[PATCH v2 0/3] filter_seccomp: new bpf generation strategy

Paul Chaignon paul.chaignon at gmail.com
Wed Oct 23 08:26:32 UTC 2019


This patchset implements a new BPF generation strategy for seccomp-filter,
as well as some necessary code refactoring.  The first patch replaces
check_bpf_program_size() with init_seccomp_filter().  The second refactors
the code to use a list of BPF program generators.  The third introduces
the binary match generation strategy.

The following table compares the two generation strategies for diverse
filters, under x86-64.  Each number counts the lines of the generated
program.  lin. refers to the linear generation strategy and bin. the
binary match one.  The second column points to the best strategy for each
filter, to get a quick impression.

		best	lin.	bin.
none		lin.	36	84
ptrace		lin.	39	88
!ptrace		lin.	32	66
%desc		bin.	239	172
%file		bin.	173	172
%fstat		lin.	44	107
%ipc		lin.	49	111
!%ipc		lin.	42	87
%lstat		lin.	41	96
%memory,%ipc,%pure,%signal,%network	bin.	193	176

The binary match strategy is most efficient when there's a large number of
traced syscalls.  All generated programs are far below both BPF_MAXINSNS
and the maximum conditional jump offset.

See patches for details.

Paul Chaignon (3):
  filter_seccomp: use init_sock_filter to check number of BPF
    instructions
  filter_seccomp: list of seccomp-filter generation strategies
  filter_seccomp: binary match generation strategy

 filter_seccomp.c | 447 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 290 insertions(+), 157 deletions(-)

-- 
2.17.1



More information about the Strace-devel mailing list