Paul Chaignon's GSoC status report - #8 of 12

[Paul Chaignon]

Hi all,

Accomplishments:
- Finished addressing the comments on the seccomp RFC patchset.  I've
  tried one implementation to remove the arch-specific code from the
  common code, but it looks ugly IMHO.  I have a third array (nr_mask_vec)
  with the mask used in init_sock_filter.  For each entry in
  audit_arch_vec, if a mask is set in the corresponding entry in
  nr_mask_vec, the BPF code checks both the audit_arch number and the
  mask.  A single entry is set in nr_mask_vec.
- I spent last week working on the new BPF program for syscall matching,
  using binary logic.  I first did a quick prototype in C, then converted
  it to bytecode manually and started writing code to generate that
  bytecode.
  The program is a bit more complex than I hoped, mostly because of cBPF's
  limitations: only 2 registers (A and X) and conditional jumps are on A
  register only.  You can find an extract of the cBPF program at the end
  of email.  It would of course be faster and shorter if we could have
  variable offsets for jumps.
  The program is a bit longer when there are few syscalls to trace.  I
  haven't compared the speeds yet.

Priorities:
- Debug cBPF program generation.  I might replace the current linear
  program with this program for the v2 patchset.  The more appropriate of
  both can be chosen automatically in a later patch.


Extract of the cBPF program to match syscalls, for one personality:
bitarrays[0] refers to the first 32-bit number used to store syscall
numbers to trace.  RET_TRACE and RET_ALLOW refer to the offsets to the
return statements at the end of the program.

/* X = 1 << nr % 32; */
ld seccomp_data.nr
mod 32
tax
ld 1
lsh %x
tax

/* A = nr / 32; */
ld seccomp_data.nr
div 32

/*
 * if (A == 0)
 *   return (X & bitarrays[0])? RET_TRACE : RET_ALLOW;
 */
jeq 0, 2, 0
txa
jset RET_TRACE, RET_ALLOW, bitarrays[0]

/* Same for A == 1, bitarrays[1] */
jeq 0, 2, 1
txa
jset RET_TRACE, RET_ALLOW, bitarrays[1]

/* etc. */
...


Paul