mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2024-12-04 06:33:54 +00:00
6d2a834827
Add a frequency file that teaches the seccomp compiler to weight the comparison tree in favor of the most frequenctly called syscalls. This frequency file was created by running strace against vm_conciege's pid (e.g., "strace -p PID -ff -e raw=all -o /tmp/strace") when performing a start and stop of a VM, deleting the trace files that weren't for a crosvm process, passing the files to minijail's tools/generate_seccomp_policy.py (using the -frequency option), and combining the results of the frequency file. I rounded the #s to the nearest multiple of 5 and only retained the syscalls that had at least 10 calls. BUG=None TEST=Local build and deploy. Verified that crostini VM still boots and shuts down properly. Used scmp_bpf_disasm to disassemble a few bpf files before and after this change to confirm that with the frequency file the first comparision is "jge 2" (to quickly whitelist syscalls 0 and 1 ['read' and 'write']) instead of a comparison around the middle of the range of syscall numbers that are used. Change-Id: Icace2b5cdbcae6e51cfd67a3034a1a17fdb6d59e Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2005793 Commit-Queue: Matt Delco <delco@chromium.org> Commit-Queue: Stephen Barber <smbarber@chromium.org> Tested-by: Matt Delco <delco@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Auto-Submit: Matt Delco <delco@chromium.org> Reviewed-by: Stephen Barber <smbarber@chromium.org>
46 lines
815 B
Text
46 lines
815 B
Text
# Copyright 2019 The Chromium OS Authors. All rights reserved.
|
|
# Use of this source code is governed by a BSD-style license that can be
|
|
# found in the LICENSE file.
|
|
|
|
@frequency ./common_device.frequency
|
|
brk: 1
|
|
clone: arg0 & CLONE_THREAD
|
|
close: 1
|
|
dup2: 1
|
|
dup: 1
|
|
epoll_create1: 1
|
|
epoll_ctl: 1
|
|
epoll_wait: 1
|
|
eventfd2: 1
|
|
exit: 1
|
|
exit_group: 1
|
|
futex: 1
|
|
getpid: 1
|
|
gettid: 1
|
|
gettimeofday: 1
|
|
kill: 1
|
|
madvise: arg2 == MADV_DONTNEED || arg2 == MADV_DONTDUMP || arg2 == MADV_REMOVE
|
|
mmap: arg2 in ~PROT_EXEC
|
|
mprotect: arg2 in ~PROT_EXEC
|
|
mremap: 1
|
|
munmap: 1
|
|
nanosleep: 1
|
|
pipe2: 1
|
|
poll: 1
|
|
ppoll: 1
|
|
prctl: arg0 == PR_SET_NAME
|
|
read: 1
|
|
readv: 1
|
|
recvfrom: 1
|
|
recvmsg: 1
|
|
restart_syscall: 1
|
|
rt_sigaction: 1
|
|
rt_sigprocmask: 1
|
|
rt_sigreturn: 1
|
|
sched_getaffinity: 1
|
|
sendmsg: 1
|
|
sendto: 1
|
|
set_robust_list: 1
|
|
sigaltstack: 1
|
|
write: 1
|
|
writev: 1
|