From b265d1288faf33aad791f6241b569ad284ad909f Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Mon, 7 Mar 2022 19:24:08 -0800 Subject: [PATCH] libct/seccomp: enable binary tree optimization This makes libseccomp produce a BPF which uses a binary tree for syscalls (instead of linear set of if statements). It does not make sense to enable binary tree for small set of rules, so don't do that if we have less than 8 syscalls (the number is chosen arbitrarily). Signed-off-by: Kir Kolyshkin --- libcontainer/seccomp/seccomp_linux.go | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go index 59549f5b4..0cdb2f561 100644 --- a/libcontainer/seccomp/seccomp_linux.go +++ b/libcontainer/seccomp/seccomp_linux.go @@ -111,6 +111,20 @@ func InitSeccomp(config *configs.Seccomp) (int, error) { } } + // Enable libseccomp binary tree optimization for longer rulesets. + // + // The number below chosen semi-arbitrarily, considering the following: + // 1. libseccomp <= 2.5.4 misbehaves when binary tree optimization + // is enabled and there are 0 rules. + // 2. All known libseccomp versions (2.5.0 to 2.5.4) generate a binary + // tree with 4 syscalls per node. + if len(config.Syscalls) > 32 { + if err := filter.SetOptimize(2); err != nil { + // The error is not fatal and is probably means we have older libseccomp. + logrus.Debugf("seccomp binary tree optimization not available: %v", err) + } + } + // Unset no new privs bit if err := filter.SetNoNewPrivsBit(false); err != nil { return -1, fmt.Errorf("error setting no new privileges: %w", err)