B2G/Architecture/System Security/Seccomp
From MozillaWiki
Seccomp sandboxing notes
Whitelist performance optimizations
Samples of the system call count per app. Samples are currently taken with "strace -S calls -c -p <app pid>", for 10 or more seconds, while the app is running and being used.
This is not a reproducible measurement, although the results should be fairly consistent and thus very usable. We should come up with a better way to measure the call count in the future. The most used calls should generally be at the top of the seccomp whitelist, for performance.
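The following is an added example, not part of the original wiki page or the B2G code: it parses "strace -c" summaries, merges per-app samples, and orders the whitelist by call count. The function names are hypothetical, and `mean_checks` assumes the whitelist is scanned entry by entry from the top, which is what the ordering advice above implies.

```python
import re
from collections import Counter

# Constructed sample: five rows copied from the Homescreen table below, in
# strace -c layout; the total row is recomputed for this subset.
SAMPLE = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  2.81    0.386898          84      4617           msgget
  1.98    0.271861          87      3141           gettimeofday
  0.46    0.062669          81       778       354 read
 87.97   12.096285       19231       629           semget
  0.02    0.002383          54        44           open
------ ----------- ----------- --------- --------- ----------------
100.00   12.820096                  9209       354 total
"""

# % time, seconds, usecs/call, calls, optional errors, syscall name
ROW = re.compile(r"^\s*[\d.]+\s+[\d.]+\s+\d+\s+(\d+)\s+(?:\d+\s+)?([A-Za-z_]\w*)\s*$")

def parse_strace_summary(text):
    """Return Counter {syscall: calls} from one strace -c summary."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) != "total":  # skip header, rulers and the total row
            counts[m.group(2)] += int(m.group(1))
    return counts

def whitelist_order(*samples):
    """Merge per-app samples and list syscalls most-called first (ties by name)."""
    merged = sum(samples, Counter())
    return sorted(merged, key=lambda name: (-merged[name], name))

def mean_checks(order, counts):
    """Average entries inspected per call if the list is scanned from the top."""
    hits = sum((pos + 1) * counts[name] for pos, name in enumerate(order))
    return hits / sum(counts.values())

if __name__ == "__main__":
    counts = parse_strace_summary(SAMPLE)
    by_use = whitelist_order(counts)
    print(by_use)
    # Frequency order versus alphabetical order of the same five entries
    print(mean_checks(by_use, counts), mean_checks(sorted(counts), counts))
```

Passing one parsed summary per app to `whitelist_order` gives a single ordering weighted by the combined call counts.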
2013-09-24 - B2G 1.2.0.0-prerelease
Homescreen
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  2.81    0.386898          84      4617           msgget
  1.98    0.271861          87      3141           gettimeofday
  0.46    0.062669          81       778       354 read
  3.52    0.483559         624       775        62 recv
 87.97   12.096285       19231       629           semget
  0.72    0.099575         258       386           ioctl
  1.87    0.256738         810       317           write
  0.03    0.004641          26       176        44 close
  0.22    0.030588         251       122           getdents64
  0.15    0.019961         190       105           sigprocmask
  0.02    0.002405          26        92           getpid
  0.06    0.007876         151        52           lseek
  0.05    0.006930         151        46           munmap
  0.13    0.018315         398        46           mmap2
  0.02    0.002383          54        44           open
  0.00    0.000335          28        12           getrusage
------ ----------- ----------- --------- --------- ----------------
100.00   13.751019                 11338       460 total
Gallery
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0.26    0.070634          45      1570           msgget
  0.16    0.044170          65       676           gettimeofday
  0.07    0.020210          49       416       200 read
 99.24   27.032134       73258       369           semget
  0.16    0.042235         189       224         3 recv
  0.01    0.001650          83        20           ioctl
  0.06    0.017363         965        18           write
  0.01    0.003144         524         6           sigprocmask
  0.02    0.005769        1442         4           lseek
  0.00    0.000488         163         3           mmap2
  0.00    0.000062          31         2           getpid
  0.01    0.001618         809         2           getdents64
  0.00    0.000092          46         2           open
  0.00    0.000092          92         1           clone
  0.00    0.000031          31         1           mprotect
------ ----------- ----------- --------- --------- ----------------
100.00   27.239692                  3314       203 total
Browser (one tab)
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  2.32    0.667662          86      7741           msgget
  2.61    0.751175         100      7493           gettimeofday
  0.95    0.273277          47      5859       689 read
  0.85    0.244491          61      3992           lseek
  4.99    1.438347         795      1809        99 recv
 82.44   23.768248       21127      1125           semget
  3.41    0.984107        1020       965           write
  0.81    0.233528         293       797           ioctl
  0.33    0.095441         122       781           sigprocmask
  0.28    0.079464         167       477           getdents64
  0.04    0.012026          30       405       100 close
  0.11    0.032896          95       346           getpid
  0.24    0.069226         380       182           munmap
  0.37    0.106594         679       157           mmap2
  0.23    0.067234         494       136           writev
  0.02    0.006437          61       106           open
  0.00    0.000707          27        26           getrusage
  0.00    0.000642          32        20           mprotect
  0.00    0.000457          76         6           fstat64
  0.00    0.000335          84         4           clone
  0.00    0.000061          31         2           dup
  0.00    0.000062          31         2           brk
------ ----------- ----------- --------- --------- ----------------
100.00   28.832417                 32431       888 total
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0.88    0.143536          53      2697           msgget
  0.93    0.151107          57      2657           gettimeofday
  0.54    0.088590          40      2242       298 read
  0.33    0.054133          34      1572           lseek
 95.02   15.469455       28178       549           semget
  0.80    0.130155         317       411        18 recv
  1.17    0.190620         891       214           write
  0.09    0.014561          85       172           sigprocmask
  0.04    0.007227         110        66           getpid
  0.05    0.008543         131        65           ioctl
  0.01    0.002405          62        39           getdents64
  0.06    0.010309         333        31           mprotect
  0.01    0.000884          29        30         6 close
  0.02    0.003268         131        25           mmap2
  0.01    0.001160          73        16         1 open
  0.01    0.001525         127        12           munmap
  0.00    0.000580          48        12           getrusage
  0.00    0.000279          35         8         7 access
  0.00    0.000214          27         8           fstat64
  0.00    0.000334          48         7         4 stat64
  0.00    0.000152          38         4           writev
  0.00    0.000214          71         3           clone
  0.00    0.000093          31         3           brk
  0.00    0.000091          30         3           prctl
  0.00    0.000030          30         1           setuid32
  0.00    0.000030          30         1         1 mkdir
  0.00    0.000030          30         1           chdir
  0.00    0.000031          31         1           setgid32
------ ----------- ----------- --------- --------- ----------------
100.00   16.279556                 10850       335 total
Geoloc
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0.50    0.119288          51      2357           gettimeofday
  0.23    0.055355          54      1025           msgget
  0.15    0.035792          49       726        99 read
  0.16    0.038350          82       470           lseek
  0.38    0.091701         385       238         9 recv
 98.30   23.551602      116018       203           semget
  0.23    0.055140        1103        50           write
  0.01    0.002044          54        38           sigprocmask
  0.00    0.000579          16        36           getpid
  0.00    0.000943          38        25           mprotect
  0.01    0.001523          76        20           ioctl
  0.01    0.001281          75        17           mmap2
  0.00    0.000761          76        10         1 open
  0.00    0.000278          35         8         7 access
  0.00    0.000397          50         8           getrusage
  0.01    0.001892         270         7           close
  0.00    0.000244          35         7         4 stat64
  0.00    0.000151          30         5           fstat64
  0.00    0.000215          72         3           clone
  0.00    0.000091          30         3           _llseek
  0.00    0.000091          30         3           prctl
  0.00    0.000274         137         2           munmap
  0.00    0.000182          91         2           brk
  0.00    0.000030          30         1           chdir
  0.00    0.000030          30         1           setgid32
  0.00    0.000031          31         1         1 mkdir
  0.00    0.000031          31         1           setuid32
------ ----------- ----------- --------- --------- ----------------
100.00   23.958296                  5267       121 total
Crystal Skull
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  2.33    0.406040          58      6964           gettimeofday
  1.58    0.275568          49      5669           msgget
 50.14    8.738014        1944      4494           ioctl
 17.15    2.989210        1546      1934         5 recv
  0.40    0.070312          59      1201       580 read
  0.72    0.126143         117      1075           mmap2
  0.61    0.105569         107       990           munmap
 24.95    4.347790        5539       785           semget
  1.83    0.319358         540       591           write
  0.16    0.027345          48       567           getpid
  0.02    0.003075          41        75           mprotect
  0.01    0.001439          42        34        22 stat64
  0.01    0.001163          34        34           sigprocmask
  0.01    0.000913          29        32           lseek
  0.04    0.007262         250        29         7 open
  0.01    0.002382         125        19           getdents64
  0.01    0.001157          61        19           close
  0.00    0.000791          44        18        13 access
  0.00    0.000458          42        11           writev
  0.00    0.000184          37         5           fstat64
  0.00    0.000121          30         4           getrusage
  0.00    0.000062          21         3           _llseek
  0.00    0.000642         214         3           prctl
  0.01    0.001220         407         3           clone
  0.00    0.000061          61         1           chdir
  0.00    0.000061          61         1         1 mkdir
  0.00    0.000061          61         1           setuid32
  0.00    0.000061          61         1           brk
  0.00    0.000061          61         1           setgid32
------ ----------- ----------- --------- --------- ----------------
100.00   17.426523                 24564       628 total