[PATCH v5 3/3] tests: test cases for seccomp-assisted syscall filtering

Paul Chaignon paul.chaignon at gmail.com
Sat Sep 21 20:28:32 UTC 2019


On Sat, Sep 21, 2019 at 07:42:50PM +0300, Dmitry V. Levin wrote:
> On Sat, Sep 21, 2019 at 07:02:44PM +0300, Dmitry V. Levin wrote:
> [...]
> > diff --git a/tests/filter_seccomp-perf.test b/tests/filter_seccomp-perf.test
> > new file mode 100755
> > index 000000000..4c61b1a8d
> > --- /dev/null
> > +++ b/tests/filter_seccomp-perf.test
> > @@ -0,0 +1,26 @@
> > +#!/bin/sh
> > +#
> > +# Check seccomp filter performance.
> > +#
> > +# Copyright (c) 2019 Paul Chaignon <paul.chaignon at gmail.com>
> > +# Copyright (c) 2019 The strace developers.
> > +# All rights reserved.
> > +#
> > +# SPDX-License-Identifier: GPL-2.0-or-later
> > +
> > +. "${srcdir=.}/init.sh"
> > +. "${srcdir=.}/filter_seccomp.sh"
> > +
> > +num_regular="$(run_strace    -f -qq -e signal=none -e trace=fchdir ../$NAME)"
> > +mv "$LOG" "$LOG.regular"
> > +num_seccomp="$(run_strace -n -f -qq -e signal=none -e trace=fchdir ../$NAME)"
> > +mv "$LOG" "$LOG.seccomp"
> > +match_diff "$LOG.regular" "$LOG.seccomp"
> > +
> > +min_ratio=8
> > +# With seccomp filter enabled, we should be able to complete
> > +# at least $min_ratio times more chdir system calls.
> > +ratio="$((num_seccomp / num_regular))"
> > +if [ "$ratio" -lt "$min_ratio" ]; then
> > +	fail_ "Only $ratio times more syscalls performed with seccomp filter enabled, expected at least $min_ratio times speedup"
> > +fi
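
Review bot: at `ratio="$((num_seccomp / num_regular))"` neither count is validated before the division, so if the regular run reports 0 or the command substitution comes back empty, the arithmetic expansion errors out instead of producing a readable test failure. Check that both `num_regular` and `num_seccomp` are positive integers first and call `fail_` with a message naming the bad value. The comment above the division also says "chdir system calls" while both runs use `-e trace=fchdir`; the comment should say fchdir. Since the division is integer-only, `$ratio` in the failure message is truncated, so printing both raw counts there would make a near-miss easier to diagnose.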
> 
> JFYI, I've got the following data when running this on a fairly fast
> x86_64 box:
> 
> $ time ./filter_seccomp-perf
> 3480990
> 0.05user 0.94system 0:01.00elapsed 100%CPU (0avgtext+0avgdata 1324maxresident)k
> 0inputs+0outputs (0major+66minor)pagefaults 0swaps
> 
> $ time ../strace -n -f -qq -e signal=none -e trace=fchdir ./filter_seccomp-perf
> 2962562
> 0.05user 0.94system 0:01.00elapsed 100%CPU (0avgtext+0avgdata 3280maxresident)k
> 0inputs+0outputs (0major+321minor)pagefaults 0swaps
> 
> $ time ../strace    -f -qq -e signal=none -e trace=fchdir ./filter_seccomp-perf
> 81429
> 0.53user 0.73system 0:01.00elapsed 127%CPU (0avgtext+0avgdata 3156maxresident)k
> 0inputs+0outputs (0major+284minor)pagefaults 0swaps

Nice!  Now we need to extend the scenarios where seccomp-bpf can be
enabled.

Paul

