[PATCH v3 0/2] filter_seccomp: new bpf generation strategy
Dmitry V. Levin
ldv at altlinux.org
Sun Nov 3 16:01:24 UTC 2019
On Thu, Oct 31, 2019 at 08:55:12PM +0100, Paul Chaignon wrote:
> This patchset implements a new BPF generation strategy for seccomp filter,
> as well as some necessary code refactoring. The first patch replaces
> check_bpf_program_size() with init_seccomp_filter(). The second refactors
> the code to use a list of BPF program generators. The third introduces
> the binary match generation strategy.
>
> The following table compares the two generation strategies for diverse
> filters, under x86-64. Each number counts the lines of the generated
> program. lin. refers to the linear generation strategy and bin. the
> binary match one. The second column points to the best strategy for each
> filter, to get a quick impression.
>
>                                       best  lin.  bin.
> none                                  lin.    36    84
> ptrace                                lin.    39    88
> !ptrace                               lin.    32    66
> %desc                                 bin.   239   172
> %file                                 bin.   173   172
> %fstat                                lin.    44   107
> %ipc                                  lin.    49   111
> !%ipc                                 lin.    42    87
> %lstat                                lin.    41    96
> %memory,%ipc,%pure,%signal,%network   bin.   193   176
>
> The binary match strategy is most efficient when there's a large number of
> traced syscalls. All generated programs are far below both BPF_MAXINSNS
> and the maximum conditional jump offset.
>
> See patches for details.
>
> Paul Chaignon (2):
>   filter_seccomp: list of seccomp filter generation strategies
>   filter_seccomp: binary match generation strategy
>
> filter_seccomp.c | 207 ++++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 195 insertions(+), 12 deletions(-)

It's now merged into master, thanks!
We still can do better with test coverage of these new features, though.

--
ldv