On 4/22/24 3:41 PM, Benjamin Berg wrote:
> On Mon, 2024-04-22 at 10:35 +0800, Tiwei Bie wrote:
>> On 4/18/24 5:23 PM, benja...@sipsolutions.net wrote:
>>> From: Benjamin Berg <benjamin.b...@intel.com>
>>>
>>> This patchset reworks the stub syscall handling and also redoes how page
>>> table updates are tracked and synchronized. Some of this originated in
>>> the SECCOMP patchset, but it became clear that these refactorings make
>>> sense independently as they result in considerably fewer page faults.
>>
>> I saw your SECCOMP patchset. It's pretty cool! Just wondering if you're about
>> to post a new version soon. :)
>
> I am planning to work on it again, but it is not very high on my
> priority list. So, could be quite soon or some months :-)
>
> In the ARM support thread ("UML for arm64"), there were some ideas to
> use FD passing in order to protect memory mappings better. Doing that
> should allow the SECCOMP approach to scale to SMP and will also
> simplify the security model.
>
> Making those changes will take a bit of thought and experimentation.
> Nothing really big though, it pretty much boils down to using sockets
> for (some of) the synchronization and replacing mprotect with mmap so
> the FD can authorize the operation.
Cool. Thanks for the details! Looking forward to your new version. :)

Regards,
Tiwei
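The idea in Benjamin's last paragraph, that an FD-backed mmap can take over from mprotect because the descriptor's open mode (rather than the calling process) bounds which protections a shared mapping may get, can be checked on plain Linux without any UML code. The program below is an added example written for this page; it is not code from the thread, the patchset or UML. It creates a file, re-opens it read-only, passes the read-only descriptor over a UNIX socketpair (the kind of FD passing the message alludes to), and then shows that the received descriptor can neither be mapped shared-writable nor have an existing read-only shared mapping upgraded with mprotect, while the read-write descriptor can. It assumes a writable /tmp (falling back to the current directory); the file name, function names and error codes are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

#define PAGE 4096

/* Pass one descriptor over a UNIX socket with SCM_RIGHTS. The receiver gets a
 * new descriptor that shares the open file description, i.e. the same rights. */
static int send_fd(int sock, int fd)
{
    char byte = 0;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Returns 0 when the descriptor's rights bound the mapping as expected:
 * the read-only fd (after travelling over the socket) is refused a shared
 * writable mapping and refused an mprotect upgrade, while the read-write fd
 * is granted the same request. Negative values name the step that failed. */
static int fd_authorizes_mapping(void)
{
    char path[] = "/tmp/fdauth-XXXXXX";          /* example file name */
    int rw = mkstemp(path);
    if (rw < 0) { strcpy(path, "./fdauth-XXXXXX"); rw = mkstemp(path); }
    if (rw < 0) return -1;
    int ro = open(path, O_RDONLY | O_CLOEXEC);   /* same file, fewer rights */
    unlink(path);
    if (ro < 0) { close(rw); return -2; }
    if (ftruncate(rw, PAGE) < 0) { close(rw); close(ro); return -3; }

    /* Hand the read-only descriptor across a socketpair, as a supervisor
     * would hand an authorized mapping to a confined process. */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) { close(rw); close(ro); return -4; }
    int got = -1;
    if (send_fd(sv[0], ro) == 0) got = recv_fd(sv[1]);
    close(sv[0]); close(sv[1]); close(ro);
    if (got < 0) { close(rw); return -5; }

    int rc = 0;
    /* 1. A shared writable mapping of a read-only fd is refused with EACCES. */
    void *p = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_SHARED, got, 0);
    if (p != MAP_FAILED) { munmap(p, PAGE); rc = -6; }
    else if (errno != EACCES) rc = -7;

    /* 2. A read-only shared mapping of that fd cannot be upgraded later:
     *    the kernel clears VM_MAYWRITE on it, so mprotect(PROT_WRITE) fails. */
    p = mmap(NULL, PAGE, PROT_READ, MAP_SHARED, got, 0);
    if (p == MAP_FAILED) { if (!rc) rc = -8; }
    else {
        if (mprotect(p, PAGE, PROT_READ | PROT_WRITE) == 0 && !rc) rc = -9;
        munmap(p, PAGE);
    }

    /* 3. The identical request through the read-write fd is granted. */
    void *q = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_SHARED, rw, 0);
    if (q == MAP_FAILED) { if (!rc) rc = -10; }
    else { ((volatile char *)q)[0] = 1; munmap(q, PAGE); }

    close(got); close(rw);
    return rc;
}

int main(void)
{
    int rc = fd_authorizes_mapping();
    printf("descriptor rights bound the mapping: %s (code %d)\n",
           rc == 0 ? "yes" : "no", rc);
    return rc == 0 ? 0 : 1;
}
```

Two caveats worth keeping in mind when reading this as a model for the design in the thread: the check only applies to MAP_SHARED, since a MAP_PRIVATE + PROT_WRITE mapping of a read-only fd is allowed (it is copy-on-write and never reaches the shared pages); and for memory that should become immutable for everyone, a memfd with F_SEAL_WRITE applied refuses shared writable mappings even through a read-write descriptor.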