Optimize COW fork: bypass seccomp notif via raw fork(2) syscall

Signed-off-by: Cong Wang <cwang@multikernel.io>

Author: congwang-mk

src/sandlock/_checkpoint.py

@@ -412,14 +412,38 @@ def start_child_listener(
 TRIGGER_FORK = b"\x03"
 
 
+import ctypes as _ctypes
+import ctypes.util as _ctypes_util
+import platform as _platform
+
+_libc = _ctypes.CDLL(_ctypes_util.find_library("c"), use_errno=True)
+_libc.syscall.restype = _ctypes.c_long
+_NR_FORK = 57 if _platform.machine() == "x86_64" else None
+
+
+def _raw_fork() -> int:
+    """Raw fork(2) syscall, bypassing glibc clone() wrapper.
+
+    Python's ``os.fork()`` uses ``clone``, which seccomp intercepts
+    via USER_NOTIF for process counting.  The ``fork`` syscall (NR 57)
+    is NOT intercepted, so it goes straight through BPF.
+    """
+    if _NR_FORK is None:
+        return os.fork()
+    pid = _libc.syscall(_ctypes.c_long(_NR_FORK))
+    if pid < 0:
+        err = _ctypes.get_errno()
+        raise OSError(err, os.strerror(err))
+    return pid
+
+
 def clone_ready_loop(control_fd: int, work_fn: "Callable") -> None:
     """Main-thread loop: wait for fork commands, fork and run work_fn.
 
     After init_fn returns, the main thread enters this loop.  It blocks
     on ``os.read()`` (GIL released), so no CPU is wasted.  When the
-    parent sends TRIGGER_FORK, the main thread calls ``os.fork()`` —
-    giving the clone a full COW copy of all memory (including
-    everything init_fn set up in globals/heap).
+    parent sends TRIGGER_FORK, the main thread calls raw ``fork(2)``
+    (not ``os.fork()``), bypassing the seccomp USER_NOTIF round-trip.
 
     Args:
         control_fd: Child's end of the control socket.
@@ -450,7 +474,7 @@ def clone_ready_loop(control_fd: int, work_fn: "Callable") -> None:
                 pass
 
             try:
-                pid = os.fork()
+                pid = _raw_fork()
             except OSError:
                 os.write(control_fd, struct.pack(">I", 0))
                 continue

src/sandlock/_context.py

@@ -97,10 +97,15 @@ def _notif_syscall_names(notif: "NotifPolicy") -> list[str]:
     names = ["openat"]
     if "open" in _SYSCALL_NR:
         names.append("open")
-    # Always intercept clone/fork/vfork/clone3 — the supervisor checks
-    # namespace flags (which BPF can't inspect for clone3) and tracks
-    # process creation.
-    names.extend(["clone", "clone3", "fork", "vfork"])
+    # Intercept clone/clone3/vfork via USER_NOTIF for namespace flag
+    # checks and process counting.  Clone namespace flags are also
+    # blocked by a BPF arg filter as defense in depth.
+    #
+    # The raw fork syscall (NR 57) is NOT intercepted.  It takes no
+    # flags and cannot create namespaces.  The COW fork template uses
+    # raw fork(2) via ctypes to bypass the seccomp notif round-trip.
+    # User code uses os.fork() which calls clone (intercepted).
+    names.extend(["clone", "clone3", "vfork"])
     if notif is not None and notif.allowed_ips:
         names.extend(["connect", "sendto"])
     if notif is not None and notif.port_remap:

src/sandlock/_seccomp.py

@@ -285,16 +285,25 @@ def _build_arg_filters() -> bytes:
     These filters check specific arguments rather than blocking the
     syscall entirely:
 
-    - ioctl(2): Block TIOCSTI (terminal input injection).  Normal
-      terminal I/O and isatty() still work.
-
-    Note: clone/clone3 namespace flag checks are handled in the
-    supervisor via USER_NOTIF, not here.
+    - clone(2): Block namespace flags (CLONE_NEW*) with ERRNO.
+      Plain forks fall through to the main filter (USER_NOTIF if
+      clone is in the notif list, or ALLOW if not).
+    - ioctl(2): Block TIOCSTI (terminal input injection).
     """
     insns = bytearray()
 
-    # --- clone/clone3: handled via USER_NOTIF (namespace flag checks
-    #     and process tracking done in supervisor) ---
+    # --- clone: block namespace creation flags ---
+    nr_clone = _SYSCALL_NR.get("clone")
+    if nr_clone is not None:
+        # Load syscall number
+        insns += _bpf_stmt(BPF_LD | BPF_W | BPF_ABS, OFFSET_NR)
+        # if nr != clone, skip this block (3 instructions ahead)
+        insns += _bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, nr_clone, 0, 3)
+        # Load clone flags (arg0, low 32 bits)
+        insns += _bpf_stmt(BPF_LD | BPF_W | BPF_ABS, OFFSET_ARGS0_LO)
+        # Test: flags & NS_FLAGS → ERRNO if set, fall through if not
+        insns += _bpf_jump(BPF_JMP | BPF_JSET | BPF_K, _CLONE_NS_FLAGS, 0, 1)
+        insns += _bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ERRNO_EPERM)
 
     # --- ioctl: block TIOCSTI (terminal input injection) ---
     # Load syscall number

tests/test_clone.py

@@ -95,5 +95,58 @@ def child_side():
             child.close()
 
 
+class TestMaxProcessesInClone(unittest.TestCase):
+    """Verify that max_processes is enforced inside COW clones.
+
+    The template uses raw fork(2) to bypass seccomp USER_NOTIF, but
+    clones inherit the seccomp filter that intercepts clone (os.fork).
+    Process limits must still be enforced in work().
+    """
+
+    def test_clone_inherits_process_limit(self):
+        """work() cannot fork more than max_processes allows."""
+        import sys
+        import tempfile
+
+        marker = tempfile.mktemp(prefix="sandlock_test_maxproc_")
+
+        def init():
+            pass
+
+        def work():
+            count = 0
+            for _ in range(20):
+                try:
+                    pid = os.fork()
+                    if pid == 0:
+                        os._exit(0)
+                    os.waitpid(pid, 0)
+                    count += 1
+                except OSError:
+                    break
+            with open(marker, "w") as f:
+                f.write(str(count))
+
+        policy = Policy(
+            fs_writable=["/tmp"],
+            fs_readable=[sys.prefix, "/usr", "/lib", "/etc", "/proc", "/dev"],
+            max_processes=5,
+        )
+
+        with Sandbox(policy, init, work) as sb:
+            sb.fork().wait(timeout=10)
+
+        self.assertTrue(os.path.exists(marker))
+        count = int(open(marker).read())
+        os.unlink(marker)
+
+        # max_processes=5: the template's raw fork counts as 1 (via
+        # the supervisor tracking clone3/vfork), so the clone can
+        # fork at most 4 more times.  The exact count depends on
+        # how the supervisor counts, but it must be less than 20.
+        self.assertLess(count, 20, "max_processes not enforced in clone")
+        self.assertGreater(count, 0, "clone couldn't fork at all")
+
+
 if __name__ == "__main__":
     unittest.main()