On Tue, Sep 22, 2020 at 12:51 AM YiFei Zhu <zhuyifei1999@xxxxxxxxx> wrote:
> On Mon, Sep 21, 2020 at 1:09 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
> >
> > On Mon, Sep 21, 2020 at 7:35 AM YiFei Zhu <zhuyifei1999@xxxxxxxxx> wrote:
> > [...]
> > > We do this by creating a per-task bitmap of permitted syscalls.
> > > If seccomp filter is invoked we check if it is cached and if so
> > > directly return allow. Else we call into the cBPF filter, and if
> > > the result is an allow then we cache the results.
> >
> > What? Why? We already have code to statically evaluate the filter for
> > all syscall numbers. We should be using the results of that instead of
> > re-running the filter and separately caching the results.
> >
> > > The cache is per-task
> >
> > Please don't. The static results are per-filter, so the bitmask(s)
> > should also be per-filter and immutable.
>
> I do agree that an immutable bitmask is faster and easier to reason
> about its correctness. However, I did not find the "code to statically
> evaluate the filter for all syscall numbers" while reading seccomp.c.
> Would you give me a pointer to that and I will see how to best make
> use of it?

I'm talking about the code you're adding in the other patch ("[RFC PATCH seccomp 1/2] seccomp/cache: Add "emulator" to check if filter is arg-dependent"). Sorry, that was a bit unclear.
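The design point of the thread, an immutable per-filter bitmap produced by statically evaluating the cBPF program for every syscall number and refusing to cache any path that depends on syscall arguments, can be shown in a small user-space model. The following is an added example written for this page; it is not code from the RFC series or from the kernel's seccomp.c. It assumes a toy subset of classic BPF (absolute word loads, JEQ with immediate, RET with immediate) with opcode and return-value constants copied from the kernel headers, an arbitrary NR_SYSCALLS bound of 512, and a constructed sample filter; the function names filter_allows_unconditionally, build_allow_bitmap, bitmap_allows and sample_allows are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* cBPF opcode bits and seccomp return values, copied so the example builds
 * without linux/filter.h and linux/seccomp.h; only this subset is modelled. */
#define BPF_LD   0x00
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_ERRNO        0x00050000U
#define SECCOMP_RET_ALLOW        0x7fff0000U
#define AUDIT_ARCH_X86_64        0xc000003eU

struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };

#define NR_SYSCALLS  512 /* arbitrary bound for the demo */
#define BITMAP_WORDS ((NR_SYSCALLS + 63) / 64)

/* Emulate the filter for one (arch, nr) with args and ip treated as unknown.
 * Returns 1 only if the path is decided by arch/nr alone and ends in ALLOW;
 * a read of args/ip, an unmodelled opcode or a runaway program yields 0, so
 * the syscall falls back to running the real filter at entry. */
static int filter_allows_unconditionally(const struct sock_filter *f, size_t len,
                                         uint32_t arch, int nr)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *insn = &f[pc];
        switch (insn->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (insn->k == offsetof(struct seccomp_data, nr))
                acc = (uint32_t)nr;
            else if (insn->k == offsetof(struct seccomp_data, arch))
                acc = arch;
            else
                return 0; /* arg-dependent: must not be cached */
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += 1 + (size_t)(acc == insn->k ? insn->jt : insn->jf);
            break;
        case BPF_RET | BPF_K:
            return insn->k == SECCOMP_RET_ALLOW;
        default:
            return 0; /* conservative: unknown instruction */
        }
    }
    return 0;
}

/* Built once when the filter is attached; never modified afterwards. */
static void build_allow_bitmap(const struct sock_filter *f, size_t len,
                               uint32_t arch, uint64_t bitmap[BITMAP_WORDS])
{
    memset(bitmap, 0, BITMAP_WORDS * sizeof(uint64_t));
    for (int nr = 0; nr < NR_SYSCALLS; nr++)
        if (filter_allows_unconditionally(f, len, arch, nr))
            bitmap[nr / 64] |= 1ULL << (nr % 64);
}

/* Fast path at syscall entry: a set bit means ALLOW without running cBPF. */
static int bitmap_allows(const uint64_t bitmap[BITMAP_WORDS], int nr)
{
    if (nr < 0 || nr >= NR_SYSCALLS) return 0;
    return (int)((bitmap[nr / 64] >> (nr % 64)) & 1);
}

/* Constructed sample filter (x86_64 numbers): allow read(0) and exit(60),
 * allow write(1) only when args[0] == 1, EPERM otherwise, kill on a foreign
 * arch. Jump offsets are relative to pc + 1, as in real cBPF. */
static const struct sock_filter sample_filter[] = {
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch) },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 8, AUDIT_ARCH_X86_64 },  /* else -> 10 */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr) },
    { BPF_JMP | BPF_JEQ | BPF_K, 5, 0, 0 },                   /* read -> 9 */
    { BPF_JMP | BPF_JEQ | BPF_K, 4, 0, 60 },                  /* exit -> 9 */
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 2, 1 },                   /* !write -> 8 */
    { BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, args) },
    { BPF_JMP | BPF_JEQ | BPF_K, 1, 0, 1 },                   /* fd 1 -> 9 */
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ERRNO | 1 },         /* 8: EPERM */
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW },             /* 9 */
    { BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS },      /* 10 */
};

/* Demo entry point: is syscall nr covered by the sample filter's bitmap? */
static int sample_allows(int nr)
{
    uint64_t bitmap[BITMAP_WORDS];
    build_allow_bitmap(sample_filter, sizeof(sample_filter) / sizeof(sample_filter[0]),
                       AUDIT_ARCH_X86_64, bitmap);
    return bitmap_allows(bitmap, nr);
}
```

With this filter, sample_allows(0) and sample_allows(60) report a cached ALLOW, while write (nr 1) reports 0 even though the filter may allow it at runtime: the emulator saw the load of args[0] and refused to cache, which is exactly why the bitmap can be immutable and shared per filter rather than filled in lazily per task. Any syscall not covered by the bitmap still goes through the full cBPF evaluation, so the cache can only ever skip work for calls the filter would have allowed regardless of arguments.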