From: <rkolchmeyer@google.com>
To: stable@vger.kernel.org
Cc: linux-integrity@vger.kernel.org, regressions@lists.linux.dev,
eric.snowberg@oracle.com, zohar@linux.ibm.com,
jlayton@kernel.org, sashal@kernel.org
Subject: IMA performance regression in 5.10.194 when using overlayfs
Date: Tue, 12 Dec 2023 00:40:05 +0000 [thread overview]
Message-ID: <000000000000b505f3060c454a49@google.com> (raw)
Hi all,
5.10.194 includes 331d85f0bc6e (ovl: Always reevaluate the file
signature for IMA), which resulted in a performance regression for
workloads that use IMA and run from overlayfs. 5.10.202 includes
cd5a262a07a5 (ima: detect changes to the backing overlay file), which
resolved the regression in the upstream kernel. However, from my
testing [1], this change doesn't resolve the regression on stable
kernels.
From what I can tell, cd5a262a07a5 (ima: detect changes to the
backing overlay file) depends on both db1d1e8b9867 (IMA: use
vfs_getattr_nosec to get the i_version) and a1175d6b1bda (vfs: plumb
i_version handling into struct kstat). These two dependent changes
were not backported to stable kernels. As a result, IMA seems to be
caching the wrong i_version value when using overlayfs. From my
testing, backporting these two dependent changes is sufficient to
resolve the issue in stable kernels.
Would it make sense to backport those changes to stable kernels? It's
possible that they may not follow the stable kernel patching rules. I
think the issue can also be fixed directly in stable trees with the
following diff (which doesn't make sense in the upstream kernel):
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index 70efd4aa1bd1..c84ae6b62b3a 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -239,7 +239,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
* which do not support i_version, support is limited to an initial
* measurement/appraisal/audit.
*/
- i_version = inode_query_iversion(inode);
+ i_version = inode_query_iversion(real_inode);
hash.hdr.algo = algo;
/* Initialize hash digest to 0's in case of failure */
I've verified that this diff resolves the performance regression.
Which approach would make the most sense to fix the issue in stable
kernels? Backporting the dependent commits, or merging the above diff?
I'd be happy to prepare and mail patches either way. Looking forward
to your thoughts.
Thanks,
-Robert
[1] I'm benchmarking with the following:
cat <<EOF > /sys/kernel/security/ima/policy
audit func=BPRM_CHECK
audit func=FILE_MMAP mask=MAY_EXEC
EOF
docker run --rm debian bash -c "TIMEFORMAT=%3R; time bash -c :"
A good result looks like 0.002 (units are seconds), and a bad result
looks like 0.034.
next reply other threads:[~2023-12-12 0:40 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-12 0:40 rkolchmeyer [this message]
2023-12-12 2:12 ` IMA performance regression in 5.10.194 when using overlayfs Sasha Levin
2023-12-13 0:37 ` Robert Kolchmeyer
2023-12-18 11:57 ` Greg KH
2023-12-18 11:58 ` Greg KH
2023-12-18 19:39 ` Robert Kolchmeyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=000000000000b505f3060c454a49@google.com \
--to=rkolchmeyer@google.com \
--cc=eric.snowberg@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=regressions@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).