diff options
| author | Kees Cook <keescook@chromium.org> | 2015-12-02 14:39:36 -0500 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2017-08-14 16:46:41 -0400 |
| commit | 967d7ba8415139107033770a40c7ec7dd17fbcb1 (patch) | |
| tree | 1d11b9221671f6d715df3d762ffce895cbde0f16 /tools | |
| parent | a33b2d0359a0aae25d5ac7a26b85a5682485ebbb (diff) | |
selftests/seccomp: Add simple seccomp overhead benchmark
This attempts to produce a comparison between native getpid() and a
RET_ALLOW-filtered getpid(), to measure the overhead cost of using
seccomp().
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'tools')
| -rw-r--r-- | tools/testing/selftests/seccomp/Makefile | 18 | ||||
| -rw-r--r-- | tools/testing/selftests/seccomp/seccomp_benchmark.c | 99 |
2 files changed, 112 insertions, 5 deletions
diff --git a/tools/testing/selftests/seccomp/Makefile b/tools/testing/selftests/seccomp/Makefile index aeb0c805f3ca..553d870b4ca9 100644 --- a/tools/testing/selftests/seccomp/Makefile +++ b/tools/testing/selftests/seccomp/Makefile | |||
| @@ -1,8 +1,16 @@ | |||
| 1 | TEST_GEN_PROGS := seccomp_bpf | 1 | all: |
| 2 | CFLAGS += -Wl,-no-as-needed -Wall | ||
| 3 | LDFLAGS += -lpthread | ||
| 4 | 2 | ||
| 5 | include ../lib.mk | 3 | include ../lib.mk |
| 6 | 4 | ||
| 7 | $(TEST_GEN_PROGS): seccomp_bpf.c ../kselftest_harness.h | 5 | .PHONY: all clean |
| 8 | $(CC) $(CFLAGS) $(LDFLAGS) $< -o $@ | 6 | |
| 7 | BINARIES := seccomp_bpf seccomp_benchmark | ||
| 8 | CFLAGS += -Wl,-no-as-needed -Wall | ||
| 9 | |||
| 10 | seccomp_bpf: seccomp_bpf.c ../kselftest_harness.h | ||
| 11 | $(CC) $(CFLAGS) $(LDFLAGS) -lpthread $< -o $@ | ||
| 12 | |||
| 13 | TEST_PROGS += $(BINARIES) | ||
| 14 | EXTRA_CLEAN := $(BINARIES) | ||
| 15 | |||
| 16 | all: $(BINARIES) | ||
diff --git a/tools/testing/selftests/seccomp/seccomp_benchmark.c b/tools/testing/selftests/seccomp/seccomp_benchmark.c new file mode 100644 index 000000000000..5838c8697ec3 --- /dev/null +++ b/tools/testing/selftests/seccomp/seccomp_benchmark.c | |||
| @@ -0,0 +1,99 @@ | |||
| 1 | /* | ||
| 2 | * Strictly speaking, this is not a test. But it can report during test | ||
| 3 | * runs so relative performace can be measured. | ||
| 4 | */ | ||
| 5 | #define _GNU_SOURCE | ||
| 6 | #include <assert.h> | ||
| 7 | #include <stdio.h> | ||
| 8 | #include <stdlib.h> | ||
| 9 | #include <time.h> | ||
| 10 | #include <unistd.h> | ||
| 11 | #include <linux/filter.h> | ||
| 12 | #include <linux/seccomp.h> | ||
| 13 | #include <sys/prctl.h> | ||
| 14 | #include <sys/syscall.h> | ||
| 15 | #include <sys/types.h> | ||
| 16 | |||
| 17 | #define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) | ||
| 18 | |||
| 19 | unsigned long long timing(clockid_t clk_id, unsigned long long samples) | ||
| 20 | { | ||
| 21 | pid_t pid, ret; | ||
| 22 | unsigned long long i; | ||
| 23 | struct timespec start, finish; | ||
| 24 | |||
| 25 | pid = getpid(); | ||
| 26 | assert(clock_gettime(clk_id, &start) == 0); | ||
| 27 | for (i = 0; i < samples; i++) { | ||
| 28 | ret = syscall(__NR_getpid); | ||
| 29 | assert(pid == ret); | ||
| 30 | } | ||
| 31 | assert(clock_gettime(clk_id, &finish) == 0); | ||
| 32 | |||
| 33 | i = finish.tv_sec - start.tv_sec; | ||
| 34 | i *= 1000000000; | ||
| 35 | i += finish.tv_nsec - start.tv_nsec; | ||
| 36 | |||
| 37 | printf("%lu.%09lu - %lu.%09lu = %llu\n", | ||
| 38 | finish.tv_sec, finish.tv_nsec, | ||
| 39 | start.tv_sec, start.tv_nsec, | ||
| 40 | i); | ||
| 41 | |||
| 42 | return i; | ||
| 43 | } | ||
| 44 | |||
| 45 | unsigned long long calibrate(void) | ||
| 46 | { | ||
| 47 | unsigned long long i; | ||
| 48 | |||
| 49 | printf("Calibrating reasonable sample size...\n"); | ||
| 50 | |||
| 51 | for (i = 5; ; i++) { | ||
| 52 | unsigned long long samples = 1 << i; | ||
| 53 | |||
| 54 | /* Find something that takes more than 5 seconds to run. */ | ||
| 55 | if (timing(CLOCK_REALTIME, samples) / 1000000000ULL > 5) | ||
| 56 | return samples; | ||
| 57 | } | ||
| 58 | } | ||
| 59 | |||
| 60 | int main(int argc, char *argv[]) | ||
| 61 | { | ||
| 62 | struct sock_filter filter[] = { | ||
| 63 | BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), | ||
| 64 | }; | ||
| 65 | struct sock_fprog prog = { | ||
| 66 | .len = (unsigned short)ARRAY_SIZE(filter), | ||
| 67 | .filter = filter, | ||
| 68 | }; | ||
| 69 | long ret; | ||
| 70 | unsigned long long samples; | ||
| 71 | unsigned long long native, filtered; | ||
| 72 | |||
| 73 | if (argc > 1) | ||
| 74 | samples = strtoull(argv[1], NULL, 0); | ||
| 75 | else | ||
| 76 | samples = calibrate(); | ||
| 77 | |||
| 78 | printf("Benchmarking %llu samples...\n", samples); | ||
| 79 | |||
| 80 | native = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; | ||
| 81 | printf("getpid native: %llu ns\n", native); | ||
| 82 | |||
| 83 | ret = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | ||
| 84 | assert(ret == 0); | ||
| 85 | |||
| 86 | ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog); | ||
| 87 | assert(ret == 0); | ||
| 88 | |||
| 89 | filtered = timing(CLOCK_PROCESS_CPUTIME_ID, samples) / samples; | ||
| 90 | printf("getpid RET_ALLOW: %llu ns\n", filtered); | ||
| 91 | |||
| 92 | printf("Estimated seccomp overhead per syscall: %llu ns\n", | ||
| 93 | filtered - native); | ||
| 94 | |||
| 95 | if (filtered == native) | ||
| 96 | printf("Trying running again with more samples.\n"); | ||
| 97 | |||
| 98 | return 0; | ||
| 99 | } | ||