Commit d3a37ea9 authored by Kees Cook

selftests/seccomp: Expand benchmark to per-filter measurements



It's useful to see how much (at a minimum) each filter adds to the
syscall overhead. Add additional calculations.

Signed-off-by: Kees Cook <keescook@chromium.org>
parent ad568218
+29 −7
@@ -68,32 +68,54 @@ int main(int argc, char *argv[])
	};
	long ret;
	unsigned long long samples;
	unsigned long long native, filtered;
	unsigned long long native, filter1, filter2;

	if (argc > 1)
		samples = strtoull(argv[1], NULL, 0);
	else
		samples = calibrate();

	printf("Current BPF sysctl settings:\n");
	system("sysctl net.core.bpf_jit_enable");
	system("sysctl net.core.bpf_jit_harden");
	printf("Benchmarking %llu samples...\n", samples);

	/* Native call */
	native = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples;
	printf("getpid native: %llu ns\n", native);

	ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
	assert(ret == 0);

	/* One filter */
	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
	assert(ret == 0);

	filtered = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples;
	printf("getpid RET_ALLOW: %llu ns\n", filtered);
	filter1 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples;
	printf("getpid RET_ALLOW 1 filter: %llu ns\n", filter1);

	printf("Estimated seccomp overhead per syscall: %llu ns\n",
		filtered - native);
	if (filter1 == native)
		printf("No overhead measured!? Try running again with more samples.\n");

	if (filtered == native)
		printf("Trying running again with more samples.\n");
	/* Two filters */
	ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
	assert(ret == 0);

	filter2 = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples;
	printf("getpid RET_ALLOW 2 filters: %llu ns\n", filter2);

	/* Calculations */
	printf("Estimated total seccomp overhead for 1 filter: %llu ns\n",
		filter1 - native);

	printf("Estimated total seccomp overhead for 2 filters: %llu ns\n",
		filter2 - native);

	printf("Estimated seccomp per-filter overhead: %llu ns\n",
		filter2 - filter1);

	printf("Estimated seccomp entry overhead: %llu ns\n",
		filter1 - native - (filter2 - filter1));

	return 0;
}
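Review bot: The new calculations (`filter2 - filter1`, `filter1 - native`, and `filter1 - native - (filter2 - filter1)`) subtract `unsigned long long` averages that are each independently noisy, so whenever the two-filter run happens to come out faster than the one-filter run, or either comes out faster than native, the result wraps and the benchmark prints a value near 2^64 ns instead of a small negative delta; the `filter1 == native` check catches only exact equality, not the wraparound. Since every value here is a nanosecond average that fits comfortably in `long long`, the deltas can be computed signed and printed with `%lld`, with the existing "try more samples" warning extended to cover a negative delta. The body of `main` begins above this hunk (its opening lines, including `prog`, are outside the view).
```c
	/* Calculations: signed deltas so timing noise shows up as a
	 * negative number rather than wrapping to ~2^64. */
	long long overhead1 = (long long)filter1 - (long long)native;
	long long overhead2 = (long long)filter2 - (long long)native;
	long long per_filter = (long long)filter2 - (long long)filter1;

	if (overhead1 < 0 || per_filter < 0)
		printf("Negative overhead measured!? Try running again with more samples.\n");

	printf("Estimated total seccomp overhead for 1 filter: %lld ns\n", overhead1);
	printf("Estimated total seccomp overhead for 2 filters: %lld ns\n", overhead2);
	printf("Estimated seccomp per-filter overhead: %lld ns\n", per_filter);
	printf("Estimated seccomp entry overhead: %lld ns\n", overhead1 - per_filter);
	/* … unchanged: return 0; … */
```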
+0 −2
@@ -3840,7 +3840,6 @@ TEST(user_notification_filter_empty_threaded)

/*
 * TODO:
 * - add microbenchmarks
 * - expand NNP testing
 * - better arch-specific TRACE and TRAP handlers.
 * - endianness checking when appropriate
@@ -3848,7 +3847,6 @@ TEST(user_notification_filter_empty_threaded)
 * - arch value testing (x86 modes especially)
 * - verify that FILTER_FLAG_LOG filters generate log messages
 * - verify that RET_LOG generates log messages
 * - ...
 */

TEST_HARNESS_MAIN