Optimize cowfs: skip path read for read-only ops before first write

congwang-mk · congwang-mk · commit 56060f79b835 · 2026-03-16T12:46:40.000-07:00
Signed-off-by: Cong Wang &lt;cwang@multikernel.io&gt;
diff --git a/src/sandlock/_notif.py b/src/sandlock/_notif.py
@@ -652,6 +652,10 @@ def _dispatch(self, notif: SeccompNotif) -> None:
         nr_getdents = _SYSCALL_NR.get("getdents")
 
         if nr in (nr_getdents64, nr_getdents) and self._cow_handler is not None:
+            # Fast path: no changes yet → kernel handles readdir correctly
+            if not self._cow_handler._branch.has_changes:
+                self._respond_continue(notif.id)
+                return
             child_fd_num = notif.data.args[0] & 0xFFFFFFFF
             try:
                 target = os.readlink(f"/proc/{pid}/fd/{child_fd_num}")
@@ -701,6 +705,15 @@ def _dispatch(self, notif: SeccompNotif) -> None:
             # Special arg layouts
             cow_special_nrs = {nr_symlinkat, nr_symlink,
                                nr_linkat, nr_link} - {None}
+            # Read-only COW syscalls — can skip when no changes yet
+            cow_readonly_nrs = {nr_newfstatat, nr_statx, nr_faccessat,
+                                nr_stat, nr_lstat, nr_access,
+                                nr_readlinkat, nr_readlink} - {None}
+
+            # Fast path: read-only COW syscalls with no changes → let kernel handle
+            if nr in cow_readonly_nrs and not self._cow_handler._branch.has_changes:
+                self._respond_continue(notif.id)
+                return
 
             # symlink/link have special arg layouts — handle separately
             if nr in cow_special_nrs:
@@ -900,6 +913,12 @@ def _dispatch(self, notif: SeccompNotif) -> None:
 
         # --- COW: redirect opens under workdir to upper dir ---
         if self._cow_handler is not None and self._cow_handler.matches(path):
+            # Fast path: read-only open with no changes → kernel handles it
+            from .cowfs._handler import _WRITE_FLAGS, O_DIRECTORY
+            is_read_only = not (flags & (_WRITE_FLAGS | O_DIRECTORY))
+            if is_read_only and not self._cow_handler._branch.has_changes:
+                self._respond_continue(notif.id)
+                return
             self._handle_cow_open(notif, path, flags)
             return
 
diff --git a/src/sandlock/cowfs/_branch.py b/src/sandlock/cowfs/_branch.py
@@ -24,6 +24,7 @@ def __init__(self, workdir: Path, storage: Path | None = None):
         self._branch_id: str | None = None
         self._finished = False
         self._deleted: set[str] = set()  # relative paths deleted by sandbox
+        self._has_changes = False  # True after first write or delete
 
     @property
     def workdir(self) -> Path:
@@ -60,9 +61,15 @@ def is_deleted(self, rel_path: str) -> bool:
         """Check if a path has been deleted in this branch."""
         return rel_path in self._deleted
 
+    @property
+    def has_changes(self) -> bool:
+        """True after any write, delete, or metadata change."""
+        return self._has_changes
+
     def mark_deleted(self, rel_path: str) -> None:
         """Mark a path as deleted."""
         self._deleted.add(rel_path)
+        self._has_changes = True
 
     def ensure_cow_copy(self, rel_path: str) -> Path:
         """Ensure a COW copy exists in upper. Returns the upper path.
@@ -72,6 +79,7 @@ def ensure_cow_copy(self, rel_path: str) -> Path:
         Clears any deletion mark for this path.
         """
         self._deleted.discard(rel_path)
+        self._has_changes = True
 
         upper_file = self.upper_dir / rel_path
         lower_file = self._workdir / rel_path
