seccomp: Provide matching filter for introspection
author: Kees Cook <keescook@chromium.org>, Wed, 2 Aug 2017 22:00:40 +0000 (15:00 -0700)
committer: Kees Cook <keescook@chromium.org>, Mon, 14 Aug 2017 20:46:42 +0000 (13:46 -0700)
commit: deb4de8b31bc5bf21efb6ac31150a01a631cd647
tree: 71ba73a95233cd80446c01105e5242598d22feb2
parent: f3f6e30669c048f47d51ea59df9946a91f551c4c
seccomp: Provide matching filter for introspection

Both the upcoming logging improvements and changes to RET_KILL will need
to know which filter a given seccomp return value originated from. In
order to delay logic processing of result until after the seccomp loop,
this adds a single pointer assignment on matches. This will allow both
log and RET_KILL logic to work off the filter rather than doing more
expensive tests inside the time-critical run_filters loop.

Running tight cycles of getpid() with filters attached shows no measurable
difference in speed.

Suggested-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
kernel/seccomp.c
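The loop the message describes, as an added C model rather than the kernel's own code: rule tables stand in for BPF programs, a newest-first ->prev chain stands in for the task's filter list, and the SECCOMP_RET_* values follow the standard <linux/seccomp.h> encoding. The filter names and the two-filter chain are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Return-value encoding from <linux/seccomp.h>; the lowest action wins. */
#define SECCOMP_RET_KILL   0x00000000U
#define SECCOMP_RET_TRAP   0x00030000U
#define SECCOMP_RET_ERRNO  0x00050000U
#define SECCOMP_RET_ALLOW  0x7fff0000U
#define SECCOMP_RET_ACTION 0x7fff0000U
#define ACTION_ONLY(ret)   ((ret) & SECCOMP_RET_ACTION)

/* Stand-in for struct seccomp_filter: a (syscall nr -> ret) table instead of
 * a BPF program, chained newest-first through ->prev like the kernel's list. */
struct rule { int nr; uint32_t ret; };
struct seccomp_filter {
    const char *name; const struct rule *rules; size_t nrules;
    const struct seccomp_filter *prev;
};

/* Evaluate one filter; syscalls it has no rule for are allowed. */
static uint32_t prog_run(const struct seccomp_filter *f, int nr)
{
    for (size_t i = 0; i < f->nrules; i++)
        if (f->rules[i].nr == nr)
            return f->rules[i].ret;
    return SECCOMP_RET_ALLOW;
}

/* The loop the commit describes: a stricter action replaces the running verdict,
 * and the only work added per match is storing the filter pointer for later use. */
uint32_t run_filters(const struct seccomp_filter *head, int nr,
                     const struct seccomp_filter **match)
{
    uint32_t ret = SECCOMP_RET_ALLOW;
    *match = NULL;                       /* stays NULL if every filter allows */
    for (const struct seccomp_filter *f = head; f; f = f->prev) {
        uint32_t cur_ret = prog_run(f, nr);
        if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
            ret = cur_ret;
            *match = f;
        }
    }
    return ret;
}

/* Constructed chain: "outer" was installed first, "inner" on top of it. */
static const struct rule outer_rules[] = { {1, SECCOMP_RET_ERRNO | 1}, {2, SECCOMP_RET_KILL} };
static const struct rule inner_rules[] = { {1, SECCOMP_RET_TRAP}, {3, SECCOMP_RET_ERRNO | 38} };
const struct seccomp_filter outer = { "outer", outer_rules, 2, NULL };
const struct seccomp_filter inner = { "inner", inner_rules, 2, &outer };
```

After the loop, `*match` tells the caller which filter's action is being enforced, so logging or kill handling can read that filter's state instead of re-running anything inside the loop.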