    0.00 :   ffffffff813fbfe5:       callq  ffffffff81090d60 <__stack_chk_fail>



More information about the Linux-security-module-archive mailing list