From: Oleg Nesterov <oleg@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Kees Cook <keescook@chromium.org>,
LKML <linux-kernel@vger.kernel.org>,
"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>,
Alexei Starovoitov <ast@plumgrid.com>,
Andrew Morton <akpm@linux-foundation.org>,
Daniel Borkmann <dborkman@redhat.com>,
Will Drewry <wad@chromium.org>, Julien Tinnes <jln@chromium.org>,
David Drysdale <drysdale@google.com>,
Linux API <linux-api@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
linux-mips@linux-mips.org,
linux-arch <linux-arch@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v8 5/9] seccomp: split mode set routines
Date: Fri, 27 Jun 2014 21:55:59 +0200 [thread overview]
Message-ID: <20140627195559.GA31661@redhat.com> (raw)
In-Reply-To: <CALCETrVbJqfG6oBaZEjj7H3pPa1oVJx6QXAYc5zZ6o-niV=WKQ@mail.gmail.com>
On 06/27, Andy Lutomirski wrote:
>
> On Fri, Jun 27, 2014 at 12:27 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> > On 06/27, Kees Cook wrote:
> >>
> >> It looks like SMP ARM issues dsb for rmb, which seems a bit expensive.
> >> http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204g/CIHJFGFE.htm
> >>
> >> ...
> >>
> >> I really want to avoid adding anything to the secure_computing()
> >> execution path. :(
> >
> > I must have missed something but I do not understand your concerns.
> >
> > __secure_computing() is not trivial, and we are going to execute the
> > filters. Do you really think rmb() can add the noticeable difference?
> >
> > Not to mention that we can only get here if we take the slow syscall
> > enter path due to TIF_SECCOMP...
> >
>
> On my box, with my fancy multi-phase seccomp patches, the total
> seccomp overhead for a very short filter is about 13ns. Adding a full
> barrier would add several ns, I think.
I am just curious, does this 13ns overhead include the penalty from the
slow syscall enter path triggered by TIF_SECCOMP ?
> Admittedly, this is x86, not ARM, so comparisons here are completely
> bogus. And that read memory barrier doesn't even need an instruction
> on x86. But still, let's try to keep this fast.
Well, I am not going to insist...
But imo it would be better to make it correct in a most simple way, then
we can optimize this code and see if there is a noticeable difference.
Not only we can change the ordering, we can remove the BUG_ON's and just
accept the fact the __secure_computing() can race with sys_seccomp() from
another thread.
If nothing else, it would be much simpler to discuss this patch if it comes
as a separate change.
Oleg.
WARNING: multiple messages have this Message-ID (diff)
From: oleg@redhat.com (Oleg Nesterov)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v8 5/9] seccomp: split mode set routines
Date: Fri, 27 Jun 2014 21:55:59 +0200 [thread overview]
Message-ID: <20140627195559.GA31661@redhat.com> (raw)
In-Reply-To: <CALCETrVbJqfG6oBaZEjj7H3pPa1oVJx6QXAYc5zZ6o-niV=WKQ@mail.gmail.com>
On 06/27, Andy Lutomirski wrote:
>
> On Fri, Jun 27, 2014 at 12:27 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> > On 06/27, Kees Cook wrote:
> >>
> >> It looks like SMP ARM issues dsb for rmb, which seems a bit expensive.
> >> http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204g/CIHJFGFE.htm
> >>
> >> ...
> >>
> >> I really want to avoid adding anything to the secure_computing()
> >> execution path. :(
> >
> > I must have missed something but I do not understand your concerns.
> >
> > __secure_computing() is not trivial, and we are going to execute the
> > filters. Do you really think rmb() can add the noticeable difference?
> >
> > Not to mention that we can only get here if we take the slow syscall
> > enter path due to TIF_SECCOMP...
> >
>
> On my box, with my fancy multi-phase seccomp patches, the total
> seccomp overhead for a very short filter is about 13ns. Adding a full
> barrier would add several ns, I think.
I am just curious, does this 13ns overhead include the penalty from the
slow syscall enter path triggered by TIF_SECCOMP ?
> Admittedly, this is x86, not ARM, so comparisons here are completely
> bogus. And that read memory barrier doesn't even need an instruction
> on x86. But still, let's try to keep this fast.
Well, I am not going to insist...
But imo it would be better to make it correct in a most simple way, then
we can optimize this code and see if there is a noticeable difference.
Not only we can change the ordering, we can remove the BUG_ON's and just
accept the fact the __secure_computing() can race with sys_seccomp() from
another thread.
If nothing else, it would be much simpler to discuss this patch if it comes
as a separate change.
