[PATCH RFC 0/9] filter_seccomp: new bpf generation strategies

Paul Chaignon paul.chaignon at gmail.com
Fri Aug 23 09:42:05 UTC 2019


This patchset proposes two new BPF generation strategies for
seccomp-filter, as well as some necessary code refactoring.  Since
seccomp-filter isn't merged yet, I've included the four patches of the
seccomp-filter patchset in addition to the five new patches, to ease
testing for reviewers.  I'll only discuss the five new patches here.

The first patch replaces check_bpf_program_size() with
init_seccomp_filter().  The second refactors the code to use a list of BPF
program generators.  The third and fourth introduce the reverse linear and
the binary match generation strategies.  The last patch optimizes the
binary match strategy.

The following tables compare the generation strategies for diverse
filters, under x86-64, aarch64, and arm.  Each number counts the lines of
the generated program.  lin. refers to the linear generation strategy,
rev. the reverse linear, and bin. the binary match one.  The second column
points to the best strategy for each filter, to get a quick impression.

x86-64:
                                     best   lin. rev. bin.
none                                 lin.     36   47   84
ptrace                               lin.     39   51   88
!ptrace                              rev.     32   23   66
%desc                                bin.    239  274  172
%file                                bin.    173  213  172
%fstat                               lin.     44   63  107
%ipc                                 lin.     49   63  111
!%ipc                                rev.     42   33   87
%lstat                               lin.     41   57   96
%memory,%ipc,%pure,%signal,%network  bin.    193  246  176

aarch64:
                                     best   lin. rev. bin.
none                                 lin.     26   35   60
ptrace                               lin.     28   39   65
!ptrace                              rev.     20   14   42
%desc                                bin.    140  171  107
%file                                bin.    114  134  104
%fstat                               lin.     32   45   74
%ipc                                 lin.     32   43   70
!%ipc                                rev.     24   18   52
%lstat                               lin.     29   41   67
%memory,%ipc,%pure,%signal,%network  bin.    111  139  107

arm:
                                     best   lin. rev. bin.
none                                 lin.      8   14   26
ptrace                               lin.      9   16   26
!ptrace                              rev.      8    5   18
%desc                                bin.     84  110   55
%file                                bin.     61   79   55
%fstat                               lin.     12   22   35
%ipc                                 lin.     12   20   34
!%ipc                                rev.     12    8   24
%lstat                               lin.     11   20   33
%memory,%ipc,%pure,%signal,%network  bin.     70   95   56

First, one can note that the winning strategy for a given filter is the
same across all architectures, because the strategies don't impact the
arch-specific part of the bytecode.  The reverse linear strategy is the
most efficient only when almost all syscalls are being traced, and
generally by a small amount compared to the linear strategy.  The binary
match strategy is most efficient when there's a large number of traced
syscalls.  Finally, all generated programs are far below both BPF_MAXINSNS
and the maximum conditional jump offset.

From these evaluations, it's not clear whether the reverse linear strategy
is worth keeping?  The binary match strategy may be worth keeping, but
probably not its optimization; I think it adds unnecessary complexity, as
it optimizes cases for which the linear strategy is more efficient anyway.

Chen Jingpiao (2):
  Introduce seccomp-assisted syscall filtering
  tests: test cases for seccomp-assisted syscall filtering

Paul Chaignon (7):
  Add seccomp-filter syscall flag
  filter_seccomp: skip seccomp setup when there's nothing to filter
  filter_seccomp: use init_sock_filter to check number of BPF
    instructions
  filter_seccomp: list of seccomp-filter generation strategies
  filter_seccomp: reverse linear generation strategy
  filter_seccomp: binary match generation strategy
  filter_seccomp: optimize binary match

 Makefile.am                    |   2 +
 NEWS                           |   2 +
 filter_seccomp.c               | 703 +++++++++++++++++++++++++++++++++
 filter_seccomp.h               |  21 +
 linux/32/syscallent.h          |   4 +-
 linux/64/syscallent.h          |   4 +-
 linux/aarch64/arch_defs_.h     |   2 +
 linux/alpha/syscallent.h       |   4 +-
 linux/arch_defs_.h             |   4 +
 linux/arm/syscallent.h         |   8 +-
 linux/avr32/syscallent.h       |   6 +-
 linux/bfin/syscallent.h        |   8 +-
 linux/hppa/syscallent.h        |   4 +-
 linux/i386/syscallent.h        |   8 +-
 linux/ia64/arch_defs_.h        |   1 +
 linux/ia64/syscallent.h        |   4 +-
 linux/m68k/syscallent.h        |   8 +-
 linux/microblaze/syscallent.h  |   8 +-
 linux/mips/syscallent-n32.h    |   4 +-
 linux/mips/syscallent-n64.h    |   4 +-
 linux/mips/syscallent-o32.h    |  10 +-
 linux/powerpc/syscallent.h     |   8 +-
 linux/powerpc64/arch_defs_.h   |   2 +
 linux/powerpc64/syscallent.h   |   8 +-
 linux/riscv/arch_defs_.h       |   2 +
 linux/s390/syscallent.h        |   8 +-
 linux/s390x/arch_defs_.h       |   2 +
 linux/s390x/syscallent.h       |   8 +-
 linux/sh/syscallent.h          |   8 +-
 linux/sh64/syscallent.h        |   8 +-
 linux/sparc/syscallent.h       |  10 +-
 linux/sparc64/arch_defs_.h     |   2 +
 linux/sparc64/syscallent.h     |  10 +-
 linux/tile/arch_defs_.h        |   2 +
 linux/x32/arch_defs_.h         |   2 +
 linux/x32/syscallent.h         |   4 +-
 linux/x86_64/arch_defs_.h      |   3 +
 linux/x86_64/syscallent.h      |   4 +-
 linux/xtensa/syscallent.h      |   4 +-
 number_set.c                   |  12 +
 number_set.h                   |   4 +
 strace.1.in                    |  17 +-
 strace.c                       |  76 +++-
 sysent.h                       |   1 +
 sysent_shorthand_defs.h        |   2 +
 tests/.gitignore               |   2 +
 tests/Makefile.am              |   3 +
 tests/filter_seccomp-perf.c    |  33 ++
 tests/filter_seccomp-perf.test |  17 +
 tests/filter_seccomp.in        |   4 +
 tests/gen_tests.in             |   2 +
 tests/init.sh                  |   5 +
 tests/pure_executables.list    |   1 +
 tests/status-none-f.c          |  19 +
 trace_event.h                  |   5 +
 55 files changed, 1030 insertions(+), 87 deletions(-)
 create mode 100644 filter_seccomp.c
 create mode 100644 filter_seccomp.h
 create mode 100644 tests/filter_seccomp-perf.c
 create mode 100755 tests/filter_seccomp-perf.test
 create mode 100644 tests/filter_seccomp.in
 create mode 100644 tests/status-none-f.c

-- 
2.17.1
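
An added illustration, not code from this patchset or from strace: a simplified model of the linear and reverse linear strategies that shows why `ptrace` favours the former and `!ptrace` the latter. Assumptions made here (the message does not spell the strategies out): linear emits one pair of range tests per run of consecutive traced syscall numbers, reverse linear one pair per run of untraced numbers, the arch-specific prologue is omitted, and `gen`, `run` and `demo` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum { LD_ABS = 0x20, JGE_K = 0x35, RET_K = 0x06 };  /* classic BPF opcodes */
enum { MAXINSNS = 4096 };                            /* BPF_MAXINSNS */
enum { RET_ALLOW = 0x7fff0000, RET_TRACE = 0x7ff00000 }; /* seccomp verdicts */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* hit=true: test runs of traced numbers (linear); false: untraced (reverse). */
static size_t gen(const bool *traced, size_t n, bool hit, struct insn *out) {
    size_t runs = 0, pc = 0;
    for (size_t i = 0; i < n; i++)
        runs += traced[i] == hit && (i == 0 || traced[i - 1] != hit);
    size_t len = 1 + 2 * runs + 2;           /* load + pairs + two returns */
    if (len > MAXINSNS) return 0;            /* program would be rejected */
    out[pc++] = (struct insn){ LD_ABS, 0, 0, 0 };    /* A = syscall number */
    for (size_t lo = 0; lo < n; lo++) {
        if (traced[lo] != hit) continue;
        size_t hi = lo;
        while (hi + 1 < n && traced[hi + 1] == hit) hi++;
        size_t to_hit = len - 1 - (pc + 2);  /* forward jump to last return */
        if (to_hit > 255) return 0;          /* jt/jf offsets are 8 bits */
        out[pc++] = (struct insn){ JGE_K, 0, 1, (uint32_t)lo };
        out[pc++] = (struct insn){ JGE_K, 0, (uint8_t)to_hit, (uint32_t)hi + 1 };
        lo = hi;
    }
    out[pc++] = (struct insn){ RET_K, 0, 0, hit ? RET_ALLOW : RET_TRACE };
    out[pc++] = (struct insn){ RET_K, 0, 0, hit ? RET_TRACE : RET_ALLOW };
    return pc;
}

static uint32_t run(const struct insn *p, uint32_t nr) { /* tiny interpreter */
    uint32_t a = 0;
    for (size_t pc = 0;; pc++)
        if (p[pc].code == LD_ABS) a = nr;
        else if (p[pc].code == JGE_K) pc += a >= p[pc].k ? p[pc].jt : p[pc].jf;
        else return p[pc].k;
}

/* Constructed 64-entry table: invert=false traces only number 10, true all others. */
size_t demo(bool invert, bool hit) {
    static struct insn prog[MAXINSNS];
    bool traced[64];
    for (size_t i = 0; i < 64; i++) traced[i] = (i == 10) != invert;
    size_t len = gen(traced, 64, hit, prog);
    for (uint32_t nr = 0; len && nr < 64; nr++)      /* check every verdict */
        if (run(prog, nr) != (uint32_t)(traced[nr] ? RET_TRACE : RET_ALLOW)) return 0;
    return len;                              /* 0 means a wrong verdict */
}
```

In this model the program length depends only on the number of runs being tested, so tracing a single syscall costs one pair under linear and two under reverse linear, and the inverted filter swaps the two.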


