From: YiFei Zhu
Date: Fri, 25 Sep 2020 20:23:30 -0500
Subject: Re: [PATCH v2 seccomp 3/6] seccomp/cache: Add "emulator" to check if filter is arg-dependent
To: Andy Lutomirski
Cc: Kees Cook, Linux Containers, YiFei Zhu, bpf, kernel list, Aleksa Sarai, Andrea Arcangeli, Dimitrios Skarlatos, Giuseppe Scrivano, Hubertus Franke, Jack Chen, Jann Horn, Josep Torrellas, Tianyin Xu, Tobin Feldman-Fitzthum, Tycho Andersen, Valentin Rothberg, Will Drewry
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Sep 25, 2020 at 4:07 PM Andy Lutomirski wrote:
> We'd need at least three states per syscall: unknown, always-allow,
> and need-to-run-filter.
>
> The downsides are less determinism and a bit of an uglier
> implementation. The upside is that we don't need to loop over all
> syscalls at load -- instead the time that each operation takes is
> independent of the total number of syscalls on the system. And we can
> entirely avoid, say, evaluating the x32 case until the task tries an
> x32 syscall.

I was really afraid of multiple tasks writing to the bitmaps at once, hence I used bitmap-per-task. Now that I think about it, if this stays lockless, the worst thing that can happen is that a write undoes a bit set by another task. In this case, if the "known" bit is cleared then the worst would be the emulation is run many times. But if the "always allow" bit is cleared but not the "known" bit then we have an issue: the syscall will always be executed in BPF.

Is it worth holding a spinlock here?

Though I'll try to get the benchmark numbers for the emulator later tonight.

YiFei Zhu
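
The two lost-update outcomes described in the reply above, replayed deterministically as an added example (not code from the thread or from the kernel). The two-word `struct cache`, syscall numbers 1 and 2 and every function name are assumptions made for illustration; the last function uses an atomic OR, which the message does not propose, purely for contrast.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical model (not kernel code): two bitmap words shared by all tasks. */
enum state { UNKNOWN, ALWAYS_ALLOW, RUN_FILTER };
struct cache { unsigned long known, allow; };

static enum state lookup(const struct cache *c, int nr)
{
    if (!(c->known & (1UL << nr)))
        return UNKNOWN;                      /* emulator has to run (again) */
    return (c->allow & (1UL << nr)) ? ALWAYS_ALLOW : RUN_FILTER;
}

/* Replay two plain read-modify-writes on *w that both load before either stores. */
static void lost_update(unsigned long *w, int nr_a, int nr_b)
{
    unsigned long snap_a = *w, snap_b = *w;  /* tasks A and B load the same word */
    *w = snap_a | (1UL << nr_a);             /* A stores its bit */
    *w = snap_b | (1UL << nr_b);             /* B stores a stale copy: A's bit is undone */
}

/* A's "always allow" bit is lost while its "known" bit survives. */
enum state race_on_allow(void)
{
    struct cache c = { .known = (1UL << 1) | (1UL << 2), .allow = 0 };
    lost_update(&c.allow, 1, 2);
    return lookup(&c, 1);    /* syscall 1 is stuck on the BPF path: safe but slow */
}

/* A's "known" bit is lost: syscall 1 merely looks unresolved and is emulated again. */
enum state race_on_known(void)
{
    struct cache c = { .known = 0, .allow = (1UL << 1) | (1UL << 2) };
    lost_update(&c.known, 1, 2);
    return lookup(&c, 1);
}

/* Atomic OR is indivisible, so neither task's bit can be overwritten by the other. */
enum state with_atomic_or(void)
{
    _Atomic unsigned long allow = 0, known = 0;
    atomic_fetch_or(&allow, 1UL << 1); atomic_fetch_or(&allow, 1UL << 2);
    atomic_fetch_or(&known, 1UL << 1); atomic_fetch_or(&known, 1UL << 2);
    return lookup(&(struct cache){ atomic_load(&known), atomic_load(&allow) }, 1);
}

int main(void) { printf("%d %d %d\n", race_on_allow(), race_on_known(), with_atomic_or()); return 0; }
```

Both lost-update outcomes fail toward running the filter, so the cost in this model is performance rather than a wrongly allowed syscall.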