Skip to content

test(benchmarks): permission-policy overhead family#203

Merged
NathanFlurry merged 1 commit into
mainfrom
stack/test-benchmarks-permission-policy-overhead-family-qwowowmr
Jul 2, 2026
Merged

test(benchmarks): permission-policy overhead family#203
NathanFlurry merged 1 commit into
mainfrom
stack/test-benchmarks-permission-policy-overhead-family-qwowowmr

Conversation

@NathanFlurry

Copy link
Copy Markdown
Member

Measures what the permission matcher costs per hot op: each op runs twice —
allow-everything vs a realistic default-deny policy (~15 fs allow globs + 5
network allow patterns) that still permits the op, so the delta is pure match
cost. policyTax = policy_p50/allow_p50 is reported per op and any op over 1.2
emits a finding.

Result on the current matcher: realistic policies are cheap — worst hot-op
tax 1.07 (http_loopback_get), findings empty. Methodology validated with a
temporary ~200-network-rule pathological policy (tcp_echo tax 2.02, finding
emitted) which is documented in the README and not committed.

Reuses the existing op programs (small_write, stat_storm, readdir_large,
tcp_echo, http_loopback_get) via the per-op prepareVm hook; guest-only rows
with explicit unsupported reasons elsewhere.

Measures what the permission matcher costs per hot op: each op runs twice —
allow-everything vs a realistic default-deny policy (~15 fs allow globs + 5
network allow patterns) that still permits the op, so the delta is pure match
cost. policyTax = policy_p50/allow_p50 is reported per op and any op over 1.2
emits a finding.

Result on the current matcher: realistic policies are cheap — worst hot-op
tax 1.07 (http_loopback_get), findings empty. Methodology validated with a
temporary ~200-network-rule pathological policy (tcp_echo tax 2.02, finding
emitted) which is documented in the README and not committed.

Reuses the existing op programs (small_write, stat_storm, readdir_large,
tcp_echo, http_loopback_get) via the per-op prepareVm hook; guest-only rows
with explicit unsupported reasons elsewhere.
@NathanFlurry

Copy link
Copy Markdown
Member Author

Stack for rivet-dev/secure-exec

Get stack: forklift get 203
Push local edits: forklift submit
Merge when ready: forklift merge 203

@railway-app railway-app Bot temporarily deployed to secure-exec / secure-exec-pr-203 July 2, 2026 12:40 Destroyed
@NathanFlurry NathanFlurry merged commit 2c2c401 into main Jul 2, 2026
0 of 2 checks passed
@NathanFlurry NathanFlurry deleted the stack/test-benchmarks-permission-policy-overhead-family-qwowowmr branch July 2, 2026 12:40
@railway-app railway-app Bot temporarily deployed to secure-exec / preview July 2, 2026 12:40 Inactive
@railway-app railway-app Bot temporarily deployed to secure-exec / production July 2, 2026 12:40 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant