[bpf-next,0/6] bpf: Add seccomp program type

Message ID	20231031012407.51371-1-hengqi.chen@gmail.com (mailing list archive)
Headers	show Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net [23.128.96.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C94CBDF65 for <bpf@vger.kernel.org>; Tue, 31 Oct 2023 06:01:12 +0000 (UTC) From: Hengqi Chen <hengqi.chen@gmail.com> To: bpf@vger.kernel.org Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, keescook@chromium.org, luto@amacapital.net, wad@chromium.org, hengqi.chen@gmail.com Subject: [PATCH bpf-next 0/6] bpf: Add seccomp program type Date: Tue, 31 Oct 2023 01:24:01 +0000 Message-Id: <20231031012407.51371-1-hengqi.chen@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	bpf: Add seccomp program type \| expand [bpf-next,0/6] bpf: Add seccomp program type [bpf-next,1/6] bpf: Introduce BPF_PROG_TYPE_SECCOMP [bpf-next,2/6] bpf: Add test_run support for seccomp program type [bpf-next,3/6] seccomp: Refactor filter copy/create for reuse [bpf-next,4/6] seccomp: Support attaching BPF_PROG_TYPE_SECCOMP progs [bpf-next,5/6] selftests/bpf: Add seccomp verifier tests [bpf-next,6/6] selftests/bpf: Test BPF_PROG_TYPE_SECCOMP

Message ID

20231031012407.51371-1-hengqi.chen@gmail.com (mailing list archive)

Headers

From: Hengqi Chen <hengqi.chen@gmail.com>
To: bpf@vger.kernel.org
Cc: ast@kernel.org,
	daniel@iogearbox.net,
	andrii@kernel.org,
	keescook@chromium.org,
	luto@amacapital.net,
	wad@chromium.org,
	hengqi.chen@gmail.com
Subject: [PATCH bpf-next 0/6] bpf: Add seccomp program type
Date: Tue, 31 Oct 2023 01:24:01 +0000
Message-Id: <20231031012407.51371-1-hengqi.chen@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

bpf: Add seccomp program type | expand

Message

Hengqi Chen Oct. 31, 2023, 1:24 a.m. UTC

This patchset introduces seccomp program type which can be
used to attach to the existing seccomp framework.

The motivation is to enable sharing of seccomp filter through
bpf prog fd and bpffs. With this in place, we can eliminate
a hot path of JITing cBPF program (seccomp filter) where we apply
the same seccomp filter to thousands of micro VMs on a bare metal
instance.

This also allows us to write seccomp filter in an intuitive way,
see selftests for reference.

Hengqi Chen (6):
  bpf: Introduce BPF_PROG_TYPE_SECCOMP
  bpf: Add test_run support for seccomp program type
  seccomp: Refactor filter copy/create for reuse
  seccomp: Support attaching BPF_PROG_TYPE_SECCOMP progs
  selftests/bpf: Add seccomp verifier tests
  selftests/bpf: Test BPF_PROG_TYPE_SECCOMP

 include/linux/bpf.h                           |   3 +
 include/linux/bpf_types.h                     |   4 +
 include/linux/seccomp.h                       |   3 +-
 include/uapi/linux/bpf.h                      |   1 +
 include/uapi/linux/seccomp.h                  |   2 +
 kernel/seccomp.c                              | 142 ++++++++++++++--
 net/bpf/test_run.c                            |  27 +++
 tools/include/uapi/linux/bpf.h                |   1 +
 tools/include/uapi/linux/seccomp.h            |   2 +
 tools/lib/bpf/libbpf.c                        |   2 +
 tools/lib/bpf/libbpf_probes.c                 |   1 +
 .../selftests/bpf/prog_tests/seccomp.c        |  40 +++++
 .../selftests/bpf/prog_tests/verifier.c       |   2 +
 .../selftests/bpf/progs/test_seccomp.c        |  24 +++
 .../selftests/bpf/progs/verifier_seccomp.c    | 154 ++++++++++++++++++
 15 files changed, 390 insertions(+), 18 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/seccomp.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_seccomp.c
 create mode 100644 tools/testing/selftests/bpf/progs/verifier_seccomp.c