This mirrors what
d75615f398a0fbf986cf03924462863ca6ee2f9f did for nspawn.
It isn't really a fatal failure if we can't set that, so ignore it if libseccomp
cannot set the attribute.
line OP JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 ld $data[4]
0001: 0x15 0x00 0xb7 0x40000003 jeq
1073741827 true:0002 false:0185
0002: 0x20 0x00 0x00 0x00000000 ld $data[0]
0003: 0x15 0xb5 0x00 0x00000000 jeq 0 true:0185 false:0004
0004: 0x15 0xb4 0x00 0x00000001 jeq 1 true:0185 false:0005
0005: 0x15 0xb3 0x00 0x00000002 jeq 2 true:0185 false:0006
0006: 0x15 0xb2 0x00 0x00000003 jeq 3 true:0185 false:0007
0007: 0x15 0xb1 0x00 0x00000004 jeq 4 true:0185 false:0008
0008: 0x15 0xb0 0x00 0x00000005 jeq 5 true:0185 false:0009
0009: 0x15 0xaf 0x00 0x00000006 jeq 6 true:0185 false:0010
...
0438: 0x15 0x03 0x00 0x000001be jeq 446 true:0442 false:0439
0439: 0x15 0x02 0x00 0x000001bf jeq 447 true:0442 false:0440
0440: 0x15 0x01 0x00 0x000001c0 jeq 448 true:0442 false:0441
0441: 0x06 0x00 0x00 0x00050026 ret ERRNO(38)
0442: 0x06 0x00 0x00 0x7fff0000 ret ALLOW
line OP JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 ld $data[4]
0001: 0x15 0x00 0x27 0x40000003 jeq
1073741827 true:0002 false:0041
0002: 0x20 0x00 0x00 0x00000000 ld $data[0]
0003: 0x25 0x01 0x00 0x000000b5 jgt 181 true:0005 false:0004
0004: 0x05 0x00 0x00 0x00000143 jmp 0328
0005: 0x25 0x00 0xa1 0x00000139 jgt 313 true:0006 false:0167
0006: 0x25 0x00 0x51 0x00000179 jgt 377 true:0007 false:0088
0007: 0x25 0x00 0x29 0x000001a0 jgt 416 true:0008 false:0049
0008: 0x25 0x00 0x13 0x000001b0 jgt 432 true:0009 false:0028
0009: 0x25 0x00 0x09 0x000001b8 jgt 440 true:0010 false:0019
...
0551: 0x15 0x03 0x00 0x00000002 jeq 2 true:0555 false:0552
0552: 0x15 0x02 0x01 0x00000001 jeq 1 true:0555 false:0554
0553: 0x15 0x01 0x00 0x00000000 jeq 0 true:0555 false:0554
0554: 0x06 0x00 0x00 0x00050026 ret ERRNO(38)
0555: 0x06 0x00 0x00 0x7fff0000 ret ALLOW
The program is longer but hopefully faster because of the binary search.
/* We have a large filter here, so let's turn on the binary tree mode if possible. */
r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
if (r < 0)
- return r;
+ log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
#endif
return 0;
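Review bot: The new `log_warning_errno()` call logs at warning level for a failure the commit itself treats as harmless, and the same line is added in the later hunk just before `seccomp_load(seccomp)`. The version guard (its `#if` is outside the visible lines here and is spelled out in the later hunk) is a build-time check, so if the libseccomp loaded at run time rejects the attribute, every filter built through these paths would presumably emit the warning. Consider `log_debug_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");`. Alternatively keep the level and extend the comment to say why ignoring is safe: per the commit description, a failure only loses the binary-search layout, and the filter's verdicts are expected to stay the same. The enclosing function starts outside the hunk.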
name, id);
}
+#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
+ /* We have a large filter here, so let's turn on the binary tree mode if possible. */
+ r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+ if (r < 0)
+ log_warning_errno(r, "Failed to set SCMP_FLTATR_CTL_OPTIMIZE, ignoring: %m");
+#endif
+
r = seccomp_load(seccomp);
if (ERRNO_IS_NEG_SECCOMP_FATAL(r))
return r;
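Review bot: The comment `We have a large filter here` was carried over with the block, but in this function the filter size presumably depends on the set the caller passes in, which is not visible in the hunk. A wording such as `/* Filter sets can be large; ask libseccomp for binary tree mode (optimization level 2), best effort. */` would also explain the bare `2`. The five added lines otherwise repeat the block from the earlier hunk with only the context variable changed (`ctx` there, `seccomp` here), so the two copies have to be kept in sync by hand. The enclosing function starts and ends outside the hunk.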