minijail0: Add flag to allow speculative execution on seccomp enabled processes

By default, speculative execution is disabled on seccomp processes to
mitigate against speculative execution based attacks. However, this
comes at a significant performance penalty on some CPUs. By adding a
flag to allow speculative execution, we can tune the
performance/security tradeoff for certain processes.

Bug: 170247420
Test: Deploy to grunt and add flag to cras. See reduced CPU usage of
      switch_mm_irqs_off() kernel function during meet call.

Change-Id: Id162a0ab9d8084b8023fa76e93ce91613e48f115
diff --git a/minijail0_cli.c b/minijail0_cli.c
index 94d8578..fb556d2 100644
--- a/minijail0_cli.c
+++ b/minijail0_cli.c
@@ -620,7 +620,9 @@
 	       "                E.g., '-S /usr/share/filters/<prog>.$(uname -m).bpf'.\n"
 	       "                Requires -n when not running as root.\n"
 	       "                The user is responsible for ensuring that the binary\n"
-	       "                was compiled for the correct architecture / kernel version.\n");
+	       "                was compiled for the correct architecture / kernel version.\n"
+	       "  --allow-speculative-execution:Allow speculative execution and disable "
+	       "                mitigations for speculative execution attacks.\n");
 	/* clang-format on */
 }
 
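Review bot: The new usage text will print badly. The first added literal ends in "disable " with no "\n", and the next literal starts with sixteen spaces, so the help output comes out as one long line with a gap in the middle of the sentence. There is also no space after the colon in "--allow-speculative-execution:Allow". Break the line after the option name and put the description on the indented continuation lines, the way the entry just above does. Because this switch turns a mitigation off, the help should also say that it relates to the seccomp filter (as the setter name in the last hunk suggests) and that it trades protection against speculative execution attacks for performance.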
@@ -673,6 +675,7 @@
 		{"preload-library", required_argument, 0, 132},
 		{"seccomp-bpf-binary", required_argument, 0, 133},
 		{"add-suppl-group", required_argument, 0, 134},
+		{"allow-speculative-execution", no_argument, 0, 135},
 		{0, 0, 0, 0},
 	};
 	/* clang-format on */
@@ -957,6 +960,9 @@
 			suppl_group_add(&suppl_gids_count, &suppl_gids,
 			                optarg);
 			break;
+		case 135:
+			minijail_set_seccomp_filter_allow_speculation(j);
+			break;
 		default:
 			usage(argv[0]);
 			exit(opt == 'h' ? 0 : 1);
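Review bot: case 135 calls minijail_set_seccomp_filter_allow_speculation(j) unconditionally, with no check that a seccomp filter was requested on the same command line. The setter's name ties it to the seccomp filter, so when the flag is passed without one it would appear to have nothing to act on, and the user gets no indication of that. Consider warning or failing on that combination once option parsing is complete. Also consider logging whenever the flag is accepted, so that a jail started with the speculation mitigations relaxed can be found in an audit.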