From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.4 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_IN_DEF_DKIM_WL autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E2629C4363D for ; Thu, 24 Sep 2020 12:57:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8CCEF21D24 for ; Thu, 24 Sep 2020 12:57:12 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="kJB1nGYx" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727860AbgIXM4s (ORCPT ); Thu, 24 Sep 2020 08:56:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43582 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727798AbgIXM4r (ORCPT ); Thu, 24 Sep 2020 08:56:47 -0400 Received: from mail-ed1-x543.google.com (mail-ed1-x543.google.com [IPv6:2a00:1450:4864:20::543]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9ADEEC0613D3 for ; Thu, 24 Sep 2020 05:56:47 -0700 (PDT) Received: by mail-ed1-x543.google.com with SMTP id l17so3204631edq.12 for ; Thu, 24 Sep 2020 05:56:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6PIyzkE03cr+kvJe1Aijo1Xyt0QaH2RNf7w1MklGRBQ=; b=kJB1nGYxP0Y6X5WheYqJQFpCi5sL6A711gpSeHDvuzgkectzUE/MXMOOEAnyElFD9v iqJyfIN/NSmWXrpVuFZ0aho0aDIFIpkMOw1pyuVo0+VxTny2vbcrMcsb9bSkOD2pXiG3 Dvl8rC/5qu8B0ATDNukQW590sTpDnKOF0N0ECVTvm6I8NaeU/cOkLhrQclT3Uw6+H6sk /qht2lFhpsGuqbERJ1ekX/lZmTpUh5+Dak+m/8EL3mc+x8jKSLvoDXJXDjOHzU8GK7vZ udXjSph+fxFzM8V094eG/lbsSo3u9cohPOEWwxr8UoH1Ss++gokbpNmfxCbBkzFK3vEe Rtuw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6PIyzkE03cr+kvJe1Aijo1Xyt0QaH2RNf7w1MklGRBQ=; b=mvWjqTWSolCdceSXbFxzz83a5SAFNzQGT4Qe2FlqDLfuG7v9IHP0UKCsJsrl9Rj8kw 2uRZzKRrUUtQra1IBK8AxZ/fUKWZDO4ZE/0AP8spyQ1IEq3pPw9gnFivzkVgnRwX+zGZ U20fi1+HlXE2DZWGn1Wk4m3XZ74og/2b7/zAPG+PAdjg5EbOA3puaF7+6yU52tpQMocS o8+sD5EpWoKvSpjsmVkszVY/7ve2SqurqCeJBm3HcAC58UhpBXSy7K5zsqHDSwNE/Ai+ kKt5awLiehK1kEBq6y1qZykdfUK+V/92EoMxgm8ggmVBm+d/YdfiJKE/le/B3FyAGffb snTw== X-Gm-Message-State: AOAM531zYcXaqnYLXm/31X1Kx18zbVLyWnrxt3/+5H4rm7F2RuDwymM+ SRYQYxtohpB2bOoxma7AmmkWfazrdyDBTDYkovqv1Q== X-Google-Smtp-Source: ABdhPJyZT+GnEERoDowCMN+gaCS8CKBwR2yALNltlIzprycdqYNWKl35K4oZS3REzkERw/iLp6ynqEQMU4tQidSctwU= X-Received: by 2002:a50:ccd2:: with SMTP id b18mr885315edj.51.1600952205967; Thu, 24 Sep 2020 05:56:45 -0700 (PDT) MIME-Version: 1.0 References: <20200923232923.3142503-1-keescook@chromium.org> <20200923232923.3142503-4-keescook@chromium.org> <202009240018.A4D8274F@keescook> In-Reply-To: From: Jann Horn Date: Thu, 24 Sep 2020 14:56:19 +0200 Message-ID: Subject: Re: [PATCH 3/6] seccomp: Implement constant action bitmaps To: David Laight Cc: Kees Cook , YiFei Zhu , Christian Brauner , Tycho Andersen , Andy Lutomirski , Will Drewry , Andrea Arcangeli , Giuseppe Scrivano , Tobin Feldman-Fitzthum , Dimitrios Skarlatos , Valentin Rothberg , Hubertus Franke , Jack Chen , Josep Torrellas , Tianyin Xu , bpf , Linux Containers , Linux API , kernel list Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 24, 2020 at 2:37 PM David Laight wrote: > From: Jann Horn > > Sent: 24 September 2020 13:29 > ... > > I think our goal here should be that if a syscall is always allowed, > > seccomp should execute the smallest amount of instructions we can get > > away with, and touch the smallest amount of memory possible (and > > preferably that memory should be shared between threads). The bitmap > > fastpath should probably also avoid populate_seccomp_data(). > > If most syscalls are expected to be allowed E.g. OpenSSH's privilege-separated network process only permits something like 26 specific syscalls. > then an initial: > if (global_mask & (1u << (syscall_number & 63)) > test can be used to skip any further lookups. I guess that would work in principle, but I'm not convinced that it's worth adding another layer of global caching just to avoid one load instruction for locating the correct bitmask from the current process. Especially when it only really provides a benefit when people use seccomp improperly - for application sandboxing, you're supposed to only permit a list of specific syscalls, the smaller the better. > Although ISTR someone suggesting that the global_mask should > be per-cpu because even shared read-only cache lines were > expensive on some architecture. If an architecture did make that expensive, I think we have bigger problems to worry about than a little bitmap in seccomp. (Like the system call table.) So I think we don't have to worry about that here.