22 May, 2015

1 commit

  • kprobe example that demonstrates how future seccomp programs may look.
    It attaches to the seccomp_phase1() function and tail-calls other BPF programs
    depending on syscall number.

    Existing optimized classic BPF seccomp programs generated by Chrome look like:
    if (sd.nr < 121) {
      if (sd.nr < 57) {
        if (sd.nr < 22) {
          if (sd.nr < 7) {
            if (sd.nr < 4) {
              if (sd.nr < 1) {
                check sys_read
              } else {
                if (sd.nr < 3) {
                  check sys_write and sys_open
                } else {
                  check sys_close
                }
              }
            } else {
            } else {
          } else {
        } else {
      } else {
    }

    the future seccomp using native eBPF may look like:
    bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
    which is simpler, faster and leaves more room for per-syscall checks.

    Usage:
    $ sudo ./tracex5
    <...>-366  [001] d...     4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
    <...>-369  [003] d...     4.870066: : mmap
    <...>-369  [003] d...     4.870077: : syscall=110 (one of get/set uid/pid/gid)
    <...>-369  [003] d...     4.870089: : syscall=107 (one of get/set uid/pid/gid)
    sh-369     [000] d...     4.891740: : read(fd=0, buf=00000000023d1000, size=512)
    sh-369     [000] d...     4.891747: : write(fd=1, buf=00000000023d3000, size=512)
    sh-369     [000] d...     4.891747: : read(fd=1, buf=00000000023d3000, size=512)

    Signed-off-by: Alexei Starovoitov
    Signed-off-by: David S. Miller

    Alexei Starovoitov
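The commit message contrasts the comparison ladder that Chrome's filter generator emits with a single bpf_tail_call() indexed by syscall number. The program below is an added example, not code from this commit or from the kernel's samples/bpf tree: it spells out a small slice of such a ladder as real classic BPF instructions, runs it through a minimal userspace interpreter for the four opcodes the ladder uses, and sets beside it the table dispatch that bpf_tail_call() expresses, where an empty table slot or out-of-range index makes the call fall through to the caller's next instruction (here, the kill verdict). The opcode values and seccomp return codes match the kernel's <linux/filter.h>, <linux/seccomp.h> and <linux/audit.h> but are redeclared locally so the file builds without kernel headers; the policy itself (read, write, close and getpid allowed, open failing with EACCES, everything else killed), the x86_64 syscall numbers and the arch-check placement are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same values as the kernel UAPI headers, redeclared so this builds anywhere. */
#define BPF_LD  0x00
#define BPF_W   0x00
#define BPF_ABS 0x20
#define BPF_JMP 0x05
#define BPF_JEQ 0x10
#define BPF_JGE 0x30
#define BPF_K   0x00
#define BPF_RET 0x06
#define SECCOMP_RET_KILL_THREAD 0x00000000U
#define SECCOMP_RET_ERRNO       0x00050000U
#define SECCOMP_RET_ALLOW       0x7fff0000U
#define AUDIT_ARCH_X86_64       0xc000003eU
#define EACCES_NUM              13

struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t instruction_pointer; uint64_t args[6]; };
#define BPF_STMT(code, k)         { (uint16_t)(code), 0, 0, (k) }
#define BPF_JUMP(code, k, jt, jf) { (uint16_t)(code), (jt), (jf), (k) }

/* x86_64 syscall numbers used by the constructed policy. */
enum { NR_read = 0, NR_write = 1, NR_open = 2, NR_close = 3, NR_getpid = 39 };

/* The ladder shape from the commit message as cBPF. Jump offsets are relative
 * to the next instruction. The arch check comes first: syscall numbers are
 * only meaningful for one ABI, so a 32-bit caller must not reach the ladder. */
static const struct sock_filter ladder[] = {
    /* 0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 9), /* else -> 11 */
    /* 2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 3 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 4, 5, 0),          /* nr >= 4 -> 9 */
    /* 4 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 1, 1, 0),          /* nr >= 1 -> 6 */
    /* 5 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* read */
    /* 6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_open, 0, 1),    /* open -> 7 */
    /* 7 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES_NUM),
    /* 8 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),          /* write, close */
    /* 9 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_getpid, 0, 1),  /* getpid -> 10 */
    /* 10 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 11 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_THREAD),
};

/* Userspace interpreter for the opcode subset above; anything else fails closed. */
static uint32_t run_cbpf(const struct sock_filter *prog, size_t len,
                         const struct seccomp_data *sd)
{
    uint32_t A = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *i = &prog[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k > sizeof(*sd) - sizeof(A))
                return SECCOMP_RET_KILL_THREAD;      /* out-of-bounds load */
            memcpy(&A, (const unsigned char *)sd + i->k, sizeof(A));
            break;
        case BPF_JMP | BPF_JGE | BPF_K: pc += (A >= i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (A == i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K: return i->k;
        default: return SECCOMP_RET_KILL_THREAD;     /* opcode not modelled */
        }
    }
    return SECCOMP_RET_KILL_THREAD; /* ran off the end; the kernel rejects such filters at load */
}

/* The shape bpf_tail_call(&sd, &syscall_jmp_table, sd.nr) expresses: one
 * per-syscall program per slot. An empty slot or bad index falls through to
 * the instruction after the call, so that path must be the deny verdict. */
typedef uint32_t (*syscall_check_t)(const struct seccomp_data *sd);
static uint32_t check_allow(const struct seccomp_data *sd) { (void)sd; return SECCOMP_RET_ALLOW; }
static uint32_t check_open(const struct seccomp_data *sd) { (void)sd; return SECCOMP_RET_ERRNO | EACCES_NUM; }
#define JMP_TABLE_SIZE 128
static const syscall_check_t syscall_jmp_table[JMP_TABLE_SIZE] = {
    [NR_read] = check_allow, [NR_write] = check_allow, [NR_open] = check_open,
    [NR_close] = check_allow, [NR_getpid] = check_allow,
};

static uint32_t run_table(const struct seccomp_data *sd)
{
    if (sd->arch != AUDIT_ARCH_X86_64)
        return SECCOMP_RET_KILL_THREAD;
    if (sd->nr < 0 || sd->nr >= JMP_TABLE_SIZE || !syscall_jmp_table[sd->nr])
        return SECCOMP_RET_KILL_THREAD;             /* tail call fell through */
    return syscall_jmp_table[sd->nr](sd);
}

uint32_t ladder_verdict(int nr, uint32_t arch)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_cbpf(ladder, sizeof(ladder) / sizeof(ladder[0]), &sd);
}
uint32_t table_verdict(int nr, uint32_t arch)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_table(&sd);
}
/* 1 if the ladder and the table give the same verdict for every slot index. */
int policies_agree(void)
{
    for (int nr = 0; nr < JMP_TABLE_SIZE; nr++)
        if (ladder_verdict(nr, AUDIT_ARCH_X86_64) != table_verdict(nr, AUDIT_ARCH_X86_64))
            return 0;
    return 1;
}

int main(void)
{
    int probes[] = { NR_read, NR_open, NR_getpid, 60 /* exit */ };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("nr=%d ladder=0x%08x table=0x%08x\n", probes[i],
               ladder_verdict(probes[i], AUDIT_ARCH_X86_64),
               table_verdict(probes[i], AUDIT_ARCH_X86_64));
    printf("agree=%d\n", policies_agree());
    return 0;
}
```

The `ladder` array is in the layout that seccomp(SECCOMP_SET_MODE_FILTER, ...) or prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) takes, after PR_SET_NO_NEW_PRIVS; the interpreter here exists only so the two formulations can be compared offline. The point the comparison makes is the one the commit message states: the table version reaches the per-syscall check in one indexed step instead of a chain of compares, and the check itself has room to inspect arguments, whereas every added syscall in the ladder shifts jump offsets throughout the filter.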