mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2024-11-28 17:44:10 +00:00
6d2a834827
Add a frequency file that teaches the seccomp compiler to weight the comparison tree in favor of the most frequently called syscalls.

This frequency file was created by running strace against vm_concierge's pid (e.g., "strace -p PID -ff -e raw=all -o /tmp/strace") when performing a start and stop of a VM, deleting the trace files that weren't for a crosvm process, passing the files to minijail's tools/generate_seccomp_policy.py (using the -frequency option), and combining the results of the frequency file. I rounded the #s to the nearest multiple of 5 and only retained the syscalls that had at least 10 calls.

BUG=None
TEST=Local build and deploy. Verified that crostini VM still boots and shuts down properly. Used scmp_bpf_disasm to disassemble a few bpf files before and after this change to confirm that with the frequency file the first comparison is "jge 2" (to quickly whitelist syscalls 0 and 1 ['read' and 'write']) instead of a comparison around the middle of the range of syscall numbers that are used.

Change-Id: Icace2b5cdbcae6e51cfd67a3034a1a17fdb6d59e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2005793
Commit-Queue: Matt Delco <delco@chromium.org>
Commit-Queue: Stephen Barber <smbarber@chromium.org>
Tested-by: Matt Delco <delco@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Auto-Submit: Matt Delco <delco@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
45 lines
663 B
Text
# Copyright 2020 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

capget: 30
capset: 30
chdir: 30
chroot: 15
clone: 30
close: 1185
dup: 50
dup2: 160
epoll_ctl: 25
epoll_wait: 90
eventfd2: 75
exit: 15
exit_group: 15
fchdir: 30
fstat: 90
futex: 20
getdents: 55
ioctl: 350
mmap: 95
mount: 45
mprotect: 45
openat: 515
pipe: 15
pivot_root: 15
prctl: 570
prlimit64: 15
read: 82415
recvmsg: 85
restart_syscall: 15
rt_sigaction: 20
rt_sigreturn: 15
seccomp: 25
sendmsg: 390
setsockopt: 30
socket: 20
socketpair: 30
stat: 30
umount2: 15
unshare: 30
wait4: 20
write: 56100
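The combine, threshold and round step the commit message describes, as an added example that is not crosvm's or minijail's code: it merges several per-process "syscall: count" files of the format shown above, drops syscalls with fewer than 10 calls, and rounds the rest to the nearest multiple of 5. The input files are constructed, and applying the threshold to the raw summed count before rounding is an assumption.

```python
from collections import Counter

MIN_CALLS = 10  # drop syscalls whose raw summed count is below this (assumption: pre-rounding)
ROUND_TO = 5    # round retained counts to the nearest multiple of this


def parse_frequency(text):
    """Parse one frequency file into {syscall: count}; '#' comments and blank lines are skipped."""
    counts = Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip().isdigit():
            raise ValueError(f"line {lineno}: expected 'syscall: count', got {raw!r}")
        counts[name.strip()] += int(value)
    return counts


def round_to_nearest(n, step=ROUND_TO):
    """Round a non-negative integer to the nearest multiple of step (12 -> 10, 13 -> 15)."""
    return (n + step // 2) // step * step


def merge_frequencies(files, min_calls=MIN_CALLS):
    """Sum counts across files, drop rare syscalls, round the survivors; keys sorted by name."""
    total = Counter()
    for text in files:
        total.update(parse_frequency(text))
    return {name: round_to_nearest(n) for name, n in sorted(total.items()) if n >= min_calls}


def format_frequency(merged):
    """Render in the same 'name: count' layout the seccomp compiler reads."""
    return "".join(f"{name}: {count}\n" for name, count in merged.items())


# Constructed sample input standing in for two per-process strace-derived frequency files.
SAMPLE_FILES = [
    "# pid 1234 (constructed)\nread: 41207\nwrite: 28051\nclose: 592\nchroot: 8\nioctl: 173\n",
    "read: 41206\nwrite: 28051\nclose: 591\nchroot: 7\ngetpid: 3\n",
]

if __name__ == "__main__":
    # getpid (3 calls) is dropped; the others are summed and rounded
    print(format_frequency(merge_frequencies(SAMPLE_FILES)), end="")
```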