[$] Constant-action bitmaps for seccomp()

Post Syndicated from original https://lwn.net/Articles/834785/rss

The seccomp()
system call allows user space to load one or more (classic) BPF programs
to be run whenever the calling process invokes a system call. Those
programs can examine (to an extent) the
arguments to each call and inform the kernel whether the call should be
allowed to proceed or not. This feature is used in a number of
containerization solutions (and beyond) as a way of reducing the kernel’s
attack surface. In some situations, though, using seccomp() can result
in a significant performance reduction. There are currently two patch sets
in circulation that are aimed at reducing the overhead of
seccomp() for one common use case.
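As an added illustration (this code is not from the article or from the patches it discusses), here is a classic-BPF seccomp filter in which most verdicts are decided by the syscall number alone while one depends on an argument, together with a small interpreter so the filter can be exercised without installing it. The x86-64 syscall numbers, the chosen allow-list and the interpreter are assumptions of this example.

```c
/* Added example, not from the article: a seccomp filter whose verdicts are mostly
 * constant per syscall number, plus an interpreter to evaluate it offline. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
static const struct sock_filter filter[] = {
    /* 0-2: refuse a foreign ABI, since syscall numbers differ between arches. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-8: verdicts keyed on nr alone; a per-syscall cache could answer these. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 4, 0),     /* -> 9 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 2, 0),       /* -> 8 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 1, 0),      /* -> 8 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 4), /* -> 8 or 12 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 9-11: socket() also inspects args[0], so this verdict is never constant. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 12: everything else fails with EPERM rather than killing the process. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
};
/* Interpret the filter for one syscall entry `d` the way the kernel would. Only
 * the three opcodes used above are handled; anything else fails closed. */
__u32 run_filter(const struct seccomp_data *d)
{
    const __u8 *raw = (const __u8 *)d;
    __u32 acc = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; ) {
        const struct sock_filter *in = &filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS)) {
            memcpy(&acc, raw + in->k, sizeof acc); /* 32-bit word, host byte order */
            pc++;
        } else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += 1 + (acc == in->k ? in->jt : in->jf);
        } else if (in->code == (BPF_RET | BPF_K)) {
            return in->k;
        } else {
            return SECCOMP_RET_KILL_PROCESS; /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: fail closed */
}
```

Installing the array for real means handing it to seccomp(2) or prctl(PR_SET_SECCOMP) with no_new_privs set; only the entries whose verdict holds regardless of argument values (here read, write and exit_group) are the kind a constant-action cache can short-circuit.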