[PATCH v3 0/2] filter_seccomp: new bpf generation strategy

Paul Chaignon paul.chaignon at gmail.com
Thu Oct 31 19:55:12 UTC 2019

This patchset implements a new BPF generation strategy for seccomp filter,
as well as some necessary code refactoring.  The first patch replaces
check_bpf_program_size() with init_seccomp_filter().  The second refactors
the code to use a list of BPF program generators.  The third introduces
the binary match generation strategy.

The following table compares the two generation strategies for diverse
filters, under x86-64.  Each number counts the lines of the generated
program.  lin. refers to the linear generation strategy and bin. the
binary match one.  The second column points to the best strategy for each
filter, to get a quick impression.

                                        best    lin.    bin.
none                                    lin.    36      84
ptrace                                  lin.    39      88
!ptrace                                 lin.    32      66
%desc                                   bin.    239     172
%file                                   bin.    173     172
%fstat                                  lin.    44      107
%ipc                                    lin.    49      111
!%ipc                                   lin.    42      87
%lstat                                  lin.    41      96
%memory,%ipc,%pure,%signal,%network     bin.    193     176

The binary match strategy is most efficient when there's a large number of
traced syscalls.  All generated programs are far below both BPF_MAXINSNS
and the maximum conditional jump offset.
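The two strategies compared in the table, as an added illustration that is not strace's filter_seccomp.c code: a linear chain of JEQ tests beside a binary-search tree of JGE nodes over the sorted syscall numbers, plus a small evaluator to confirm both programs classify every syscall number identically. It assumes a local mirror of struct sock_filter (so it builds without Linux headers), models only seccomp_data.nr, and uses a constructed set of x86-64 syscall numbers; instruction counts therefore differ from the table, which reflects strace's full generator.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };             /* mirrors struct sock_filter */
enum { OP_LD_W_ABS = 0x20, OP_JEQ_K = 0x15, OP_JGE_K = 0x35, OP_RET_K = 0x06 }; /* BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, ... */
enum { RET_ALLOW = 0x7fff0000, RET_TRACE = 0x7ff00000, MAX_INSNS = 256 }; /* SECCOMP_RET_ALLOW / SECCOMP_RET_TRACE */
struct prog { struct insn insn[MAX_INSNS]; int len; };
static int emit(struct prog *p, uint16_t code, uint32_t k) { p->insn[p->len] = (struct insn){ code, 0, 0, k }; return p->len++; }
static int cmp_u32(const void *a, const void *b) { uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b; return (x > y) - (x < y); }
/* Linear strategy: one JEQ per traced syscall, each jumping straight to RET TRACE. Returns -1 if too big. */
int gen_linear(struct prog *p, const uint32_t *nrs, int n) {
    if (n < 0 || n + 3 > MAX_INSNS) return -1;        /* jt = n - i must also fit the 8-bit jump offset */
    p->len = 0; emit(p, OP_LD_W_ABS, 0);              /* acc = seccomp_data.nr (offset 0) */
    for (int i = 0; i < n; i++)                       /* jt skips the remaining tests and RET ALLOW */
        p->insn[emit(p, OP_JEQ_K, nrs[i])].jt = (uint8_t)(n - i);
    emit(p, OP_RET_K, RET_ALLOW); emit(p, OP_RET_K, RET_TRACE);
    return p->len;
}
/* Binary match: JGE nodes halve the sorted list, JEQ leaves test one number each. */
static void gen_tree(struct prog *p, const uint32_t *s, int lo, int hi) {
    if (hi - lo == 1) { emit(p, OP_JEQ_K, s[lo]); return; }   /* leaf; jt/jf patched at the end */
    int mid = lo + (hi - lo) / 2;
    int node = emit(p, OP_JGE_K, s[mid]);             /* nr >= s[mid] -> right half */
    gen_tree(p, s, lo, mid);                          /* left half follows directly, so jf = 0 */
    p->insn[node].jt = (uint8_t)(p->len - node - 1);  /* right half starts at the current end */
    gen_tree(p, s, mid, hi);
}
int gen_binary(struct prog *p, const uint32_t *nrs, int n) {
    uint32_t s[MAX_INSNS];
    if (n < 0 || 2 * n + 2 > MAX_INSNS) return -1;    /* n leaves + (n-1) nodes + LD + 2 RET */
    memcpy(s, nrs, (size_t)n * sizeof *s); qsort(s, (size_t)n, sizeof *s, cmp_u32);
    p->len = 0; emit(p, OP_LD_W_ABS, 0); if (n > 0) gen_tree(p, s, 0, n);
    int allow = emit(p, OP_RET_K, RET_ALLOW), trace = emit(p, OP_RET_K, RET_TRACE);
    for (int i = 0; i < p->len; i++)                  /* only leaves are JEQ: point them at the RETs */
        if (p->insn[i].code == OP_JEQ_K) { p->insn[i].jt = (uint8_t)(trace - i - 1); p->insn[i].jf = (uint8_t)(allow - i - 1); }
    return p->len;
}
/* Minimal evaluator for the four opcodes above, used to check that both programs agree. */
uint32_t run(const struct prog *p, uint32_t nr) {
    uint32_t acc = 0;
    for (int pc = 0; pc < p->len; ) {
        const struct insn *i = &p->insn[pc];
        if (i->code == OP_RET_K) return i->k;
        if (i->code == OP_LD_W_ABS) { acc = nr; pc++; continue; }
        pc += 1 + ((i->code == OP_JEQ_K ? acc == i->k : acc >= i->k) ? i->jt : i->jf);
    }
    abort();                                          /* fell off the end: malformed program */
}
```

For n traced syscalls the linear program is n + 3 instructions with a longest path of n tests, while the binary one is 2n + 2 instructions with a longest path of about log2(n) + 1 tests, which is the trade-off the table above reflects.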

See patches for details.

Paul Chaignon (2):
  filter_seccomp: list of seccomp filter generation strategies
  filter_seccomp: binary match generation strategy

 filter_seccomp.c | 207 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 195 insertions(+), 12 deletions(-)
