commit | 7a21ffee7cba39e3f8fa69c72bcf9d48691e46b1 | |
---|---|---|
author | Luis Hector Chavez <lhchavez@google.com> | Wed Dec 05 16:54:30 2018 -0800 |
committer | Luis Hector Chavez <lhchavez@google.com> | Mon Mar 25 17:02:26 2019 -0700 |
tree | c008a2e83c4a644e4d33ec5de86a289e165c3335 | |
parent | 29c72343333ef5218d5ed3cdab2ab21e51458056 | |
tools/compile_seccomp_policy: Add a new optimizing compiler

This change introduces a new optimizing compiler. Since this new compiler uses a better intermediate representation, it is able to cut down a lot of unnecessary unconditional jumps and some families of unnecessary loads. This alone removes ~20% overhead compared to the in-process Minijail compiler (with regards to the number of comparisons/jumps, which correlates linearly with the in-kernel filter evaluation time).

This compiler also has an optimizing mode that can produce a biased Binary Search Tree (instead of a linear chain of comparisons), that can save an additional ~10% overhead (number of comparisons/jumps)

This new compiler also understands a couple more language additions:

* The introduction of the '~' unary operator, which performs a bitwise complement of the constant that follows it. This will be backported into the in-process compiler.
* The relaxation of the '|' binary operator while parsing. Spaces can now be added around this operator.
* The introduction of metadata attributes. For now, only the 'frequency' attribute is supported, and is used to inform the compiler about the costs of each individual syscall. Support for ignoring this will be added into the in-process compiler.

Bug: chromium:856315

Test: ./tools/compiler_unittest.py

Test: ./tools/compile_seccomp_policy.py --optimization-strategy=bst \
      test/seccomp.policy test/seccomp.optimized.bpf

Test: ./tools/compile_seccomp_policy.py --optimization-strategy=linear \
      test/seccomp.policy test/seccomp.optimized.bpf

Test: minijail0 --seccomp-bpf-binary=test/seccomp.optimized.bpf \
      ./test_program

Change-Id: I03909c382aa2136a6db3b2e1a418f081396f535b

The Minijail homepage and main repo is https://android.googlesource.com/platform/external/minijail/.
There might be other copies floating around, but this is the official one!
Minijail is a sandboxing and containment tool used in Chrome OS and Android. It provides an executable that can be used to launch and sandbox other programs, and a library that can be used by code to sandbox itself.
You're one `git clone` away from happiness.

```
$ git clone https://android.googlesource.com/platform/external/minijail
$ cd minijail
```
Releases are tagged as `linux-vXX`: https://android.googlesource.com/platform/external/minijail/+refs
See the HACKING.md document for more details.
See the RELEASE.md document for more details.
We've got a couple of contact points.
The following talk serves as a good introduction to Minijail and how it can be used.
The Chromium OS project has a comprehensive sandboxing document that is largely based on Minijail.
After you play with the simple examples below, you should check that out.
```
# id
uid=0(root) gid=0(root) groups=0(root),128(pkcs11)
# minijail0 -u jorgelo -g 5000 /usr/bin/id
uid=72178(jorgelo) gid=5000(eng) groups=5000(eng)
```

```
# minijail0 -u jorgelo -c 3000 -- /bin/cat /proc/self/status
Name: cat
...
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000000000003000
```
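The `-c 3000` argument and the `Cap*` lines in the output above are hexadecimal capability bitmasks. The following is an added example, not part of the Minijail README or source, that decodes such masks and reports any capability outside an allow-list. The function names and both sample status dumps are constructed for illustration.

```python
# Added example: decode the Cap* masks of a /proc/<pid>/status dump and list
# any capability that is present but was not meant to survive the sandbox.

# Capability names by bit number, from <linux/capability.h> (bit 0 = CAP_CHOWN).
CAP_NAMES = ["CAP_" + n for n in (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()]
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def decode_mask(mask):
    """Names of the capabilities set in an integer mask (unknown bits as CAP_<n>)."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else "CAP_%d" % b
            for b in range(mask.bit_length()) if mask >> b & 1]

def mask_for(names):
    """Hex mask for a list of capability names, in the form given to `-c` above."""
    return "%x" % sum(1 << CAP_NAMES.index(n) for n in set(names))

def parse_cap_sets(status_text):
    """Extract {set name: integer mask} from the text of /proc/<pid>/status."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in CAP_SETS:
            sets[key.strip()] = int(value.strip(), 16)
    return sets

def unexpected_caps(status_text, allowed):
    """Return {set name: [capabilities outside `allowed`]}; empty when clean."""
    allowed_mask = int(mask_for(allowed), 16)
    return {name: decode_mask(mask & ~allowed_mask)
            for name, mask in parse_cap_sets(status_text).items()
            if mask & ~allowed_mask}

# Constructed inputs: SANDBOXED repeats the masks shown above; WIDE_BOUNDING is
# a made-up process whose bounding set was left at 38 capabilities.
SANDBOXED = ("Name:\tcat\nCapInh:\t0000000000003000\nCapPrm:\t0000000000003000\n"
             "CapEff:\t0000000000003000\nCapBnd:\t0000000000003000\n")
WIDE_BOUNDING = ("Name:\tcat\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003000\n"
                 "CapEff:\t0000000000003000\nCapBnd:\t0000003fffffffff\n")

if __name__ == "__main__":
    keep = ["CAP_NET_ADMIN", "CAP_NET_RAW"]
    print("-c", mask_for(keep), "keeps", decode_mask(0x3000))
    for label, text in (("sandboxed", SANDBOXED), ("wide bounding", WIDE_BOUNDING)):
        print(label, unexpected_caps(text, keep) or "no unexpected capabilities")
```

Run against a real process by passing the contents of `/proc/<pid>/status` as `status_text`.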