core: turn on higher optimization level in seccomp

keszybz · keszybz · commit e6c5386dee48 · 2023-12-02T01:21:53.000+01:00
This mirrors what d75615f did for nspawn. It isn't really a fatal failure if we can't set that, so ignore it in libseccomp cannot set the attribute. line OP JT JF K ================================= 0000: 0x20 0x00 0x00 0x00000004 ld $data[4] 0001: 0x15 0x00 0xb7 0x40000003 jeq 1073741827 true:0002 false:0185 0002: 0x20 0x00 0x00 0x00000000 ld $data[0] 0003: 0x15 0xb5 0x00 0x00000000 jeq 0 true:0185 false:0004 0004: 0x15 0xb4 0x00 0x00000001 jeq 1 true:0185 false:0005 0005: 0x15 0xb3 0x00 0x00000002 jeq 2 true:0185 false:0006 0006: 0x15 0xb2 0x00 0x00000003 jeq 3 true:0185 false:0007 0007: 0x15 0xb1 0x00 0x00000004 jeq 4 true:0185 false:0008 0008: 0x15 0xb0 0x00 0x00000005 jeq 5 true:0185 false:0009 0009: 0x15 0xaf 0x00 0x00000006 jeq 6 true:0185 false:0010 ... 0438: 0x15 0x03 0x00 0x000001be jeq 446 true:0442 false:0439 0439: 0x15 0x02 0x00 0x000001bf jeq 447 true:0442 false:0440 0440: 0x15 0x01 0x00 0x000001c0 jeq 448 true:0442 false:0441 0441: 0x06 0x00 0x00 0x00050026 ret ERRNO(38) 0442: 0x06 0x00 0x00 0x7fff0000 ret ALLOW line OP JT JF K ================================= 0000: 0x20 0x00 0x00 0x00000004 ld $data[4] 0001: 0x15 0x00 0x27 0x40000003 jeq 1073741827 true:0002 false:0041 0002: 0x20 0x00 0x00 0x00000000 ld $data[0] 0003: 0x25 0x01 0x00 0x000000b5 jgt 181 true:0005 false:0004 0004: 0x05 0x00 0x00 0x00000143 jmp 0328 0005: 0x25 0x00 0xa1 0x00000139 jgt 313 true:0006 false:0167 0006: 0x25 0x00 0x51 0x00000179 jgt 377 true:0007 false:0088 0007: 0x25 0x00 0x29 0x000001a0 jgt 416 true:0008 false:0049 0008: 0x25 0x00 0x13 0x000001b0 jgt 432 true:0009 false:0028 0009: 0x25 0x00 0x09 0x000001b8 jgt 440 true:0010 false:0019 ... 0551: 0x15 0x03 0x00 0x00000002 jeq 2 true:0555 false:0552 0552: 0x15 0x02 0x01 0x00000001 jeq 1 true:0555 false:0554 0553: 0x15 0x01 0x00 0x00000000 jeq 0 true:0555 false:0554 0554: 0x06 0x00 0x00 0x00050026 ret ERRNO(38) 0555: 0x06 0x00 0x00 0x7fff0000 ret ALLOW The program is longer but hopefully faster because of the binary search.
diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
@@ -169,7 +169,7 @@ static int add_syscall_filters(
         /* We have a large filter here, so let's turn on the binary tree mode if possible. */
         r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
         if (r < 0)
-                return r;
+                log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
 #endif
 
         return 0;
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
@@ -1183,6 +1183,13 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* filter
                                                        name, id);
                 }
 
+#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
+                /* We have a large filter here, so let's turn on the binary tree mode if possible. */
+                r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+                if (r < 0)
+                        log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
+#endif
+
                 r = seccomp_load(seccomp);
                 if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
                         return r;
