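/*
 * On Wed, Jun 11, 2014 at 3:18 PM, H. Peter Anvin <hpa@xxxxxxxxx> wrote:
 * > On 06/11/2014 02:56 PM, Andy Lutomirski wrote:
 * >>
 * >> 13ns is with the simplest nonempty filter.  I hope that empty filters
 * >> don't work.
 * >>
 * >
 * > Why wouldn't they?  Is it permissible to fall off the end of a BPF program?
 *
 * I'm getting EINVAL trying to install an actual empty filter.  The filter
 * I tested with was:
 */
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#include <err.h>
#include <sys/prctl.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Minimal seccomp-filter harness: installs a one-instruction BPF program that
 * returns SECCOMP_RET_ALLOW for every syscall, then execs the command given on
 * the command line under that filter (the thread above uses it to time the
 * per-syscall cost of the simplest non-empty filter).
 *
 * argv[1]     program to exec; argv[1..] becomes its argv.
 * Returns 1 on usage error; exits via err(3) (status 1, errno text) if
 * either prctl() or execv() fails.  On success it never returns.
 */
int main(int argc, char **argv)
{
	/* Single instruction: unconditionally return SECCOMP_RET_ALLOW. */
	struct sock_filter filter[] = {
		BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
	};
	/* filter is a real array here, so the sizeof ratio is the instruction count. */
	struct sock_fprog prog = {
		.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
		.filter = filter,
	};

	if (argc < 2) {
		printf("Usage: null_seccomp PATH ARGS...\n");
		return 1;
	}

	/*
	 * no_new_privs must be set first: the kernel only lets an unprivileged
	 * process install a seccomp filter once it can no longer gain
	 * privileges across execve.
	 */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		err(1, "PR_SET_NO_NEW_PRIVS");
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
		err(1, "PR_SET_SECCOMP");

	execv(argv[1], argv + 1);
	/*
	 * execv() only returns on failure.  argv[1] comes from the caller, so it
	 * must be passed as an argument, never as err()'s format string: a '%'
	 * in the path would otherwise make err() read nonexistent varargs.
	 */
	err(1, "%s", argv[1]);
}
/* --Andy */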