From: Alexei Starovoitov <email@example.com>
To: Kees Cook <firstname.lastname@example.org>
Cc: "zhujianwei (C)" <email@example.com>,
Subject: Re: new seccomp mode aims to improve performance
Date: Fri, 29 May 2020 10:31:11 -0700 [thread overview]
Message-ID: <CAADnVQLciPUdO4hP2a2EbUE2zdE3AUxb8KZPkVaM+6+1CMNFzg@mail.gmail.com> (raw)
On Fri, May 29, 2020 at 9:09 AM Kees Cook <firstname.lastname@example.org> wrote:
> On Fri, May 29, 2020 at 08:43:56AM -0700, Alexei Starovoitov wrote:
> > On Fri, May 29, 2020 at 5:50 AM zhujianwei (C) <email@example.com> wrote:
> > >
> > > Hi, all
> > >
> > > We're using seccomp to increase container security, but bpf rules filter causes performance to deteriorate. So, is there a good solution to improve performance, or can we add a simplified seccomp mode to improve performance?
> Yes, there are already plans for a simple syscall bitmap seccomp feature.
> > I don't think your hunch at where cpu is spending cycles is correct.
> > Could you please do two experiments:
> > 1. try trivial seccomp bpf prog that simply returns 'allow'
> > 2. replace bpf_prog_run_pin_on_cpu() in seccomp.c with C code
> > that returns 'allow' and make sure it's noinline or in a different C file,
> > so that compiler doesn't optimize the whole seccomp_run_filters() into a nop.
> > Then measure performance of both.
> > I bet you'll see exactly the same numbers.
> Android has already done this, it appeared to not be the same. Calling
> into a SECCOMP_RET_ALLOW filter had a surprisingly high cost. I'll see
> if I can get you the numbers. I was frankly quite surprised -- I
> understood the bulk of the seccomp overhead to be in taking the TIF_WORK
> path, copying arguments, etc, but something else is going on there.
Please show the numbers that prove your point.
I've seen people making this mistake over and over again.
Intel folks also said that calling into bpf is slow only to be proved wrong.
It turned out to be the cost of retpoline and bpf_dispatcher logic resolved it.
next prev parent reply other threads:[~2020-05-29 17:31 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-29 12:48 new seccomp mode aims to improve performance zhujianwei (C)
2020-05-29 15:43 ` Alexei Starovoitov
2020-05-29 16:09 ` Kees Cook
2020-05-29 17:31 ` Alexei Starovoitov [this message]
2020-05-29 19:27 ` Kees Cook
2020-05-31 17:19 ` Alexei Starovoitov
2020-06-01 18:16 ` Kees Cook
2020-06-01 2:08 ` 答复: " zhujianwei (C)
2020-06-01 3:30 ` Alexei Starovoitov
2020-06-02 2:42 ` 答复: " zhujianwei (C)
2020-06-02 3:24 ` Alexei Starovoitov
2020-06-02 11:13 ` 答复: " zhujianwei (C)
2020-06-02 11:34 ` zhujianwei (C)
2020-06-02 18:32 ` Kees Cook
2020-06-03 4:51 ` 答复: " zhujianwei (C)
2020-06-01 10:11 ` Lennart Poettering
2020-06-01 12:32 ` Paul Moore
2020-06-02 12:53 ` Lennart Poettering
2020-06-02 15:03 ` Paul Moore
2020-06-02 18:39 ` Kees Cook
2020-06-01 18:21 ` Kees Cook
2020-06-02 12:44 ` Lennart Poettering
2020-06-02 18:37 ` Kees Cook
2020-06-16 6:00 ` Kees Cook
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).