[RFC PATCH 0/2] landlock: Refactor layer masks
Mickaël Salaün
mic at digikod.net
Fri Jan 9 15:59:19 UTC 2026
On Tue, Dec 30, 2025 at 11:48:21AM +0100, Günther Noack wrote:
> On Tue, Dec 30, 2025 at 11:39:17AM +0100, Günther Noack wrote:
> > Tentative results with and without this patch set show that the
> > hypothesis likely holds true. The benchmark I used exercises a "worst
> > case" scenario that attempts to be bottlenecked on the affected code:
> > constructs a large number of nested directories, with one "path
> > beneath" rule each and then tries to open the innermost directory many
> > times. The benchmark is intentionally unrealistic to amplify the
> > amount of time used for the path walk logic and forces Landlock to
> > walk the full path (eventually failing the open syscall). (I'll send
> > the benchmark program in a reply to this mail for full transparency.)
>
> Please see the benchmark program below.
Thanks for the investigation!
>
> To compile it, use:
>
> cc -o benchmark_worsecase benchmark_worsecase.c
It would be useful to clean this benchmark up a bit and add it to the
selftests' Landlock directory (see seccomp_benchmark.c).
>
> Source code:
>
> ```
> #define _GNU_SOURCE
> #include <err.h>
> #include <errno.h>
> #include <fcntl.h>
> #include <linux/landlock.h>
> #include <stdbool.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/prctl.h>
> #include <sys/stat.h>
> #include <sys/syscall.h>
> #include <sys/times.h>
> #include <time.h>
> #include <unistd.h>
>
> /* Flags: run-time settings, overridden from the command line in main(). */
> bool use_landlock = true; /* cleared by -no-landlock */
> size_t num_iterations = 100000; /* openat() attempts in the timed loop; set by -n */
> size_t num_subdirs = 10000; /* nesting depth passed to build_directory(); set by -d */
>
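> /* Print every option that main() accepts to stdout. */
> void usage(void) {
>   puts("Usage: benchmark_worstcase [-no-landlock] [-d NUM_SUBDIRS] "
>        "[-n NUM_ITERATIONS]");
> }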
>
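> /*
>  * Build a chain of `depth` nested directories named "d" below the current
>  * working directory and return an O_PATH FD to the innermost one. On any
>  * failure, exit the process with an error.
>  *
>  * When use_landlock is set, a ruleset handling the filesystem access rights
>  * in 0xffff is created, one "path beneath" rule allowing only
>  * LANDLOCK_ACCESS_FS_IOCTL_DEV is added per level, and the ruleset is
>  * enforced on the calling process before returning. No rule allows opening
>  * a directory, so a later open of the innermost directory is expected to
>  * fail.
>  *
>  * The directories are never removed here, and mkdirat() fails if "d" already
>  * exists, so each run needs a working directory without a leftover tree.
>  */
> int build_directory(size_t depth) {
>   const char *path = "d"; /* directory name */
>   int ruleset_fd = -1;
>
>   if (use_landlock) {
>     int abi = syscall(SYS_landlock_create_ruleset, NULL, 0,
>                       LANDLOCK_CREATE_RULESET_VERSION);
>     /* errno only describes the failure when the syscall itself failed. */
>     if (abi < 0)
>       err(1, "landlock_create_ruleset(version)");
>     /*
>      * NOTE(review): the rights used below appear to exist since ABI 5
>      * (IOCTL_DEV); confirm why 7 is the required minimum.
>      */
>     if (abi < 7)
>       errx(1, "Landlock ABI too low: got %d, wanted 7+", abi);
>
>     /* Needed for an unprivileged process to call landlock_restrict_self. */
>     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
>       err(1, "prctl");
>
>     /*
>      * The mask is hard-coded for this benchmark. Rights added by a later
>      * ABI are not in it and would stay unrestricted; a real sandbox should
>      * derive the mask from the ABI version instead.
>      */
>     struct landlock_ruleset_attr attr = {
>       .handled_access_fs = 0xffff, /* All FS access rights as of 2025-12 */
>     };
>     ruleset_fd = syscall(SYS_landlock_create_ruleset, &attr, sizeof(attr), 0U);
>     if (ruleset_fd < 0)
>       err(1, "landlock_create_ruleset");
>   }
>
>   int current = open(".", O_PATH);
>   if (current < 0)
>     err(1, "open(.)");
>
>   while (depth--) {
>     if (use_landlock) {
>       /* One rule per level, attached to the directory opened so far. */
>       struct landlock_path_beneath_attr attr = {
>         .allowed_access = LANDLOCK_ACCESS_FS_IOCTL_DEV,
>         .parent_fd = current,
>       };
>       if (syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
>                   &attr, 0) < 0)
>         err(1, "landlock_add_rule");
>     }
>
>     if (mkdirat(current, path, 0700) < 0)
>       err(1, "mkdirat(%s)", path);
>
>     /* Descend relative to the parent FD and drop the parent afterwards. */
>     int previous = current;
>     current = openat(current, path, O_PATH);
>     if (current < 0)
>       err(1, "open(%s)", path);
>
>     close(previous);
>   }
>
>   if (use_landlock) {
>     if (syscall(SYS_landlock_restrict_self, ruleset_fd, 0) < 0)
>       err(1, "landlock_restrict_self");
>     /* Only close an FD that was actually opened. */
>     close(ruleset_fd);
>   }
>
>   return current;
> }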
>
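> /*
>  * Parse the decimal count given as the value of option `opt`. Exits with an
>  * error on an empty, non-numeric, negative or out-of-range value.
>  */
> static size_t parse_count(const char *opt, const char *arg) {
>   char *end;
>   unsigned long value;
>
>   errno = 0;
>   value = strtoul(arg, &end, 10);
>   /* strtoul() accepts a leading sign or blanks, so require a digit first. */
>   if (arg[0] < '0' || arg[0] > '9' || *end != '\0' || errno == ERANGE)
>     errx(1, "invalid value for %s: %s", opt, arg);
>   return value;
> }
>
> /*
>  * Parse the options, build the directory chain (and the Landlock sandbox
>  * unless -no-landlock is given), try to open the innermost directory
>  * num_iterations times and print the consumed system and user CPU time.
>  *
>  * NOTE(review): the start time is taken before build_directory(), so the
>  * reported times also cover directory creation and rule insertion, not only
>  * the openat() loop -- confirm that this is intended.
>  */
> int main(int argc, char *argv[]) {
>   for (int i = 1; i < argc; i++) {
>     if (!strcmp(argv[i], "-no-landlock")) {
>       use_landlock = false;
>     } else if (!strcmp(argv[i], "-d")) {
>       /* The value must follow the option; argv[argc] is NULL. */
>       if (++i >= argc)
>         errx(1, "expected number of subdirs after -d");
>       num_subdirs = parse_count("-d", argv[i]);
>     } else if (!strcmp(argv[i], "-n")) {
>       if (++i >= argc)
>         errx(1, "expected number of iterations after -n");
>       num_iterations = parse_count("-n", argv[i]);
>     } else {
>       usage();
>       errx(1, "unknown argument: %s", argv[i]);
>     }
>   }
>
>   printf("*** Benchmark ***\n");
>   printf("%zu dirs, %zu iterations, %s landlock\n", num_subdirs,
>          num_iterations, use_landlock ? "with" : "without");
>
>   struct tms start_time;
>   if (times(&start_time) == -1)
>     err(1, "times");
>
>   int current = build_directory(num_subdirs);
>
>   for (size_t i = 0; i < num_iterations; i++) {
>     int fd = openat(current, ".", O_DIRECTORY);
>     if (fd == -1)
>       continue;
>     /*
>      * With Landlock enforced, no rule allows opening a directory, so a
>      * successful open means the sandbox is not in effect. Without Landlock
>      * the open is expected to succeed and the FD must not be leaked.
>      */
>     if (use_landlock)
>       errx(1, "openat succeeded, expected error");
>     close(fd);
>   }
>
>   struct tms end_time;
>   if (times(&end_time) == -1)
>     err(1, "times");
>
>   printf("*** Benchmark concluded ***\n");
>   printf("System: %ld clocks\n",
>          (long)(end_time.tms_stime - start_time.tms_stime));
>   printf("User : %ld clocks\n",
>          (long)(end_time.tms_utime - start_time.tms_utime));
>   /* times() counts in clock ticks; CLOCKS_PER_SEC is the unit of clock(). */
>   printf("Clocks per second: %ld\n", sysconf(_SC_CLK_TCK));
>
>   close(current);
>   return 0;
> }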
> ```
>