[PATCH v2 0/3] filter_seccomp: new bpf generation strategy
Paul Chaignon
paul.chaignon at gmail.com
Wed Oct 23 08:26:32 UTC 2019
This patchset implements a new BPF generation strategy for seccomp-filter,
as well as some necessary code refactoring. The first patch replaces
check_bpf_program_size() with init_seccomp_filter(). The second refactors
the code to use a list of BPF program generators. The third introduces
the binary match generation strategy.
The following table compares the two generation strategies for diverse
filters, under x86-64. Each number counts the lines of the generated
program. lin. refers to the linear generation strategy and bin. the
binary match one. The second column points to the best strategy for each
filter, to get a quick impression.
filter                                best  lin.  bin.
none                                  lin.    36    84
ptrace                                lin.    39    88
!ptrace                               lin.    32    66
%desc                                 bin.   239   172
%file                                 bin.   173   172
%fstat                                lin.    44   107
%ipc                                  lin.    49   111
!%ipc                                 lin.    42    87
%lstat                                lin.    41    96
%memory,%ipc,%pure,%signal,%network   bin.   193   176
The binary match strategy is most efficient when there's a large number of
traced syscalls. All generated programs are far below both BPF_MAXINSNS
and the maximum conditional jump offset.
See patches for details.
Paul Chaignon (3):
  filter_seccomp: use init_sock_filter to check number of BPF instructions
  filter_seccomp: list of seccomp-filter generation strategies
  filter_seccomp: binary match generation strategy

 filter_seccomp.c | 447 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 290 insertions(+), 157 deletions(-)
--
2.17.1
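The two strategies the table compares, as an added example written for this page and not code from strace or this patchset: a simplified linear generator (one JEQ per traced syscall) and a simplified binary-match generator (JGE splits over a sorted set), plus a small cBPF interpreter that checks both programs give the same verdict. The syscall numbers in `traced` are a constructed sample, and the instruction counts these simplified generators produce are not the ones in the table above.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>

#define LD_NR BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))
#define RET(v) BPF_STMT(BPF_RET | BPF_K, (v))
#define JMP(op, k, jt, jf) BPF_JUMP(BPF_JMP | (op) | BPF_K, (k), (jt), (jf))
/* Linear: n + 3 insns; the first JEQ jumps n insns, so n must stay <= 255. */
static size_t gen_linear(const int *sc, size_t n, struct sock_filter *p)
{
    p[0] = (struct sock_filter)LD_NR;
    for (size_t k = 0; k < n; k++)            /* jt = n - k lands on RET TRACE */
        p[1 + k] = (struct sock_filter)JMP(BPF_JEQ, sc[k], n - k, 0);
    p[n + 1] = (struct sock_filter)RET(SECCOMP_RET_ALLOW);
    p[n + 2] = (struct sock_filter)RET(SECCOMP_RET_TRACE);
    return n + 3;
}
/* Binary match over sorted sc[lo..hi): JGE on the middle value skips the left
 * subtree; m leaves cost 4m - 1 insns, so the u8 jt fits while m <= 64. */
static size_t gen_binary(const int *sc, size_t lo, size_t hi, struct sock_filter *p)
{
    if (hi - lo == 1) {                       /* leaf: JEQ, RET TRACE, RET ALLOW */
        p[0] = (struct sock_filter)JMP(BPF_JEQ, sc[lo], 0, 1);
        p[1] = (struct sock_filter)RET(SECCOMP_RET_TRACE);
        p[2] = (struct sock_filter)RET(SECCOMP_RET_ALLOW);
        return 3;
    }
    size_t mid = lo + (hi - lo) / 2;
    size_t left = gen_binary(sc, lo, mid, p + 1);
    size_t right = gen_binary(sc, mid, hi, p + 1 + left);
    p[0] = (struct sock_filter)JMP(BPF_JGE, sc[mid], left, 0);
    return 1 + left + right;
}
/* Interpreter for the LD/JMP/RET subset emitted above; returns the RET value. */
static unsigned run_filter(const struct sock_filter *p, size_t len, unsigned nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *f = &p[pc];
        if (BPF_CLASS(f->code) == BPF_RET) return f->k;
        if (BPF_CLASS(f->code) == BPF_LD) acc = nr;          /* only LD nr is used */
        else pc += (BPF_OP(f->code) == BPF_JEQ ? acc == f->k : acc >= f->k) ? f->jt : f->jf;
    }
    return SECCOMP_RET_KILL;                  /* fell off the end of the program */
}
static const int traced[] = { 0, 1, 2, 59, 101, 231 };  /* constructed sample, sorted */
static struct sock_filter lin[BPF_MAXINSNS], bin[BPF_MAXINSNS];
static size_t build_linear(void) { return gen_linear(traced, 6, lin); }
static size_t build_binary(void) { bin[0] = (struct sock_filter)LD_NR; return 1 + gen_binary(traced, 0, 6, bin + 1); }
```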