Dear friends,
this patch series adds support for nested seccomp listeners. It allows container runtimes and other sandboxing software to install seccomp listeners on top of existing ones, which is useful for nested LXC containers and other similar use-cases.
I decided to go with a conservative approach and limit the maximum number of nested listeners to 8 per seccomp filter chain (MAX_LISTENERS_PER_PATH). This is done to avoid dynamic memory allocations in the very hot __seccomp_filter() function, where we use a preallocated static array on the stack to track matched listeners. 8 nested listeners should be enough for almost any practical scenario.
Expecting potential discussions around this patch series, I'm going to present a talk at LPC 2025 about the design and implementation details of this feature [1].
Git tree (based on for-next/seccomp):
v1: https://github.com/mihalicyn/linux/commits/seccomp.mult.listeners.v1
current: https://github.com/mihalicyn/linux/commits/seccomp.mult.listeners
Link: https://lpc.events/event/19/contributions/2241/ [1]
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Will Drewry <wad@chromium.org>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Tycho Andersen <tycho@tycho.pizza>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Stéphane Graber <stgraber@stgraber.org>
Alexander Mikhalitsyn (6):
  seccomp: remove unused argument from seccomp_do_user_notification
  seccomp: prepare seccomp_run_filters() to support more than one listener
  seccomp: limit number of listeners in seccomp tree
  seccomp: handle multiple listeners case
  seccomp: relax has_duplicate_listeners check
  tools/testing/selftests/seccomp: test nested listeners
 .../userspace-api/seccomp_filter.rst          |   6 +
 include/linux/seccomp.h                       |   3 +-
 include/uapi/linux/seccomp.h                  |  13 +-
 kernel/seccomp.c                              |  99 +++++++++--
 tools/include/uapi/linux/seccomp.h            |  13 +-
 tools/testing/selftests/seccomp/seccomp_bpf.c | 162 ++++++++++++++++++
 6 files changed, 269 insertions(+), 27 deletions(-)
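The cover letter's design point (an install-time cap of MAX_LISTENERS_PER_PATH listeners per filter chain so that the hot path can collect matched listeners into a fixed-size array on the stack) is modelled below as an added, stand-alone example. This is not the patch's code and not kernel/seccomp.c: the struct layout, function names, the errno returned when the cap is hit, and the "matches" flag standing in for a filter returning SECCOMP_RET_USER_NOTIF are all assumptions made for illustration.

```c
/* Model of the per-chain listener limit from the cover letter.
 * Added example, not the patch's code; names and errno are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LISTENERS_PER_PATH 8   /* limit stated in the cover letter */

struct filter {
	struct filter *prev;   /* parent filter, NULL at the root of the chain */
	bool has_listener;     /* installed with SECCOMP_FILTER_FLAG_NEW_LISTENER */
	bool matches;          /* constructed: this filter returns USER_NOTIF */
};

/* Count listeners on the path from a leaf filter up to the root. */
static int listeners_on_path(const struct filter *f)
{
	int n = 0;
	for (; f; f = f->prev)
		if (f->has_listener)
			n++;
	return n;
}

/* Install-time check: refuse a new listener once the path already holds
 * MAX_LISTENERS_PER_PATH of them. Returns the new leaf, or NULL with errno set.
 * The errno value is an assumption; the real series may choose differently. */
static struct filter *attach_filter(struct filter *leaf, bool want_listener, bool matches)
{
	if (want_listener && listeners_on_path(leaf) >= MAX_LISTENERS_PER_PATH) {
		errno = EBUSY;
		return NULL;
	}
	struct filter *f = calloc(1, sizeof(*f));
	if (!f)
		return NULL;
	f->prev = leaf;
	f->has_listener = want_listener;
	f->matches = matches;
	return f;
}

/* Run-time walk: collect listeners whose filter matched into a fixed-size
 * array that the install-time limit guarantees cannot overflow. */
static int collect_matched_listeners(const struct filter *leaf,
				     const struct filter *matched[MAX_LISTENERS_PER_PATH])
{
	int n = 0;
	for (const struct filter *f = leaf; f; f = f->prev) {
		if (!f->has_listener || !f->matches)
			continue;
		if (n >= MAX_LISTENERS_PER_PATH)  /* unreachable after attach_filter's check */
			abort();
		matched[n++] = f;
	}
	return n;
}

static void free_chain(struct filter *leaf)
{
	while (leaf) {
		struct filter *prev = leaf->prev;
		free(leaf);
		leaf = prev;
	}
}

/* Attach listener filters until the cap refuses one; returns how many succeeded. */
static int max_attachable_listeners(void)
{
	struct filter *leaf = NULL, *next;
	int n = 0;
	/* a plain (non-listener) filter never counts against the cap */
	leaf = attach_filter(leaf, false, false);
	while ((next = attach_filter(leaf, true, true)) != NULL) {
		leaf = next;
		n++;
	}
	free_chain(leaf);
	return n;
}

/* Build a chain with nlisteners matching listeners (plus one non-matching one)
 * and return how many the run-time walk collects. */
static int matched_listeners_in_chain(int nlisteners)
{
	struct filter *leaf = attach_filter(NULL, true, false); /* listener, no match */
	for (int i = 0; i < nlisteners; i++)
		leaf = attach_filter(leaf, true, true);
	const struct filter *matched[MAX_LISTENERS_PER_PATH];
	int n = collect_matched_listeners(leaf, matched);
	free_chain(leaf);
	return n;
}

int main(void)
{
	printf("attachable listeners per path: %d\n", max_attachable_listeners());
	printf("matched in a 5-listener chain: %d\n", matched_listeners_in_chain(5));
	return 0;
}
```

The point of the model is the pairing: the cap is enforced once, where a filter is attached, so the per-syscall walk can use a stack array and never allocate. A real nested-listener set-up (several SECCOMP_FILTER_FLAG_NEW_LISTENER installs in one task) needs a kernel carrying this series; on kernels without it the second install is refused by the has_duplicate_listeners check the series relaxes.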