On Mon, Jan 28, 2019 at 9:36 AM Sverdlin, Alexander (Nokia - DE/Ulm) <alexander.sverd...@nokia.com> wrote:
> Hello Paul,
>
> On 28/01/2019 15:19, Paul Moore wrote:
> >>> time also enables syscall auditing; this patch simplifies the Kconfig
> >>> menus by removing the option to disable syscall auditing when audit
> >>> is selected and the target arch supports it.
> >>>
> >>> Signed-off-by: Paul Moore <pmo...@redhat.com>
> >> this patch is responsible for massive performance degradation for those
> >> who used only CONFIG_SECURITY_APPARMOR.
> >>
> >> And the numbers are, take the following test for instance:
> >>
> >> dd if=/dev/zero of=/dev/null count=2M
> >>
> >> ARM64: 500MB/s -> 350MB/s
> >> ARM: 400MB/s -> 300MB/s
> > Hi there.
> >
> > Out of curiosity, what kernel/distribution are you running, or is this
> > a custom kernel compile? Can you also share the output of 'auditctl
>
> This test was carried out with Linux 4.9. Custom built.

I suspected that was the case, thanks.

> > -l' from your system? The general approach taken by everyone to
> > turn off the per-syscall audit overhead is to add the "-a never,task"
> > rule to their audit configuration:
> >
> > # auditctl -a never,task
> >
> > If you are using Fedora/CentOS/RHEL, or a similarly configured system,
>
> This is an embedded distribution. We are not using auditctl or any other
> audit-related user-space packages.
>
> > you can find this configuration in the /etc/audit/audit.rules file (be
> > warned, that file is automatically generated based on
> > /etc/audit/rules.d).
>
> I suppose in this case the rule list must be empty. Is there a way to check
> this without extra user-space packages?

Yes, unless you are loading rules through some other method I would expect that your audit rule list is empty. I'm not aware of any other tools besides auditctl to load audit rules into the kernel, although I haven't ever had a need for another tool so I haven't looked very hard.

If you didn't want to bring auditctl into your distribution, I expect it would be a rather trivial task to create a small tool to load a single "-a never,task" into the kernel.

--
paul moore
www.paul-moore.com
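The small loader Paul describes, as an added example that is not part of this thread nor of the audit user-space packages: it sends the kernel the same AUDIT_ADD_RULE netlink message that `auditctl -a never,task` would (payload layout is `struct audit_rule_data` from the Linux uapi headers) and reads the kernel's ack. It assumes a Linux build environment with the uapi headers installed and CAP_AUDIT_CONTROL at run time; the function and type names are the example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Netlink header followed by the rule payload (buflen 0, so no string buffer). */
struct audit_rule_msg { struct nlmsghdr hdr; struct audit_rule_data rule; };

/* Wire form of "auditctl -a never,task": list = task, action = never, no -F
 * fields (field_count stays 0). The task list ignores the syscall mask. */
size_t build_never_task_msg(struct audit_rule_msg *m, unsigned seq) {
    memset(m, 0, sizeof(*m));
    m->rule.flags = AUDIT_FILTER_TASK;
    m->rule.action = AUDIT_NEVER;
    m->hdr.nlmsg_len = NLMSG_LENGTH(sizeof(m->rule));
    m->hdr.nlmsg_type = AUDIT_ADD_RULE;
    m->hdr.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;   /* ask the kernel to confirm */
    m->hdr.nlmsg_seq = seq;
    return m->hdr.nlmsg_len;
}

/* Send the rule and read the kernel's ack. Returns 0 on success or a negative
 * errno, e.g. -EPERM without CAP_AUDIT_CONTROL, -EEXIST if already loaded. */
int load_never_task_rule(void) {
    struct audit_rule_msg m;
    struct sockaddr_nl kern = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    struct { struct nlmsghdr hdr; struct nlmsgerr err; char rest[2048]; } ack;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) return -errno;
    size_t len = build_never_task_msg(&m, 1);
    int rc = 0;
    if (sendto(fd, &m, len, 0, (struct sockaddr *)&kern, sizeof(kern)) != (ssize_t)len)
        rc = -errno;
    else if (recv(fd, &ack, sizeof(ack), 0) < (ssize_t)NLMSG_LENGTH(sizeof(ack.err)))
        rc = -EIO;                /* short or failed read of the ack */
    else                          /* error 0 means the rule is now in the kernel */
        rc = ack.hdr.nlmsg_type == NLMSG_ERROR ? ack.err.error : -EPROTO;
    close(fd);
    return rc;
}

int main(void) {
    int rc = load_never_task_rule();   /* needs CAP_AUDIT_CONTROL */
    if (rc) fprintf(stderr, "never,task not loaded: %s\n", strerror(-rc));
    return rc ? 1 : 0;
}
```

Once loaded, the rule shows up as `-a never,task` in `auditctl -l` on a system that does have auditctl, and a repeat run fails with EEXIST.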