author: Matt Delco <delco@chromium.org> 2020-01-16 12:41:06 -0800
committer: Commit Bot <commit-bot@chromium.org> 2020-03-19 07:24:56 +0000
commit: 6d2a83482737cac0e5777a00e27d34e704eedb71
tree: 32dee862e67672356d22bf774cd32923fc54f61d /seccomp
parent: 5934305f37a765f8c611d9a24d9d5f012845d39b
seccomp: add frequency file to x86_64
Add a frequency file that teaches the seccomp compiler to weight the
comparison tree in favor of the most frequently called syscalls.

This frequency file was created by running strace against vm_concierge's
pid (e.g., "strace -p PID -ff -e raw=all -o /tmp/strace") when
performing a start and stop of a VM, deleting the trace files that
weren't for a crosvm process, passing the files to minijail's
tools/generate_seccomp_policy.py (using the -frequency option), and
combining the results of the frequency file.  I rounded the #s to the
nearest multiple of 5 and only retained the syscalls that had at least
10 calls.

BUG=None
TEST=Local build and deploy.  Verified that crostini VM still boots and
shuts down properly.  Used scmp_bpf_disasm to disassemble a few bpf
files before and after this change to confirm that with the frequency
file the first comparison is "jge 2" (to quickly whitelist syscalls
0 and 1 ['read' and 'write']) instead of a comparison around the middle
of the range of syscall numbers that are used.

Change-Id: Icace2b5cdbcae6e51cfd67a3034a1a17fdb6d59e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2005793
Commit-Queue: Matt Delco <delco@chromium.org>
Commit-Queue: Stephen Barber <smbarber@chromium.org>
Tested-by: Matt Delco <delco@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Matt Delco <delco@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
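The post-processing the commit message describes (summing the per-process frequency files, keeping only syscalls with at least 10 calls, rounding to the nearest multiple of 5, and writing the file back out in the `syscall: count` form seen in `common_device.frequency`), as an added Python example. It is not crosvm's or minijail's code, the sample traces and policy are constructed, and the ordering of the threshold and rounding steps (threshold on the raw sum first, then rounding) is an assumption. It also adds a check the commit does not have: flagging frequency entries for syscalls the policy never allows, since those cannot influence the compiled comparison tree.

```python
"""Merge per-process seccomp frequency files and prune them.

Added example, not crosvm's or minijail's code.  Assumption: the
">= 10 calls" filter is applied to the raw summed count, and rounding
to a multiple of 5 happens afterwards.
"""
from collections import Counter
from typing import Dict, Iterable, Set

MIN_CALLS = 10   # commit message: keep only syscalls with at least 10 calls
ROUND_TO = 5     # commit message: round counts to the nearest multiple of 5


def parse_frequency(text: str) -> Dict[str, int]:
    """Parse 'syscall: count' lines; '#' comments and blank lines are skipped."""
    counts: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not name or not value.isdigit():
            raise ValueError(f"line {lineno}: expected 'syscall: count', got {raw!r}")
        counts[name] = counts.get(name, 0) + int(value)
    return counts


def round_to_multiple(n: int, base: int = ROUND_TO) -> int:
    """Round n to the nearest multiple of base using integer arithmetic.

    For base 5 an integer n is never exactly halfway, so there are no ties.
    """
    return (n + base // 2) // base * base


def merge_frequencies(files: Iterable[str]) -> Dict[str, int]:
    """Sum counts across files, drop rare syscalls, round the survivors."""
    total: Counter = Counter()
    for text in files:
        total.update(parse_frequency(text))
    return {
        name: round_to_multiple(count)
        for name, count in sorted(total.items())
        if count >= MIN_CALLS
    }


def render_frequency(counts: Dict[str, int]) -> str:
    """Emit the alphabetically sorted 'name: count' lines used by @frequency."""
    return "".join(f"{name}: {count}\n" for name, count in sorted(counts.items()))


def policy_syscalls(policy_text: str) -> Set[str]:
    """Syscall names a minijail policy allows ('name: expr' lines).

    '@include', '@frequency' and comment lines are skipped.
    """
    names: Set[str] = set()
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):
            continue
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip())
    return names


def inert_entries(freq: Dict[str, int], policy_text: str) -> Set[str]:
    """Frequency entries for syscalls the policy never allows.

    They cannot move anything in the compiled comparison tree, so they are
    noise in the file and candidates for pruning.
    """
    return set(freq) - policy_syscalls(policy_text)


# Constructed sample inputs (two traced processes and a tiny policy).
TRACE_A = """# constructed sample: process A
read: 100
write: 7
ioctl: 12
"""
TRACE_B = """# constructed sample: process B
read: 23
ioctl: 1
futex: 4
"""
POLICY = """# constructed sample policy
@frequency ./common_device.frequency
brk: 1
clone: arg0 & CLONE_THREAD
close: 1
read: 1
"""

if __name__ == "__main__":
    merged = merge_frequencies([TRACE_A, TRACE_B])
    print(render_frequency(merged), end="")           # ioctl: 15 / read: 125
    print("inert:", sorted(inert_entries(merged, POLICY)))  # ['ioctl']
```

With real input, the `files` argument would be the per-process outputs of `generate_seccomp_policy.py --frequency` (constructed here as strings), and `inert_entries` would be run against the policy that carries the `@frequency` directive plus anything it includes.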
Diffstat (limited to 'seccomp')
-rw-r--r--  seccomp/x86_64/common_device.frequency  45
-rw-r--r--  seccomp/x86_64/common_device.policy      1
2 files changed, 46 insertions, 0 deletions
diff --git a/seccomp/x86_64/common_device.frequency b/seccomp/x86_64/common_device.frequency
new file mode 100644
index 0000000..618c44d
--- /dev/null
+++ b/seccomp/x86_64/common_device.frequency
@@ -0,0 +1,45 @@
+# Copyright 2020 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+capget: 30
+capset: 30
+chdir: 30
+chroot: 15
+clone: 30
+close: 1185
+dup: 50
+dup2: 160
+epoll_ctl: 25
+epoll_wait: 90
+eventfd2: 75
+exit: 15
+exit_group: 15
+fchdir: 30
+fstat: 90
+futex: 20
+getdents: 55
+ioctl: 350
+mmap: 95
+mount: 45
+mprotect: 45
+openat: 515
+pipe: 15
+pivot_root: 15
+prctl: 570
+prlimit64: 15
+read: 82415
+recvmsg: 85
+restart_syscall: 15
+rt_sigaction: 20
+rt_sigreturn: 15
+seccomp: 25
+sendmsg: 390
+setsockopt: 30
+socket: 20
+socketpair: 30
+stat: 30
+umount2: 15
+unshare: 30
+wait4: 20
+write: 56100
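Review bot: the new file carries only the license header; a comment recording how the counts were produced (strace of a VM start and stop fed to minijail's tools/generate_seccomp_policy.py, per-process results summed, rounded to a multiple of 5, entries under 10 calls dropped, as the commit message says) would let the next person regenerate it instead of guessing. Several entries (capset, chroot, mount, pivot_root, unshare, umount2) also look like sandbox setup syscalls that ran before the filter was loaded rather than device code; if common_device.policy and the policies that include it do not allow them, those lines are inert and could be pruned so the file only lists what the filter actually weights.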
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
index 8464c4b..453719d 100644
--- a/seccomp/x86_64/common_device.policy
+++ b/seccomp/x86_64/common_device.policy
@@ -2,6 +2,7 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
+@frequency ./common_device.frequency
 brk: 1
 clone: arg0 & CLONE_THREAD
 close: 1
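Review bot: `@frequency ./common_device.frequency` uses a path relative to the policy file, so the frequency file must be installed beside common_device.policy wherever the policies are deployed; the TEST line covers a local deploy, but it is worth confirming that the packaging/install step also copies the new .frequency file, since compiling the policy on a device without it will either fail or silently lose the weighting depending on how the compiler treats a missing file. A one-line comment above the directive saying it only reorders the compiled comparison tree and does not change which syscalls are allowed would save readers of this policy from wondering whether it affects the allowlist.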