0

Has this patch been merged or rejected? Or has the discussion just ended without evolving? Maybe the fact that seccomp filters can be rewritten as binary trees is enough not to add hash map support for seccomp?

https://groups.google.com/forum/#!msg/libseccomp/pX6QkVF0F74/ZUJlwI5qAwAJ

Yes, I struggle to follow kernel patch discussions and to understand whether they are merged or not XD :(

Maicake
  • 1,046
  • 10
  • 34

1 Answer

2

That patch has not been merged. seccomp-bpf still doesn't support eBPF bytecode or even just maps. It seems unlikely that seccomp-bpf will ever rely on eBPF instead of cBPF.

Binary trees were indeed considered a good enough solution for anyone who needs very high seccomp-bpf performance. Although I don't think libseccomp supports binary trees yet.

pchaigno
  • 11,313
  • 2
  • 29
  • 54
  • Ok so (correct me) the patch would enable eBPF seccomp (also with maps) at the kernel level (so I imagine I could use eBPF seccomp also without libseccomp) and accordingly modify the libseccomp interface. But this won't happen because the maintainer doesn't want to bring eBPF to unprivileged users. So the one I reported in this topic and this https://lists.linuxfoundation.org/pipermail/containers/2018-February/038477.html are the only two attempts to bring eBPF to seccomp (just to have an idea). Thanks – Maicake Sep 17 '19 at 14:58
  • 1
    Yes. Another reason for not wanting seccomp-ebpf is that seccomp is a very critical piece of code and the maintainers prefer to stay conservative in bringing new features (eBPF has had many more bugs than cBPF). And yes, they're the only seccomp-ebpf patches I know too. – pchaigno Sep 17 '19 at 20:29
  • Is it possible to apply the patch to the kernel and run some tests? To which kernel version should I apply the patch? – Maicake Sep 19 '19 at 15:18
  • 1
    Looks like Sargun's patch is based on net-next, so you'd have to check out a net-next version from around that date. It might also work on the latest net-next. For Tom's patch, I don't know on which subsystem it's based. You could try mainline, seccomp's, and bpf's maybe. – pchaigno Sep 19 '19 at 15:29
  • Reading Sargun's patch again (the one I linked in the comments), it seems to me (not a kernel guy) that, roughly, the main changes are: adding the new BPF seccomp program type, adding the related verifier structs, and adding the code to prepare the extended filter. But would the eBPF program in the end work as if it received a packet (like in cBPF)? – Maicake Nov 28 '19 at 15:42
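The answer's point that a binary tree in classic BPF is "good enough" for high-performance seccomp filters, and the last comment's question about what the program actually sees as input, can both be made concrete with an added example. The code below is written for this page and is not from the original post, from libseccomp, or from either kernel patch. It lays out one syscall allowlist twice in cBPF, once as the usual linear chain of JEQ tests and once as a binary search tree, and runs both through a tiny userspace interpreter on a `struct seccomp_data` (the "packet" a seccomp cBPF program reads) so the number of executed instructions can be compared offline. It assumes an x86-64 host (`AUDIT_ARCH_X86_64`) and the allowlist is a constructed sample, not a recommended policy.

```c
/* Added example (not from the original post, libseccomp or the kernel patches):
 * seccomp-bpf allowlist as a cBPF binary search tree vs. a linear JEQ chain,
 * evaluated with a minimal userspace cBPF interpreter. Assumes x86-64. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define THIS_ARCH AUDIT_ARCH_X86_64   /* assumption: x86-64 host; change for other arches */
#define MAX_INSNS 256
struct filter_buf { struct sock_filter insn[MAX_INSNS]; size_t len; };

/* Constructed sample allowlist; order does not matter, build_tree sorts a copy. */
static const int ALLOWED[] = {
    __NR_read, __NR_write, __NR_close, __NR_fstat, __NR_lseek, __NR_mmap,
    __NR_mprotect, __NR_munmap, __NR_brk, __NR_rt_sigaction, __NR_rt_sigprocmask,
    __NR_rt_sigreturn, __NR_ioctl, __NR_readv, __NR_writev, __NR_exit,
    __NR_exit_group, __NR_openat, __NR_futex, __NR_clock_gettime, __NR_getrandom,
    __NR_set_tid_address, __NR_set_robust_list, __NR_prlimit64, __NR_getpid };
#define NALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Append one instruction; returns its index so forward jumps can be patched later. */
static size_t emit(struct filter_buf *f, uint16_t code, uint8_t jt, uint8_t jf, uint32_t k)
{
    f->insn[f->len] = (struct sock_filter){ code, jt, jf, k };
    return f->len++;
}

/* Shared prologue: kill on a foreign arch (syscall numbers differ), then load nr into A. */
static void emit_prologue(struct filter_buf *f)
{
    f->len = 0;
    emit(f, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, arch));
    emit(f, BPF_JMP | BPF_JEQ | BPF_K, 1, 0, THIS_ARCH);
    emit(f, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS);
    emit(f, BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct seccomp_data, nr));
}

/* Linear layout: n JEQ tests in a row, each a forward jump to the final RET ALLOW. */
static int build_linear(struct filter_buf *f, const int *allowed, size_t n)
{
    if (n > 255 || n + 6 > MAX_INSNS) return -1;   /* jt/jf offsets are 8 bits wide */
    emit_prologue(f);
    for (size_t i = 0; i < n; i++)
        emit(f, BPF_JMP | BPF_JEQ | BPF_K, (uint8_t)(n - i), 0, (uint32_t)allowed[i]);
    emit(f, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS);
    emit(f, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    return 0;
}

/* Tree node over sorted[lo, hi): JEQ mid -> ALLOW; JGT mid -> right half; else left half. */
static int tree_node(struct filter_buf *f, const int *sorted, size_t lo, size_t hi)
{
    if (f->len + 3 > MAX_INSNS) return -1;
    if (lo == hi) { emit(f, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL_PROCESS); return 0; }
    size_t mid = lo + (hi - lo) / 2;
    uint32_t v = (uint32_t)sorted[mid];
    emit(f, BPF_JMP | BPF_JEQ | BPF_K, 0, 1, v);
    emit(f, BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW);
    size_t jgt = emit(f, BPF_JMP | BPF_JGT | BPF_K, 0, 0, v);  /* jt patched below */
    if (tree_node(f, sorted, lo, mid)) return -1;              /* nr < v falls through here */
    size_t off = f->len - (jgt + 1);
    if (off > 255) return -1;
    f->insn[jgt].jt = (uint8_t)off;
    return tree_node(f, sorted, mid + 1, hi);                  /* nr > v jumps here */
}

static int build_tree(struct filter_buf *f, const int *allowed, size_t n)
{
    int sorted[MAX_INSNS];
    if (n > MAX_INSNS) return -1;
    memcpy(sorted, allowed, n * sizeof *sorted);
    for (size_t i = 1; i < n; i++)   /* insertion sort: the tree needs ascending order */
        for (size_t j = i; j > 0 && sorted[j - 1] > sorted[j]; j--) {
            int t = sorted[j]; sorted[j] = sorted[j - 1]; sorted[j - 1] = t;
        }
    emit_prologue(f);
    return tree_node(f, sorted, 0, n);
}

/* Minimal cBPF interpreter for the four opcodes used above; counts executed instructions. */
static uint32_t run_filter(const struct filter_buf *f, const struct seccomp_data *d, size_t *steps)
{
    uint32_t A = 0;
    *steps = 0;
    for (size_t pc = 0; pc < f->len; pc++) {
        const struct sock_filter *i = &f->insn[pc];
        (*steps)++;
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&A, (const char *)d + i->k, sizeof A); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (A == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JGT | BPF_K: pc += (A > i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K: return i->k;
        default: return SECCOMP_RET_KILL_PROCESS;   /* opcode outside this toy interpreter */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* the kernel rejects filters that can run off the end */
}

/* Real installation, not exercised offline: no_new_privs, then SECCOMP_MODE_FILTER. */
static int install_filter(const struct filter_buf *f)
{
    struct sock_fprog prog = { .len = (unsigned short)f->len, .filter = (struct sock_filter *)f->insn };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

Build both filters from `ALLOWED` and run a denied syscall such as `__NR_execve` through `run_filter`: the linear chain executes one instruction per allowlist entry before reaching `RET KILL`, while the tree executes about two per level of the search, so the gap grows with the size of the allowlist. The tree costs more instructions in total (three per entry plus one leaf per gap), which is the trade that makes it "good enough" rather than free. `install_filter` is included to show the only two syscalls needed to enforce the result without libseccomp; the `THIS_ARCH` check in the prologue matters because the same filter installed on another architecture would otherwise match different syscalls.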