Oleg.
next prev parent reply other threads:[~2014-06-27 19:55 UTC|newest]
Thread overview: 118+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 20:48 [PATCH v8 0/9] seccomp: add thread sync ability Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 1/9] seccomp: create internal mode-setting function Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 2/9] seccomp: split filter prep from check and apply Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 3/9] seccomp: introduce writer locking Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 14:03 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:07 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-25 18:29 ` Oleg Nesterov
2014-06-27 17:27 ` Kees Cook
2014-06-27 17:27 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 4/9] sched: move no_new_privs into new atomic flags Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 13:43 ` Oleg Nesterov
2014-06-25 14:44 ` Kees Cook
2014-06-25 14:44 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 5/9] seccomp: split mode set routines Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 13:51 ` Oleg Nesterov
2014-06-25 14:51 ` Kees Cook
2014-06-25 14:51 ` Kees Cook
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:10 ` Andy Lutomirski
2014-06-25 16:54 ` Kees Cook
2014-06-25 16:54 ` Kees Cook
[not found] ` <CAGXu5j+J11zJnuFR8bYKAXizAHhCx4R+uJE_QH6zC3q2udkpaQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:03 ` Andy Lutomirski
2014-06-25 17:32 ` Oleg Nesterov
2014-06-25 17:32 ` Oleg Nesterov
[not found] ` <20140625173245.GA17695-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:38 ` Andy Lutomirski
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 17:51 ` Oleg Nesterov
2014-06-25 18:00 ` Kees Cook
2014-06-25 18:00 ` Kees Cook
[not found] ` <CAGXu5jL17k6=GXju6x+eLU20FMwBHhnuRiHoQD1Bzj_EmpiKjg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-25 18:07 ` Andy Lutomirski
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:33 ` Kees Cook
2014-06-27 18:39 ` Andy Lutomirski
2014-06-27 18:39 ` Andy Lutomirski
[not found] ` <CALCETrUPxTxseJ=sOhD9CyJPtOqCR5sL8yx7KezLmLZcFSFNMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:52 ` Kees Cook
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 18:56 ` Andy Lutomirski
2014-06-27 19:04 ` Kees Cook
2014-06-27 19:04 ` Kees Cook
[not found] ` <CAGXu5jL5rN6=2-SwHiiEVuGVain-T7Ucg2PsN7u08vQ5Rxz6Mg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:11 ` Andy Lutomirski
2014-06-27 19:27 ` Oleg Nesterov
2014-06-27 19:27 ` Oleg Nesterov
[not found] ` <20140627192753.GA30752-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:31 ` Andy Lutomirski
2014-06-27 19:55 ` Oleg Nesterov [this message]
2014-06-27 19:55 ` Oleg Nesterov
[not found] ` <20140627195559.GA31661-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:08 ` Andy Lutomirski
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-27 20:56 ` Kees Cook
2014-06-25 17:00 ` Oleg Nesterov
2014-06-25 17:00 ` Oleg Nesterov
2014-06-24 20:48 ` [PATCH v8 6/9] seccomp: add "seccomp" syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 7/9] ARM: add seccomp syscall Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 8/9] MIPS: " Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-24 20:48 ` [PATCH v8 9/9] seccomp: implement SECCOMP_FILTER_FLAG_TSYNC Kees Cook
2014-06-24 20:48 ` Kees Cook
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 14:21 ` Oleg Nesterov
2014-06-25 15:08 ` Kees Cook
2014-06-25 15:08 ` Kees Cook
2014-06-25 16:52 ` Oleg Nesterov
2014-06-25 16:52 ` Oleg Nesterov
[not found] ` <20140625165209.GA14720-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:09 ` Kees Cook
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:24 ` Oleg Nesterov
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:40 ` Andy Lutomirski
2014-06-25 17:57 ` Kees Cook
2014-06-25 17:57 ` Kees Cook
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:09 ` Andy Lutomirski
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:25 ` Kees Cook
2014-06-25 18:20 ` Oleg Nesterov
2014-06-25 18:20 ` Oleg Nesterov
[not found] ` <20140625182012.GA19437-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-25 18:31 ` Kees Cook
2014-06-24 20:56 ` [PATCH v8 1/1] man-pages: seccomp.2: document syscall Kees Cook
2014-06-24 20:56 ` Kees Cook
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 13:04 ` One Thousand Gnomes
2014-06-25 15:10 ` Kees Cook
2014-06-25 15:10 ` Kees Cook
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
2014-06-25 17:54 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140627195559.GA31661@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=ast@plumgrid.com \
--cc=dborkman@redhat.com \
--cc=drysdale@google.com \
--cc=jln@chromium.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=wad@chromium.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.