https://lwn.net/Articles/656307/ This is a special feed containing comments posted to the individual LWN article titled "A seccomp overview". en-us Wed, 30 Oct 2024 21:44:13 +0000 Wed, 30 Oct 2024 21:44:13 +0000 https://www.rssboard.org/rss-specification [email protected] https://lwn.net/Articles/805747/ https://lwn.net/Articles/805747/ krishnatayal <div class="FormattedComment"> Can we use eBPF with seccomp. We need to use map (key value pair) provided in eBPF.<br> </div> Thu, 28 Nov 2019 14:32:01 +0000 https://lwn.net/Articles/656988/ https://lwn.net/Articles/656988/ gebi <div class="FormattedComment"> oh nice, thx for the numbers with JIT enabled.<br> <p> ACK, about the absolute numbers, but it's imho nice that even for this fast syscall case JIT is faster.<br> <p> </div> Wed, 09 Sep 2015 16:18:47 +0000 https://lwn.net/Articles/656937/ https://lwn.net/Articles/656937/ mkerrisk <div class="FormattedComment"> <font class="QuotedText">&gt; Was the getppid() performance test with JIT enabled?</font><br> <p> No it was with the JIT compiler disabled. With the JIT compiler enabled, the cost of the filter was around 15%. <br> <p> But don't overread those numbers. They're just examples to indicate that there is overhead. The relative figures will vary according to the complexity/cost of the system call, the cost of the filter, and other factors. In some simple experiments that I ran with very large (but pretty "dumb") filters, the JIT compiler could improve performance by nearly 10x in some cases.<br> <p> My getppid() test program can be found at <a href="http://man7.org/tlpi/code/online/dist/seccomp/seccomp_perf.c.html">http://man7.org/tlpi/code/online/dist/seccomp/seccomp_per...</a><br> </div> Wed, 09 Sep 2015 12:22:23 +0000 https://lwn.net/Articles/656936/ https://lwn.net/Articles/656936/ nix <blockquote> It would be great if the article estimated the LOC of filter code vs the LOC of "surface" it is trying to protect </blockquote> Since this is protecting other processes from buggy userspace code, which can be any length, that's impossible. <p> (The disparity can be enormous -- e.g. perhaps the first thing ever sandboxed with seccomp was the Chromium renderer process: *part* of that is WebKit (now Blink) which takes about an hour just to compile...) Wed, 09 Sep 2015 10:44:43 +0000 https://lwn.net/Articles/656777/ https://lwn.net/Articles/656777/ gebi <div class="FormattedComment"> Was the getppid() performance test with JIT enabled?<br> </div> Mon, 07 Sep 2015 12:47:24 +0000 https://lwn.net/Articles/656737/ https://lwn.net/Articles/656737/ robert_s <div class="FormattedComment"> It is trying to do a very different thing from selinux though.<br> </div> Sun, 06 Sep 2015 21:49:12 +0000 https://lwn.net/Articles/656670/ https://lwn.net/Articles/656670/ kjp <div class="FormattedComment"> Well, at least it seems simpler than selinux. It would be great if the article estimated the LOC of filter code vs the LOC of "surface" it is trying to protect.<br> </div> Fri, 04 Sep 2015 19:27:46 +0000