On 27/08/2016 22:43, Alexei Starovoitov wrote: > On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote: >> On 27/08/2016 20:06, Alexei Starovoitov wrote: >>> On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote: >>>> As said above, Landlock will not run an eBPF programs when not strictly >>>> needed. Attaching to a cgroup will have the same performance impact as >>>> attaching to a process hierarchy. >>> >>> Having a prog per cgroup per lsm_hook is the only scalable way I >>> could come up with. If you see another way, please propose. >>> current->seccomp.landlock_prog is not the answer. >> >> Hum, I don't see the difference from a performance point of view between >> a cgroup-based or a process hierarchy-based system. >> >> Maybe a better option should be to use an array of pointers with N >> entries, one for each supported hook, instead of a unique pointer list? > > yes, clearly array dereference is faster than link list walk. > Now the question is where to keep this prog_array[num_lsm_hooks] ? > Since we cannot keep it inside task_struct, we have to allocate it. > Every time the task is creted then. What to do on the fork? That > will require changes all over. Then the obvious optimization would be > to share this allocated array of prog pointers across multiple tasks... > and little by little this new facility will look like cgroup. > Hence the suggestion to put this array into cgroup from the start. I see your point :) > >> Anyway, being able to attach an LSM hook program to a cgroup thanks to >> the new BPF_PROG_ATTACH seems a good idea (while keeping the possibility >> to use a process hierarchy). The downside will be to handle an LSM hook >> program which is not triggered by a seccomp-filter, but this should be >> needed anyway to handle interruptions. > > what do you mean 'not triggered by seccomp' ? > You're not suggesting that this lsm has to enable seccomp to be functional? > imo that's non starter due to overhead. Yes, for now, it is triggered by a new seccomp filter return value RET_LANDLOCK, which can take a 16-bit value called cookie. This must not be needed but could be useful to bind a seccomp filter security policy with a Landlock one. Waiting for Kees's point of view…