public inbox for [email protected]
 help / color / mirror / Atom feed
From: Joel Granados <[email protected]>
To: Paul Moore <[email protected]>
Cc: <[email protected]>,
	<[email protected]>, <[email protected]>,
	Arnd Bergmann <[email protected]>,
	Greg Kroah-Hartman <[email protected]>,
	Luis Chamberlain <[email protected]>
Subject: Re: [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook
Date: Fri, 16 Sep 2022 14:59:00 +0200	[thread overview]
Message-ID: <20220916125900.yvgnbpqm3j2cxpvd@localhost> (raw)
In-Reply-To: <20220907081729.r3ork6q3wnvv7rrv@localhost>

[-- Attachment #1: Type: text/plain, Size: 7865 bytes --]

Hello.

Took the time to re-run my performance tests on the current LSM patch
for io_uring_cmd. I'll explain what I did and then give the results:

How I ran it:
I took a version of the kernel with the patch a0d2212773d1 and then
compiled two versions: The first was the vanilla kernel and the other
was the same except for the LSM hook called from io_uring_cmd removed.
Same kernel configurations. For my tests I used one of the test files
from FIO called t/io_uring.c which is basically a READ test. I ran my
tests on both an nvme device and the null device (/dev/null). For the
first I did not change io_uring.c and for the second I replaced the
admin calls with dummy data that was not really needed for testing with
/dev/null. These are the arguments I used for the test
"./t/io_uring -b4096 -d128 -c32 -s32 -p0 -F1 -B0 -O0 -P1 -u1 -n1"
Finally, I'm taking the max of several samples.

Results:
+-------------------------------------+------------------------+-----------------------+
|                Name                 | /dev/ng0n1 (BW: MiB/s) | /dev/null (BW: GiB/s) |
+-------------------------------------+------------------------+-----------------------+
| (A) for-next (vanilla)              |                   1341 |                 30.16 |
| (B) for-next (no io_uring_cmd hook) |                   1362 |                 40.61 |
| [1-(A/B)] * 100                     |             1.54185022 |          25.732578183 |
+-------------------------------------+------------------------+-----------------------+

So on a device (dev/ng0n1) there is a 1% performance difference on a
read. Whereas on the null device (dev/null) there is a 25% difference on
a read.

This difference is interesting and expected as there is a lot more stuff
happening when we go through the actual device.

