]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit - kernel/sys.c
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1d7637d) | patch
kernel: Implement selective syscall userspace redirection
authorGabriel Krisman Bertazi <krisman@collabora.com>
Fri, 27 Nov 2020 19:32:34 +0000 (14:32 -0500)
committerThomas Gleixner <tglx@linutronix.de>
Wed, 2 Dec 2020 14:07:56 +0000 (15:07 +0100)
commit1446e1df9eb183fdf81c3f0715402f1d7595d4cb
tree8fc9c46b1260c7c0e3a04934955fb78f73eb5233tree
parent1d7637d89cfce54a4f4a41c2325288c2f47470e8commit | diff
kernel: Implement selective syscall userspace redirection

Introduce a mechanism to quickly disable/enable syscall handling for a
specific process and redirect to userspace via SIGSYS.  This is useful
for processes with parts that require syscall redirection and parts that
don't, but who need to perform this boundary crossing really fast,
without paying the cost of a system call to reconfigure syscall handling
on each boundary transition.  This is particularly important for Windows
games running over Wine.

The proposed interface looks like this:

  prctl(PR_SET_SYSCALL_USER_DISPATCH, <op>, <off>, <length>, [selector])

The range [<offset>,<offset>+<length>) is a part of the process memory
map that is allowed to by-pass the redirection code and dispatch
syscalls directly, such that in fast paths a process doesn't need to
disable the trap nor the kernel has to check the selector.  This is
essential to return from SIGSYS to a blocked area without triggering
another SIGSYS from rt_sigreturn.

selector is an optional pointer to a char-sized userspace memory region
that has a key switch for the mechanism. This key switch is set to
either PR_SYS_DISPATCH_ON, PR_SYS_DISPATCH_OFF to enable and disable the
redirection without calling the kernel.

The feature is meant to be set per-thread and it is disabled on
fork/clone/execv.

Internally, this doesn't add overhead to the syscall hot path, and it
requires very little per-architecture support.  I avoided using seccomp,
even though it duplicates some functionality, due to previous feedback
that maybe it shouldn't mix with seccomp since it is not a security
mechanism.  And obviously, this should never be considered a security
mechanism, since any part of the program can by-pass it by using the
syscall dispatcher.

For the sysinfo benchmark, which measures the overhead added to
executing a native syscall that doesn't require interception, the
overhead using only the direct dispatcher region to issue syscalls is
pretty much irrelevant.  The overhead of using the selector goes around
40ns for a native (unredirected) syscall in my system, and it is (as
expected) dominated by the supervisor-mode user-address access.  In
fact, with SMAP off, the overhead is consistently less than 5ns on my
test box.

Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20201127193238.821364-4-krisman@collabora.com
fs/exec.c diff | blob | blame | history
include/linux/sched.h diff | blob | blame | history
include/linux/syscall_user_dispatch.h [new file with mode: 0644] blob
include/linux/thread_info.h diff | blob | blame | history
include/uapi/linux/prctl.h diff | blob | blame | history
kernel/entry/Makefile diff | blob | blame | history
kernel/entry/common.h [new file with mode: 0644] blob
kernel/entry/syscall_user_dispatch.c [new file with mode: 0644] blob
kernel/fork.c diff | blob | blame | history
kernel/sys.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror