Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp3669222pxk; Mon, 7 Sep 2020 22:01:09 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyZE6+m0kj4ocRrbQY9+Kn4j/xv6wDfdlEfH0CUEEoUl+HNy1wxG7yzc/5UpayOn606GiHi X-Received: by 2002:a17:906:c7d9:: with SMTP id dc25mr23383704ejb.452.1599541269800; Mon, 07 Sep 2020 22:01:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599541269; cv=none; d=google.com; s=arc-20160816; b=nTEoTaq2HoSpiXnMC/9n5uGKpNsivZyTlyAwD0pJjRDtqLQWn1W6X1wwfKFh6HzJoy GJYS+89UE/UZhELkaDNq27tE4MEhUcLhdX+GJQpmREnZn/3+hIBI5Kpe0QH/x+rCLU9W H346nb3oz36+Iv8g0lyeuZ3Ycc+ii5el+1bIWwZeQ3nNfg7xFInGDpUBYtxysilrnqdO fIRSbBHo7gbAuatyZ+ea+ALMw0EULmM87QufY0A6wP2DA+oXiT2ZqHkTndASIQuYtnQC yWJeaMrjsqmmGbcITU6xzvwF3lqulxa815xAcblHqm0edkltJgC7ty+psrs8Lp3xR1L4 t/Ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :in-reply-to:date:references:organization:subject:cc:to:from; bh=dnkZ9AoPXLgr9F32s7ZKMUYrbWX+5ikVtqUV2YHLIBU=; b=eljcQnVLKptcd6dsFbpFdNz/X+MzLw1Vs+4qhyUa9v9OgOMuv5QEPItJ8KNHsjixqo Nxym3G0eHY2tfAasX9EctyQERFC1wfHxvL3tKGOPmK6bKaQVHeAl2M8rQuxYVZbXzLdN sJgrTwCzFnYA4eKYpYJ4YooZYpGdQLZSH7Jfnc4GtY9WDFr0CtCBCgFqDG561rw9qCNg Q0QP9uZAbZLxpBb+yaYTEofwUEupfUrUzXGISVOAc1FFpTANSdZbZrFrwztIlqajs56r TQyBq665hOPRzv8ce1GNaQX5IcTIKz1PplmSJ9TWqSynxWMsltbt3zZoAU6idlsibWEB Xu5A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s18si11140870eji.430.2020.09.07.22.00.47; Mon, 07 Sep 2020 22:01:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728137AbgIHE7z (ORCPT + 99 others); Tue, 8 Sep 2020 00:59:55 -0400 Received: from bhuna.collabora.co.uk ([46.235.227.227]:47178 "EHLO bhuna.collabora.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726279AbgIHE7z (ORCPT ); Tue, 8 Sep 2020 00:59:55 -0400 Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: krisman) with ESMTPSA id 2488328F7E8 From: Gabriel Krisman Bertazi To: Christian Brauner Cc: luto@kernel.org, tglx@linutronix.de, keescook@chromium.org, x86@kernel.org, linux-kernel@vger.kernel.org, linux-api@vger.kernel.org, willy@infradead.org, linux-kselftest@vger.kernel.org, shuah@kernel.org, kernel@collabora.com Subject: Re: [PATCH v6 1/9] kernel: Support TIF_SYSCALL_INTERCEPT flag Organization: Collabora References: <20200904203147.2908430-1-krisman@collabora.com> <20200904203147.2908430-2-krisman@collabora.com> <20200907101608.ldfhhvcy3vmrkg6b@wittgenstein> Date: Tue, 08 Sep 2020 00:59:49 -0400 In-Reply-To: <20200907101608.ldfhhvcy3vmrkg6b@wittgenstein> (Christian Brauner's message of "Mon, 7 Sep 2020 12:16:08 +0200") Message-ID: <87wo14n9ru.fsf@collabora.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christian Brauner writes: > On Fri, Sep 04, 2020 at 04:31:39PM -0400, Gabriel Krisman Bertazi wrote: >> index afe01e232935..3511c98a7849 100644 >> --- a/include/linux/sched.h >> +++ b/include/linux/sched.h >> @@ -959,7 +959,11 @@ struct task_struct { >> kuid_t loginuid; >> unsigned int sessionid; >> #endif >> - struct seccomp seccomp; >> + >> + struct { >> + unsigned int syscall_intercept; >> + struct seccomp seccomp; >> + }; > > If there's no specific reason to do this I'd not wrap this in an > anonymous struct. It doesn't really buy anything and there doesn't seem > to be precedent in struct task_struct right now. Also, if this somehow > adds padding it seems you might end up increasing the size of struct > task_struct more than necessary by accident? (I might be wrong > though.) Hi Christian, Thanks for your review on this and on the other patches of this series. I wrapped these to prevent struct layout randomization from separating the flags field from seccomp, as they are going to be used together and I was trying to reduce overhead to seccomp entry due to two cache misses when reading this structure. Measuring it seccomp_benchmark didn't show any difference with the unwrapped version, so perhaps it was a bit of premature optimization? >> diff --git a/include/linux/syscall_intercept.h b/include/linux/syscall_intercept.h >> new file mode 100644 >> index 000000000000..725d157699da >> --- /dev/null >> +++ b/include/linux/syscall_intercept.h >> @@ -0,0 +1,70 @@ >> +/* SPDX-License-Identifier: GPL-2.0 */ >> +/* >> + * Copyright (C) 2020 Collabora Ltd. >> + */ >> +#ifndef _SYSCALL_INTERCEPT_H >> +#define _SYSCALL_INTERCEPT_H >> + >> +#include >> +#include >> +#include >> + >> +#define SYSINT_SECCOMP 0x1 > > > > Can we maybe use a better name for this? I noone minds the extra > characters I'd suggest: > SYSCALL_INTERCEPT_SECCOMP > or > SYS_INTERCEPT_SECCOMP > > > will do. Thanks, -- Gabriel Krisman Bertazi