Audit overhead and default rules
Andrew Lutomirski
luto at mit.edu
Mon Feb 10 19:05:38 UTC 2014
On a default Fedora installation, every system call incurs a fair
amount of overhead due to syscall auditing. This happens despite the
fact that syscalls aren't actually audited, except as part of AVC
denials.

The overhead is something like 20-40ns per syscall, and the total time
to do a simple syscall with auditing completely disabled is about 70ns
on my laptop. So this is actually a large effect.

What would people think about changing the default audit rules to add
something like '-t task,never'? This would remove the overhead, but
it would come at the cost of removing the syscall records from
/var/log/audit/audit.log when an AVC denial occurs.

This could make debugging SELinux errors a bit harder, but it would be
easy for users to re-enable full auditing.

I've been playing with fixing this in the kernel, but it's a mess.

--Andy
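To put numbers on the per-syscall cost the message quotes, here is an added C microbenchmark (not part of the original post). It assumes Linux and uses syscall(SYS_getpid) rather than getpid() so that every iteration really enters the kernel; run it once with the default audit rules loaded and once after the task,never rule is in place, and the difference is the auditing overhead on your own machine.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Monotonic wall-clock reading in nanoseconds. */
static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* Average cost, in nanoseconds, of one getpid system call measured over
 * `iters` calls. The raw syscall() wrapper is used so the C library cannot
 * short-circuit the kernel entry. Returns 0.0 when iters is 0. */
double syscall_cost_ns(uint64_t iters)
{
    if (iters == 0)
        return 0.0;

    /* Warm-up pass so cold caches do not inflate the measured loop. */
    for (int i = 0; i < 1000; i++)
        (void)syscall(SYS_getpid);

    uint64_t start = now_ns();
    for (uint64_t i = 0; i < iters; i++)
        (void)syscall(SYS_getpid);
    uint64_t end = now_ns();

    return (double)(end - start) / (double)iters;
}

int main(void)
{
    /* One million calls is enough to average out timer resolution. */
    double ns = syscall_cost_ns(1000000);
    printf("getpid via syscall(): %.1f ns per call\n", ns);
    return 0;
}
```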