5bacd7805a
kprobe example that demonstrates what future seccomp programs may look like.
It attaches to seccomp_phase1() function and tail-calls other BPF programs
depending on syscall number.

Existing optimized classic BPF seccomp programs generated by Chrome look like:
if (sd.nr < 121) {
  if (sd.nr < 57) {
    if (sd.nr < 22) {
      if (sd.nr < 7) {
        if (sd.nr < 4) {
          if (sd.nr < 1) {
            check sys_read
          } else {
            if (sd.nr < 3) {
              check sys_write and sys_open
            } else {
              check sys_close
            }
          }
        } else {
      } else {
    } else {
  } else {
} else {
}

the future seccomp using native eBPF may look like:
  bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
which is simpler, faster and leaves more room for per-syscall checks.

Usage:
$ sudo ./tracex5
<...>-366 [001] d... 4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
<...>-369 [003] d... 4.870066: : mmap
<...>-369 [003] d... 4.870077: : syscall=110 (one of get/set uid/pid/gid)
<...>-369 [003] d... 4.870089: : syscall=107 (one of get/set uid/pid/gid)
sh-369 [000] d... 4.891740: : read(fd=0, buf=00000000023d1000, size=512)
sh-369 [000] d... 4.891747: : write(fd=1, buf=00000000023d3000, size=512)
sh-369 [000] d... 4.891747: : read(fd=1, buf=00000000023d3000, size=512)

Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Makefile
# kbuild trick to avoid linker error. Can be omitted if a module is built.
obj- := dummy.o

# Host (user-space) programs to build, kept in their original order.
# tracex5 is the seccomp_phase1() kprobe sample that tail-calls one BPF
# program per syscall number.
# NOTE(review): as a kprobe program it presumably only observes/traces and
# cannot deny a syscall the way a seccomp filter does -- confirm before
# treating it as anything more than an illustration of the dispatch shape.
hostprogs-y := test_verifier test_maps \
               sock_example \
               sockex1 sockex2 \
               tracex1 tracex2 tracex3 tracex4 tracex5

# Objects linked into each host program. The first three need only libbpf.o;
# every sockex*/tracex* program also links bpf_load.o and its own <name>_user.o.
test_verifier-objs := test_verifier.o libbpf.o
test_maps-objs     := test_maps.o libbpf.o
sock_example-objs  := sock_example.o libbpf.o
sockex1-objs       := bpf_load.o libbpf.o sockex1_user.o
sockex2-objs       := bpf_load.o libbpf.o sockex2_user.o
tracex1-objs       := bpf_load.o libbpf.o tracex1_user.o
tracex2-objs       := bpf_load.o libbpf.o tracex2_user.o
tracex3-objs       := bpf_load.o libbpf.o tracex3_user.o
tracex4-objs       := bpf_load.o libbpf.o tracex4_user.o
tracex5-objs       := bpf_load.o libbpf.o tracex5_user.o

# Tell kbuild to always build the host programs and the BPF-side *_kern.o
# objects. tcbpf1_kern.o has no matching host program in hostprogs-y.
always := $(hostprogs-y) \
          sockex1_kern.o sockex2_kern.o \
          tracex1_kern.o tracex2_kern.o tracex3_kern.o \
          tracex4_kern.o tracex5_kern.o \
          tcbpf1_kern.o

# Put $(objtree)/usr/include on the include path of every host compile.
# NOTE(review): presumably so the samples build against this tree's exported
# headers rather than whatever the host has installed -- confirm.
HOSTCFLAGS += -I$(objtree)/usr/include

# bpf_load.o gets the same include path, plus -Wno-unused-variable for that
# one object only.
HOSTCFLAGS_bpf_load.o += -I$(objtree)/usr/include -Wno-unused-variable

# Extra link libraries: every program that links bpf_load.o gets -lelf
# (presumably bpf_load.o uses libelf -- confirm); tracex4 additionally
# needs -lrt.
HOSTLOADLIBES_sockex1 += -lelf
HOSTLOADLIBES_sockex2 += -lelf
HOSTLOADLIBES_tracex1 += -lelf
HOSTLOADLIBES_tracex2 += -lelf
HOSTLOADLIBES_tracex3 += -lelf
HOSTLOADLIBES_tracex4 += -lelf -lrt
HOSTLOADLIBES_tracex5 += -lelf

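# Toolchain used for the BPF objects. Both names can be overridden from the
# environment or the make command line (e.g. `make ... LLC=/path/to/llc`)
# instead of editing this file.
#
# LLC must point to an LLVM backend with bpf support; the default is the
# location of a local debug build under $(srctree)/tools/bpf/llvm.
# CLANG defaults to an unqualified `clang`, which is looked up on PATH.
#
# The objects produced here are loaded into the running kernel by loaders that
# are run as root (e.g. `sudo ./tracex5`), so CLANG and LLC should resolve to
# toolchain binaries you trust.
CLANG ?= clang
LLC ?= $(srctree)/tools/bpf/llvm/bld/Debug+Asserts/bin/llc

# Compile a C source to LLVM bitcode with clang and pipe it on stdout
# (`-o -`) into llc, which writes the BPF object file $@.
#
# NOTE(review): under a plain POSIX shell the status of this pipeline is the
# status of $(LLC) alone, so a clang failure stops the build only if llc then
# rejects the input it was given. Check that a failed compile cannot leave a
# *_kern.o behind that looks up to date.
$(obj)/%.o: $(src)/%.c
	$(CLANG) $(NOSTDINC_FLAGS) $(LINUXINCLUDE) $(EXTRA_CFLAGS) \
		-D__KERNEL__ -Wno-unused-value -Wno-pointer-sign \
		-O2 -emit-llvm -c $< -o - | $(LLC) -march=bpf -filetype=obj -o $@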