Re: [RFC PATCH seccomp 2/2] seccomp/cache: Cache filter results that allow syscalls

From: YiFei Zhu
Date: Mon Sep 21 2020 - 18:51:09 EST

On Mon, Sep 21, 2020 at 1:09 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
> On Mon, Sep 21, 2020 at 7:35 AM YiFei Zhu <zhuyifei1999@xxxxxxxxx> wrote:
> [...]
> > We do this by creating a per-task bitmap of permitted syscalls.
> > If seccomp filter is invoked we check if it is cached and if so
> > directly return allow. Else we call into the cBPF filter, and if
> > the result is an allow then we cache the results.
> What? Why? We already have code to statically evaluate the filter for
> all syscall numbers. We should be using the results of that instead of
> re-running the filter and separately caching the results.
> > The cache is per-task
> Please don't. The static results are per-filter, so the bitmask(s)
> should also be per-filter and immutable.

I do agree that an immutable bitmask is faster and easier to reason
about its correctness. However, I did not find the "code to statically
evaluate the filter for all syscall numbers" while reading seccomp.c.
Would you give me a pointer to that and I will see how to best make
use of it?

YiFei Zhu