[PATCH v5 3/3] tests: test cases for seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Sat Sep 21 16:42:50 UTC 2019


On Sat, Sep 21, 2019 at 07:02:44PM +0300, Dmitry V. Levin wrote:
[...]
> diff --git a/tests/filter_seccomp-perf.test b/tests/filter_seccomp-perf.test
> new file mode 100755
> index 000000000..4c61b1a8d
> --- /dev/null
> +++ b/tests/filter_seccomp-perf.test
> @@ -0,0 +1,26 @@
> +#!/bin/sh
> +#
> +# Check seccomp filter performance.
> +#
> +# Copyright (c) 2019 Paul Chaignon <paul.chaignon at gmail.com>
> +# Copyright (c) 2019 The strace developers.
> +# All rights reserved.
> +#
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +
> +. "${srcdir=.}/init.sh"
> +. "${srcdir=.}/filter_seccomp.sh"
> +
> +num_regular="$(run_strace    -f -qq -e signal=none -e trace=fchdir ../$NAME)"
> +mv "$LOG" "$LOG.regular"
> +num_seccomp="$(run_strace -n -f -qq -e signal=none -e trace=fchdir ../$NAME)"
> +mv "$LOG" "$LOG.seccomp"
> +match_diff "$LOG.regular" "$LOG.seccomp"
> +
> +min_ratio=8
> +# With seccomp filter enabled, we should be able to complete
> +# at least $min_ratio times more chdir system calls.
> +ratio="$((num_seccomp / num_regular))"
> +if [ "$ratio" -lt "$min_ratio" ]; then
> +	fail_ "Only $ratio times more syscalls performed with seccomp filter enabled, expected at least $min_ratio times speedup"
> +fi
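
Review bot: The division in ratio="$((num_seccomp / num_regular))" is unguarded: if the regular run reports 0, or run_strace yields an empty string, the shell raises an arithmetic error instead of reaching the fail_ message. Consider checking both counts first, for example [ "$num_regular" -gt 0 ] || fail_ "no syscalls counted in the regular run", and the same for num_seccomp. Two smaller points: the comment above the ratio says "chdir system calls" while both runs use -e trace=fchdir, and because the ratio is integer division against a fixed min_ratio=8, a loaded or slow machine can fail the test on timing alone, so a short comment on how 8 was chosen would help.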

JFYI, I've got the following data when running this on a fairly fast
x86_64 box:

$ time ./filter_seccomp-perf
3480990
0.05user 0.94system 0:01.00elapsed 100%CPU (0avgtext+0avgdata 1324maxresident)k
0inputs+0outputs (0major+66minor)pagefaults 0swaps

$ time ../strace -n -f -qq -e signal=none -e trace=fchdir ./filter_seccomp-perf
2962562
0.05user 0.94system 0:01.00elapsed 100%CPU (0avgtext+0avgdata 3280maxresident)k
0inputs+0outputs (0major+321minor)pagefaults 0swaps

$ time ../strace    -f -qq -e signal=none -e trace=fchdir ./filter_seccomp-perf
81429
0.53user 0.73system 0:01.00elapsed 127%CPU (0avgtext+0avgdata 3156maxresident)k
0inputs+0outputs (0major+284minor)pagefaults 0swaps


-- 
ldv