lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 24 Sep 2020 12:37:42 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Jann Horn' <jannh@...gle.com>, Kees Cook <keescook@...omium.org>
CC:     YiFei Zhu <yifeifz2@...inois.edu>,
        Christian Brauner <christian.brauner@...ntu.com>,
        Tycho Andersen <tycho@...ho.pizza>,
        "Andy Lutomirski" <luto@...capital.net>,
        Will Drewry <wad@...omium.org>,
        "Andrea Arcangeli" <aarcange@...hat.com>,
        Giuseppe Scrivano <gscrivan@...hat.com>,
        Tobin Feldman-Fitzthum <tobin@....com>,
        Dimitrios Skarlatos <dskarlat@...cmu.edu>,
        Valentin Rothberg <vrothber@...hat.com>,
        "Hubertus Franke" <frankeh@...ibm.com>,
        Jack Chen <jianyan2@...inois.edu>,
        "Josep Torrellas" <torrella@...inois.edu>,
        Tianyin Xu <tyxu@...inois.edu>, bpf <bpf@...r.kernel.org>,
        Linux Containers <containers@...ts.linux-foundation.org>,
        Linux API <linux-api@...r.kernel.org>,
        kernel list <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 3/6] seccomp: Implement constant action bitmaps

From: Jann Horn
> Sent: 24 September 2020 13:29
...
> I think our goal here should be that if a syscall is always allowed,
> seccomp should execute the smallest amount of instructions we can get
> away with, and touch the smallest amount of memory possible (and
> preferably that memory should be shared between threads). The bitmap
> fastpath should probably also avoid populate_seccomp_data().

If most syscalls are expected to be allowed then an initial:
	if (global_mask & (1u << (syscall_number & 63))
test can be used to skip any further lookups.

Although ISTR someone suggesting that the global_mask should
be per-cpu because even shared read-only cache lines were
expensive on some architecture.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