Linux-Security-Module Archive on lore.kernel.org
 help / color / Atom feed
From: "zhujianwei (C)" <zhujianwei7@huawei.com>
To: "bpf@vger.kernel.org" <bpf@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>
Cc: Hehuazhen <hehuazhen@huawei.com>
Subject: new seccomp mode aims to improve performance
Date: Fri, 29 May 2020 12:48:58 +0000
Message-ID: <c22a6c3cefc2412cad00ae14c1371711@huawei.com> (raw)

Hi, all

  We're using seccomp to increase container security, but bpf rules filter causes performance to deteriorate. So, is there a good solution to improve performance, or can we add a simplified seccomp mode to improve performance?
  
  // Pseudo code
  int __secure_computing(int this_syscall)
  {
  	...
  	switch (mode) {
  	case SECCOMP_MODE_STRICT:
  		...
  	case SECCOMP_MODE_FILTER:
  		...
  	case SECCOMP_MODE_LIGHT_FILTER:
  		//do light syscall filter.
  		...
  		break;
  	}
  	...
  }
  		
  int light_syscall_filter(int syscall_num) {
  	if(scno > SYSNUM_MAX) {
  		...
  		return -EACCESS;
  	}
  
  	bool *filter_map = get_filter_map(current);
  	if(filter_map == NULL) {
  		...
  		return -EFAULT;
  	}
  
  	if(filter_map[syscall_num] == true) {
  		...
  		return 0;
  	} else {
  		...
  		return -EACCESS;
  	}
  	...
  }

             reply index

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-29 12:48 zhujianwei (C) [this message]
2020-05-29 15:43 ` Alexei Starovoitov
2020-05-29 16:09   ` Kees Cook
2020-05-29 17:31     ` Alexei Starovoitov
2020-05-29 19:27     ` Kees Cook
2020-05-31 17:19       ` Alexei Starovoitov
2020-06-01 18:16         ` Kees Cook
2020-06-01  2:08       ` 答复: " zhujianwei (C)
2020-06-01  3:30         ` Alexei Starovoitov
2020-06-02  2:42           ` 答复: " zhujianwei (C)
2020-06-02  3:24             ` Alexei Starovoitov
2020-06-02 11:13               ` 答复: " zhujianwei (C)
2020-06-02 11:34               ` zhujianwei (C)
2020-06-02 18:32                 ` Kees Cook
2020-06-03  4:51                   ` 答复: " zhujianwei (C)
2020-06-01 10:11       ` Lennart Poettering
2020-06-01 12:32         ` Paul Moore
2020-06-02 12:53           ` Lennart Poettering
2020-06-02 15:03             ` Paul Moore
2020-06-02 18:39               ` Kees Cook
2020-06-01 18:21         ` Kees Cook
2020-06-02 12:44           ` Lennart Poettering
2020-06-02 18:37             ` Kees Cook
2020-06-16  6:00             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c22a6c3cefc2412cad00ae14c1371711@huawei.com \
    --to=zhujianwei7@huawei.com \
    --cc=bpf@vger.kernel.org \
    --cc=hehuazhen@huawei.com \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Security-Module Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-security-module/0 linux-security-module/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-security-module linux-security-module/ https://lore.kernel.org/linux-security-module \
		linux-security-module@vger.kernel.org
	public-inbox-index linux-security-module

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-security-module


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git