* [net-next v2 0/2] eBPF Seccomp filters
@ 2018-02-17 7:35 Sargun Dhillon
0 siblings, 0 replies; only message in thread
From: Sargun Dhillon @ 2018-02-17 7:35 UTC (permalink / raw)
To: netdev-u79uwXL29TY76Z2rM5mHXA,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA
Cc: wad-F7+t8E8rja9g9hUCZPvPmw, keescook-F7+t8E8rja9g9hUCZPvPmw,
daniel-FeC+5ew28dpmcu3hnIyYJQ, ast-DgEjT+Ai2ygdnm+yROfE0A,
luto-kltTT9wpgjJwATOyAt5JVQ
This patchset enables seccomp filters to be written in eBPF. Although, this
patchset doesn't introduce much of the functionality enabled by eBPF, it lays
the ground work for it. Currently, you have to disable CHECKPOINT_RESTORE
support in order to utilize eBPF seccomp filters, as eBPF filters cannot be
retrieved via the ptrace GET_FILTER API.
Any user can load a bpf seccomp filter program, and it can be pinned and
reused without requiring access to the bpf syscalls. A user only requires
the traditional permissions of either being cap_sys_admin, or have
no_new_privs set in order to install their rule.
The primary reason for not adding maps support in this patchset is
to avoid introducing new complexities around PR_SET_NO_NEW_PRIVS.
If we have a map that the BPF program can read, it can potentially
"change" privileges after running. It seems like doing writes only
is safe, because it can be pure, and side effect free, and therefore
not negatively effect PR_SET_NO_NEW_PRIVS. Nonetheless, if we come
to an agreement, this can be in a follow-up patchset.
A benchmark of this patchset is as follows for a very standard eBPF filter:
Given this test program:
for (i = 10; i < 99999999; i++) syscall(__NR_getpid);
If I implement an eBPF filter with PROG_ARRAYs with a program per syscall,
and tail call, the numbers are such:
ebpf JIT 12.3% slower than native
ebpf no JIT 13.6% slower than native
seccomp JIT 17.6% slower than native
seccomp no JIT 37% slower than native
The speed of the traditional seccomp filter increases O(n) with the number
of syscalls with discrete rulesets, whereas ebpf is O(1), given any number
of syscall filters.
Changes since v1:
* Use a flag to indicate loading an eBPF filter, not a separate command
* Remove printk helper
* Remove ptrace patch / restore filter / sample
* Add some safe helpers
Sargun Dhillon (2):
bpf, seccomp: Add eBPF filter capabilities
bpf: Add eBPF seccomp sample programs
arch/Kconfig | 8 +++
include/linux/bpf_types.h | 3 +
include/linux/seccomp.h | 3 +-
include/uapi/linux/bpf.h | 2 +
include/uapi/linux/seccomp.h | 7 ++-
kernel/bpf/syscall.c | 1 +
kernel/seccomp.c | 145 +++++++++++++++++++++++++++++++++++++------
samples/bpf/Makefile | 5 ++
samples/bpf/bpf_load.c | 9 ++-
samples/bpf/seccomp1_kern.c | 43 +++++++++++++
samples/bpf/seccomp1_user.c | 45 ++++++++++++++
11 files changed, 247 insertions(+), 24 deletions(-)
create mode 100644 samples/bpf/seccomp1_kern.c
create mode 100644 samples/bpf/seccomp1_user.c
--
2.14.1
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2018-02-17 7:35 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-17 7:35 [net-next v2 0/2] eBPF Seccomp filters Sargun Dhillon
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.