From 1a7a8228584959439e0d8e0167736310a8eb3192 Mon Sep 17 00:00:00 2001
From: Adrian Ratiu
Date: Wed, 13 Jul 2022 18:01:19 +0300
Subject: [PATCH] seccomp: allow rseq syscall

Starting with v4.18, the Linux kernel provides the rseq syscall which is a mechanism for fast userspace task synchronization. Starting with v2.35 glibc uses the new syscall, if it exists, to gain some performance improvements, so we need to update the policy files to allow it. Even on older kernels where rseq is not supported, glibc will still probe for its existence by expecting an -ENOSYS response.
BUG=b:235960683
TEST=Local builds against glibc 2.35
Change-Id: I704f2fbf2b058c3a4c3269c7441c3a7324012f8a
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/3763901
Commit-Queue: Manoj Gupta
Owners-Override: Dominick Ng
Reviewed-by: Allen Webb
Reviewed-by: Dennis Kempin
Tested-by: Manoj Gupta
---
 seccomp/aarch64/common_device.policy | 3 +++
 seccomp/aarch64/gpu_common.policy | 4 ++++
 seccomp/arm/common_device.policy | 3 +++
 seccomp/arm/gpu_common.policy | 4 ++++
 seccomp/x86_64/common_device.policy | 4 ++++
 seccomp/x86_64/gpu_common.policy | 4 ++++
 6 files changed, 22 insertions(+)

diff --git a/seccomp/aarch64/common_device.policy b/seccomp/aarch64/common_device.policy
index c8a1088488..9a2a1d1095 100644
--- a/seccomp/aarch64/common_device.policy
+++ b/seccomp/aarch64/common_device.policy
@@ -2,6 +2,9 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
+# rseq should be first due to frequency and purpose to decrease nptl latency
+rseq: 1
+
 brk: 1
 clock_gettime: 1
 clone: arg0 & CLONE_THREAD
diff --git a/seccomp/aarch64/gpu_common.policy b/seccomp/aarch64/gpu_common.policy
index 6e10393c4f..bed7f444bd 100644
--- a/seccomp/aarch64/gpu_common.policy
+++ b/seccomp/aarch64/gpu_common.policy
@@ -4,6 +4,10 @@
 # Rules from common_device.policy with some rules removed because they block certain flags needed
 # for gpu.
+
+# rseq should be first due to frequency and purpose to decrease nptl latency
+rseq: 1
+
 brk: 1
 clock_gettime: 1
 close: 1
diff --git a/seccomp/arm/common_device.policy b/seccomp/arm/common_device.policy
index 9d84bc44aa..b114b72a45 100644
--- a/seccomp/arm/common_device.policy
+++ b/seccomp/arm/common_device.policy
@@ -2,6 +2,9 @@
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
+# rseq should be first due to frequency and purpose to decrease nptl latency
+rseq: 1
+
 brk: 1
 clock_gettime: 1
 clock_gettime64: 1
diff --git a/seccomp/arm/gpu_common.policy b/seccomp/arm/gpu_common.policy
index 79b62fe1ee..424e20eab4 100644
--- a/seccomp/arm/gpu_common.policy
+++ b/seccomp/arm/gpu_common.policy
@@ -4,6 +4,10 @@
 # Rules from common_device.policy with some rules removed because they block certain flags needed
 # for gpu.
+
+# rseq should be first due to frequency and purpose to decrease nptl latency
+rseq: 1
+
 brk: 1
 close: 1
 dup2: 1
diff --git a/seccomp/x86_64/common_device.policy b/seccomp/x86_64/common_device.policy
index 1f677ea4a2..abad4f6922 100644
--- a/seccomp/x86_64/common_device.policy
+++ b/seccomp/x86_64/common_device.policy
@@ -3,6 +3,10 @@
 # found in the LICENSE file.
 @frequency ./common_device.frequency
+
+# rseq should be first due to frequency and purpose to decrease nptl latency
+rseq: 1
+
 brk: 1
 clock_gettime: 1
 clone: arg0 & CLONE_THREAD
diff --git a/seccomp/x86_64/gpu_common.policy b/seccomp/x86_64/gpu_common.policy
index 18c713c607..a615ca2cb1 100644
--- a/seccomp/x86_64/gpu_common.policy
+++ b/seccomp/x86_64/gpu_common.policy
@@ -4,6 +4,10 @@
 # Rules from common_device.policy with some rules removed because they block certain flags needed
 # for gpu.
+
+# rseq should be first due to frequency and purpose to decrease nptl latency
+rseq: 1
+
 brk: 1
 clock_gettime: 1
 close: 1
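Review bot: The comment added above `rseq: 1` in seccomp/aarch64/gpu_common.policy, repeated verbatim in the other five hunks of this patch, explains where the rule sits but not why a sandboxed device process needs the syscall. That reasoning exists only in the commit description, so I would carry it into the policy files, for example `# rseq: used by glibc >= 2.35 when the kernel (>= v4.18) provides it; glibc probes for it even on older kernels.` The "due to frequency" wording also suggests a hot-path syscall; as far as I know glibc issues rseq when a thread registers its rseq area rather than on every critical section, so the ordering claim should be confirmed or dropped.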
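Review bot: In seccomp/x86_64/common_device.policy the new rule lands directly under `@frequency ./common_device.frequency`, and this patch does not touch that frequency file. If the policy compiler in use orders the generated filter from the frequency data rather than from textual position, placing `rseq: 1` first has no effect in this file and the comment above it is misleading. Either give rseq an entry in the frequency file or reword the comment here to something like `# rseq: required by glibc >= 2.35`.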
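Review bot: The allowance reaches only processes whose policy pulls in common_device.policy or gpu_common.policy, which are the only files this patch changes, the last being seccomp/x86_64/gpu_common.policy. Whether every device policy includes one of the two is not visible in the diff. It matters because a seccomp denial does not give glibc the -ENOSYS the description says it probes for; if the filter's default action is to kill, a process built against glibc 2.35 would presumably die at thread start. I would check the seccomp/ tree for policies with neither include and add `rseq: 1` to them in the same change.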