Re: [RFC v2 09/10] landlock: Handle cgroups (performance)
From: Mickaël Salaün <mic@digikod.net>
Date: 2016-08-27 21:15:46
Also in:
cgroups, linux-api, lkml
On 27/08/2016 22:43, Alexei Starovoitov wrote:
On Sat, Aug 27, 2016 at 09:35:14PM +0200, Mickaël Salaün wrote:quoted
On 27/08/2016 20:06, Alexei Starovoitov wrote:quoted
On Sat, Aug 27, 2016 at 04:06:38PM +0200, Mickaël Salaün wrote:quoted
As said above, Landlock will not run an eBPF programs when not strictly needed. Attaching to a cgroup will have the same performance impact as attaching to a process hierarchy.Having a prog per cgroup per lsm_hook is the only scalable way I could come up with. If you see another way, please propose. current->seccomp.landlock_prog is not the answer.Hum, I don't see the difference from a performance point of view between a cgroup-based or a process hierarchy-based system. Maybe a better option should be to use an array of pointers with N entries, one for each supported hook, instead of a unique pointer list?yes, clearly array dereference is faster than link list walk. Now the question is where to keep this prog_array[num_lsm_hooks] ? Since we cannot keep it inside task_struct, we have to allocate it. Every time the task is creted then. What to do on the fork? That will require changes all over. Then the obvious optimization would be to share this allocated array of prog pointers across multiple tasks... and little by little this new facility will look like cgroup. Hence the suggestion to put this array into cgroup from the start.
I see your point :)
quoted
Anyway, being able to attach an LSM hook program to a cgroup thanks to the new BPF_PROG_ATTACH seems a good idea (while keeping the possibility to use a process hierarchy). The downside will be to handle an LSM hook program which is not triggered by a seccomp-filter, but this should be needed anyway to handle interruptions.what do you mean 'not triggered by seccomp' ? You're not suggesting that this lsm has to enable seccomp to be functional? imo that's non starter due to overhead.
Yes, for now, it is triggered by a new seccomp filter return value RET_LANDLOCK, which can take a 16-bit value called cookie. This must not be needed but could be useful to bind a seccomp filter security policy with a Landlock one. Waiting for Kees's point of view…
Attachments
- signature.asc [application/pgp-signature] 455 bytes