| commit | 7a21ffee7cba39e3f8fa69c72bcf9d48691e46b1 | [log] [tgz] |
|---|---|---|
| author | Luis Hector Chavez <lhchavez@google.com> | Wed Dec 05 16:54:30 2018 -0800 |
| committer | Luis Hector Chavez <lhchavez@google.com> | Mon Mar 25 17:02:26 2019 -0700 |
| tree | c008a2e83c4a644e4d33ec5de86a289e165c3335 | |
| parent | 29c72343333ef5218d5ed3cdab2ab21e51458056 [diff] |
tools/compile_seccomp_policy: Add a new optimizing compiler
This change introduces a new optimizing compiler. Since this new
compiler uses a better intermediate representation, it is able to cut
down a lot of unnecessary unconditional jumps and some families of
unnecessary loads. This alone removes ~20% overhead compared to the
in-process Minijail compiler (with regards to the number of
comparisons/jumps, which correlates linearly with the in-kernel filter
evaluation time).
This compiler also has an optimizing mode that can produce a biased
Binary Search Tree (instead of a linear chain of comparisons), that can
save an additional ~10% overhead (number of comparisons/jumps)
This new compiler also understands a couple more language additions:
* The introduction of the '~' unary operator, which performs a bitwise
complement of the constant that follows it. This will be backported
into the in-process compiler.
* The relaxation of the '|' binary operator while parsing. Spaces can
now be added around this operator.
* The introduction of metadata attributes. For now, only the 'frequency'
attribute is supported, and is used to inform the compiler about the
costs of each individual syscall. Support for ignoring this will be
added into the in-process compiler.
Bug: chromium:856315
Test: ./tools/compiler_unittest.py
Test: ./tools/compile_seccomp_policy.py --optimization-strategy=bst \
test/seccomp.policy test/seccomp.optimized.bpf
Test: ./tools/compile_seccomp_policy.py --optimization-strategy=linear \
test/seccomp.policy test/seccomp.optimized.bpf
Test: minijail0 --seccomp-bpf-binary=test/seccomp.optimized.bpf \
./test_program
Change-Id: I03909c382aa2136a6db3b2e1a418f081396f535b
The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one git clone away from happiness.
$ git clone https://android.googlesource.com/platform/external/minijail $ cd minijail
Releases are tagged as linux-vXX: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
# id uid=0(root) gid=0(root) groups=0(root),128(pkcs11) # minijail0 -u jorgelo -g 5000 /usr/bin/id uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status Name: cat ... CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000000000003000