libct/seccomp: enable binary tree optimization

This makes libseccomp produce a BPF which uses a binary tree for syscalls (instead of linear set of if statements). It does not make sense to enable binary tree for small set of rules, so don't do that if we have less than 8 syscalls (the number is chosen arbitrarily). Signed-off-by: Kir Kolyshkin <[email protected]>
opencontainers · Mar 31, 2022 · 8da1ba5 · 8da1ba5
1 parent 1aad11b
commit 8da1ba5
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
@@ -86,6 +86,15 @@ func InitSeccomp(config *configs.Seccomp) (int, error) {
 		}
 	}
 
+	// Enable libseccomp binary tree optimization.
+	if len(config.Syscalls) > 8 {
+		err = filter.SetOptimize(2)
+		if err != nil {
+			// The error is not fatal and is probably means we have older libseccomp.
+			logrus.Debugf("seccomp binary tree optimization not available: %v", err)
+		}
+	}
+
 	// Unset no new privs bit
 	if err := filter.SetNoNewPrivsBit(false); err != nil {
 		return -1, fmt.Errorf("error setting no new privileges: %w", err)