This patchset introduces a seccomp program type which can be used to attach
to the existing seccomp framework. The motivation is to enable sharing of a
seccomp filter through a bpf prog fd and bpffs. With this in place, we can
eliminate a hot path of JITing the cBPF program (seccomp filter) where we
apply the same seccomp filter to thousands of micro VMs on a bare metal
instance.

This also allows us to write seccomp filters in an intuitive way; see the
selftests for reference.

Hengqi Chen (6):
  bpf: Introduce BPF_PROG_TYPE_SECCOMP
  bpf: Add test_run support for seccomp program type
  seccomp: Refactor filter copy/create for reuse
  seccomp: Support attaching BPF_PROG_TYPE_SECCOMP progs
  selftests/bpf: Add seccomp verifier tests
  selftests/bpf: Test BPF_PROG_TYPE_SECCOMP

 include/linux/bpf.h                                |   3 +
 include/linux/bpf_types.h                          |   4 +
 include/linux/seccomp.h                            |   3 +-
 include/uapi/linux/bpf.h                           |   1 +
 include/uapi/linux/seccomp.h                       |   2 +
 kernel/seccomp.c                                   | 142 ++++++++++++++--
 net/bpf/test_run.c                                 |  27 +++
 tools/include/uapi/linux/bpf.h                     |   1 +
 tools/include/uapi/linux/seccomp.h                 |   2 +
 tools/lib/bpf/libbpf.c                             |   2 +
 tools/lib/bpf/libbpf_probes.c                      |   1 +
 .../selftests/bpf/prog_tests/seccomp.c             |  40 +++++
 .../selftests/bpf/prog_tests/verifier.c            |   2 +
 .../selftests/bpf/progs/test_seccomp.c             |  24 +++
 .../selftests/bpf/progs/verifier_seccomp.c         | 154 ++++++++++++++++++
 15 files changed, 390 insertions(+), 18 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/seccomp.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_seccomp.c
 create mode 100644 tools/testing/selftests/bpf/progs/verifier_seccomp.c

--
2.34.1