Message-ID: <ec31caaea19247f0b9bd9c73ccaa7dbd@AcuMS.aculab.com>
Date: Thu, 24 Sep 2020 12:37:42 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Jann Horn' <jannh@...gle.com>, Kees Cook <keescook@...omium.org>
CC: YiFei Zhu <yifeifz2@...inois.edu>,
Christian Brauner <christian.brauner@...ntu.com>,
Tycho Andersen <tycho@...ho.pizza>,
"Andy Lutomirski" <luto@...capital.net>,
Will Drewry <wad@...omium.org>,
"Andrea Arcangeli" <aarcange@...hat.com>,
Giuseppe Scrivano <gscrivan@...hat.com>,
Tobin Feldman-Fitzthum <tobin@....com>,
Dimitrios Skarlatos <dskarlat@...cmu.edu>,
Valentin Rothberg <vrothber@...hat.com>,
"Hubertus Franke" <frankeh@...ibm.com>,
Jack Chen <jianyan2@...inois.edu>,
"Josep Torrellas" <torrella@...inois.edu>,
Tianyin Xu <tyxu@...inois.edu>, bpf <bpf@...r.kernel.org>,
Linux Containers <containers@...ts.linux-foundation.org>,
Linux API <linux-api@...r.kernel.org>,
kernel list <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 3/6] seccomp: Implement constant action bitmaps
From: Jann Horn
> Sent: 24 September 2020 13:29
...
> I think our goal here should be that if a syscall is always allowed,
> seccomp should execute the smallest amount of instructions we can get
> away with, and touch the smallest amount of memory possible (and
> preferably that memory should be shared between threads). The bitmap
> fastpath should probably also avoid populate_seccomp_data().
If most syscalls are expected to be allowed then an initial:
	if (global_mask & (1u << (syscall_number & 63)))
test can be used to skip any further lookups.
Although ISTR someone suggesting that the global_mask should
be per-cpu because even shared read-only cache lines were
expensive on some architecture.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
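
A user-space model of the bitmap fast path discussed in this message, added here as an illustration; it is not code from the patch series or from anyone on the thread. The names (filter_model, check_syscall, run_filter_slow, NR_SYSCALLS_MODEL) and the toy filter policy are assumptions, and it uses a full per-number bitmap with a bounds check so that a syscall number of 64 or above cannot alias onto a low bit.

```c
#include <stdint.h>
#include <stdio.h>

#define NR_SYSCALLS_MODEL 128   /* assumed table size for this model */
enum action { ACT_KILL = 0, ACT_ALLOW = 1 };

struct filter_model {
    uint64_t always_allow[NR_SYSCALLS_MODEL / 64]; /* 1 bit per syscall number */
    unsigned long slow_runs;                       /* full filter evaluations */
};

/* Stand-in for the BPF filter: nr 0 and 1 always allowed, nr 2 only if arg0 == 0. */
static enum action run_filter_slow(struct filter_model *f, int nr, uint64_t arg0)
{
    f->slow_runs++;
    if (nr == 0 || nr == 1 || (nr == 2 && arg0 == 0))
        return ACT_ALLOW;
    return ACT_KILL;
}

/* Only mark syscalls whose result is ALLOW regardless of arguments. */
static void mark_always_allowed(struct filter_model *f, int nr)
{
    if (nr >= 0 && nr < NR_SYSCALLS_MODEL)
        f->always_allow[nr / 64] |= UINT64_C(1) << (nr % 64);
}

static enum action check_syscall(struct filter_model *f, int nr, uint64_t arg0)
{
    /* Out-of-range numbers never take the fast path. */
    if (nr < 0 || nr >= NR_SYSCALLS_MODEL)
        return run_filter_slow(f, nr, arg0);
    /* Fast path: one load and one test, no argument data gathered. */
    if (f->always_allow[nr / 64] & (UINT64_C(1) << (nr % 64)))
        return ACT_ALLOW;
    return run_filter_slow(f, nr, arg0);
}

int main(void)
{
    struct filter_model f = {{0}, 0};
    mark_always_allowed(&f, 0);
    mark_always_allowed(&f, 1);
    printf("nr 1  -> %d\n", (int)check_syscall(&f, 1, 99));
    printf("nr 65 -> %d\n", (int)check_syscall(&f, 65, 0));
    printf("slow-path runs: %lu\n", f.slow_runs);
    return 0;
}
```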