Best

Joel

On Wed, Sep 07, 2022 at 10:17:29AM +0200, Joel Granados wrote:
> Hey Paul
> 
> On Thu, Sep 01, 2022 at 05:30:38PM -0400, Paul Moore wrote:
> > On Thu, Sep 1, 2022 at 4:15 PM Joel Granados <[email protected]> wrote:
> > > Hey Paul
> > >
> > > I realize that you have already sent this upstream but I wanted to share
> > > the Selinux part of the testing that we did to see if there is any
> > > feedback.
> > >
> > > With my tests I see that the selinux_uring_cmd hook is run and it
> > > results in a "avc : denied" when I run it with selinux in permissive
> > > mode with an unpriviledged user. I assume that this is the expected
> > > behavior. Here is how I tested
> > >
> > > *** With the patch:
> > > * I ran the io_uring_passthrough.c test on a char device with an
> > >   unpriviledged user.
> > > * I took care of changing the permissions of /dev/ng0n1 to 666 prior
> > >   to any testing.
> > > * made sure that Selinux was in permissive mode.
> > > * Made sure to have audit activated by passing "audit=1" to the kernel
> > > * After noticing that some audit messages where getting lost I upped the
> > >   backlog limit to 256
> > > * Prior to executing the test, I also placed a breakpoint inside
> > >   selinux_uring_cmd to make sure that it was executed.
> > > * This is the output of the audit when I executed the test:
> > >
> > >   [  136.615924] audit: type=1400 audit(1662043624.701:94): avc:  denied  { create } for  pid=263 comm="io_uring_passth" anonclass=[io_uring] scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
> > >   [  136.621036] audit: type=1300 audit(1662043624.701:94): arch=c000003e syscall=425 success=yes exit=3 a0=40 a1=7ffca29835a0 a2=7ffca29835a0 a3=561529be2300 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
> > >   [  136.624812] audit: type=1327 audit(1662043624.701:94): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
> > >   [  136.626074] audit: type=1400 audit(1662043624.702:95): avc:  denied  { map } for  pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
> > >   [  136.628012] audit: type=1400 audit(1662043624.702:95): avc:  denied  { read write } for  pid=263 comm="io_uring_passth" path="anon_inode:[io_uring]" dev="anon_inodefs" ino=11715 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:kernel_t tclass=anon_inode permissive=1
> > >   [  136.629873] audit: type=1300 audit(1662043624.702:95): arch=c000003e syscall=9 success=yes exit=140179765297152 a0=0 a1=1380 a2=3 a3=8001 items=0 ppid=252 pid=263 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=3 comm="io_uring_passth" exe="/mnt/src/liburing/test/io_uring_passthrough.t" subj=system_u:system_r:kernel_t key=(null)
> > >   [  136.632415] audit: type=1327 audit(1662043624.702:95): proctitle=2F6D6E742F7372632F6C69627572696E672F746573742F696F5F7572696E675F706173737468726F7567682E74002F6465762F6E67306E31
> > >   [  136.633652] audit: type=1400 audit(1662043624.705:96): avc:  denied  { cmd } for  pid=263 comm="io_uring_passth" path="/dev/ng0n1" dev="devtmpfs" ino=120 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:device_t tclass=io_uring permissive=1
> > >   [  136.635384] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
> > >   [  136.636863] audit: type=1336 audit(1662043624.705:96): uring_op=46 items=0 ppid=252 pid=263 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 subj=system_u:system_r:kernel_t key=(null)
> > >
> > > * From the output on time 136.633652 I see that the access should have
> > >   been denied had selinux been enforcing.
> > > * I also saw that the breakpoint hit.
> > >
> > > *** Without the patch:
> > > * I ran the io_uring_passthrough.c test on a char device with an
> > >   unpriviledged user.
> > > * I took care of changing the permissions of /dev/ng0n1 to 666 prior
> > >   to any testing.
> > > * made sure that Selinux was in permissive mode.
> > > * Made sure to have audit activated by passing "audit=1" to the kernel
> > > * After noticing that some audit messages where getting lost I upped the
> > >   backlog limit to 256
> > > * There were no audit messages when I executed the test.
> > >
> > > As with my smack tests I would really appreciate feecback on the
> > > approach I took to testing and it's validity.
> > 
> > Hi Joel,
> > 
> > Thanks for the additional testing and verification!  Work like this is
> > always welcome, regardless if the patch has already been merged
> > upstream.
> np
> 
> > 
> > As far as you test approach is concerned, I think you are on the right
> > track, I might suggest resolving the other SELinux/AVC denials you are
> > seeing with your test application to help reduce the noise in the
> > logs.  Are you familiar with the selinux-testsuite (link below)?
> > 
> > * https://protect2.fireeye.com/v1/url?k=6f356c96-0ebe79ac-6f34e7d9-74fe4860008a-01002a6e4c92bb3e&q=1&e=46f33488-9311-49fa-9747-da210f2d147d&u=https%3A%2F%2Fgithub.com%2FSELinuxProject%2Fselinux-testsuite
> Thx. Could not figure out how to remove the AVC from a quick look at the
> page, but I'll probably figures something out :).
> 
> ATM, I'm doing a performance test on the io_uring_passtrhough
> path to see how much, if any, perf we loose.
> 
> Thx again
> 
> Best
> 
> Joel
> 
> > 
> > -- 
> > paul-moore.com



[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

  reply	other threads:[~2022-09-16 12:59 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-22 21:21 [PATCH 0/3] LSM hooks for IORING_OP_URING_CMD Paul Moore
2022-08-22 21:21 ` [PATCH 1/3] lsm,io_uring: add LSM hooks for the new uring_cmd file op Paul Moore
2022-08-23  6:53   ` Greg Kroah-Hartman
2022-08-23 16:48     ` Paul Moore
2022-08-24  6:12       ` Greg Kroah-Hartman
2022-08-24 14:00         ` Paul Moore
2022-08-22 21:21 ` [PATCH 2/3] selinux: implement the security_uring_cmd() LSM hook Paul Moore
2022-08-23  6:52   ` Greg Kroah-Hartman
2022-08-23 16:49     ` Paul Moore
     [not found]   ` <CGME20220901201553eucas1p258ee1cba97c888aab172d31d9c06e922@eucas1p2.samsung.com>
2022-09-01 20:15     ` Joel Granados
2022-09-01 21:30       ` Paul Moore
2022-09-07  8:17         ` Joel Granados
2022-09-16 12:59           ` Joel Granados [this message]
2022-08-22 21:21 ` [PATCH 3/3] /dev/null: add IORING_OP_URING_CMD support Paul Moore
2022-08-22 22:36   ` Jens Axboe
2022-08-22 23:09     ` Paul Moore
2022-08-22 23:13       ` Jens Axboe
2022-08-22 23:19         ` Paul Moore
2022-08-22 23:25           ` Jens Axboe
2022-08-22 23:37             ` Paul Moore
2022-08-23  6:51   ` Greg Kroah-Hartman
2022-08-23 13:33     ` Jens Axboe
2022-08-23 17:02       ` Paul Moore
2022-08-23  6:52   ` Greg Kroah-Hartman
2022-08-23 17:02     ` Paul Moore
2022-08-24  6:10       ` Greg Kroah-Hartman
2022-08-24 14:06         ` Paul Moore
2022-08-26 16:27 ` [PATCH 0/3] LSM hooks for IORING_OP_URING_CMD Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220916125900.yvgnbpqm3j2cxpvd@localhost \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox