On Mon, Sep 21, 2020 at 1:09 PM Jann Horn <jannh@xxxxxxxxxx> wrote:
>
> On Mon, Sep 21, 2020 at 7:35 AM YiFei Zhu <zhuyifei1999@xxxxxxxxx> wrote:
> [...]
> > We do this by creating a per-task bitmap of permitted syscalls.
> > If seccomp filter is invoked we check if it is cached and if so
> > directly return allow. Else we call into the cBPF filter, and if
> > the result is an allow then we cache the results.
>
> What? Why? We already have code to statically evaluate the filter for
> all syscall numbers. We should be using the results of that instead of
> re-running the filter and separately caching the results.
>
> > The cache is per-task
>
> Please don't. The static results are per-filter, so the bitmask(s)
> should also be per-filter and immutable.

I do agree that an immutable bitmask is faster and easier to reason about
its correctness. However, I did not find the "code to statically evaluate
the filter for all syscall numbers" while reading seccomp.c. Would you
give me a pointer to that and I will see how to best make use of it?

YiFei Zhu
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
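A constructed model of the per-filter approach argued for above, added here as an example and not code from the patch series or from seccomp.c: a tiny cBPF-style interpreter plus a bitmap built once per filter by evaluating it for every syscall number with only the number known, so that a bit is set only where the verdict is an allow that does not depend on the arguments. The opcode set, return codes and the sample filter are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed mini-model of a seccomp cBPF filter: just the opcodes that the
 * usual "allow by syscall number" filters need. Not kernel code. */
enum op { LD_NR, LD_ARG0, JEQ, RET };
struct insn { enum op op; uint32_t k; uint8_t jt, jf; };
#define RET_ALLOW   0x7fff0000u
#define RET_KILL    0x00000000u
#define RET_UNKNOWN 0xffffffffu  /* constructed: verdict depends on args */

/* Run the filter. With arg0_known == false, any load of arg0 aborts: the
 * verdict then cannot be decided from the syscall number alone. */
static uint32_t run_filter(const struct insn *prog, size_t len,
                           uint32_t nr, uint64_t arg0, bool arg0_known)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case LD_NR:   acc = nr; break;
        case LD_ARG0: if (!arg0_known) return RET_UNKNOWN; acc = (uint32_t)arg0; break;
        case JEQ:     pc += (acc == i->k) ? i->jt : i->jf; break; /* offsets from next insn */
        case RET:     return i->k;
        }
    }
    return RET_KILL;  /* falling off the end: treat as kill */
}

/* Per-filter and immutable: evaluate once per syscall number at attach time. */
static uint64_t build_allow_bitmap(const struct insn *prog, size_t len)
{
    uint64_t bitmap = 0;
    for (uint32_t nr = 0; nr < 64; nr++)
        if (run_filter(prog, len, nr, 0, false) == RET_ALLOW)
            bitmap |= 1ull << nr;
    return bitmap;
}

/* Fast path: a set bit means the cBPF filter need not run for this nr. */
static bool bitmap_allows(uint64_t bitmap, uint32_t nr)
{
    return nr < 64 && ((bitmap >> nr) & 1);
}

/* Constructed sample: allow nr 1 and 60 outright, nr 2 only if arg0 == 0. */
static const struct insn sample_prog[] = {
    { LD_NR, 0, 0, 0 },   { JEQ, 1, 5, 0 }, { JEQ, 60, 4, 0 }, { JEQ, 2, 0, 2 },
    { LD_ARG0, 0, 0, 0 }, { JEQ, 0, 1, 0 }, { RET, RET_KILL, 0, 0 },
    { RET, RET_ALLOW, 0, 0 },
};
#define SAMPLE_LEN (sizeof sample_prog / sizeof sample_prog[0])
```

Note that nr 2 never lands in the bitmap even though some of its invocations are allowed: an argument-dependent verdict must always go through the filter, which is what makes the precomputed bitmap safe to treat as immutable.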