github/containerd
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 2 Wiki Activity

pkg/seccomp: use sync.Once to speed up IsEnabled

Browse Source 
It does not make sense to check if seccomp is supported by the kernel
more than once per runtime, so let's use sync.Once to speed it up.

A quick benchmark (old implementation, before this commit, after):

BenchmarkIsEnabledOld-4           37183            27971 ns/op
BenchmarkIsEnabled-4            1252161              947 ns/op
BenchmarkIsEnabledOnce-4      666274008             2.14 ns/op

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
Kir Kolyshkin 2021-03-24 13:56:06 -07:00
parent 00b5c99b1a
commit 3292ea5862
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
pkg/seccomp/seccomp_linux.go
View File

@ -33,9 +33,16 @@
package seccomp
import (
"sync"
"golang.org/x/sys/unix"
)
var (
enabled bool
enabledOnce sync.Once
)
// isEnabled returns whether the kernel has been configured to support seccomp
// (including the check for CONFIG_SECCOMP_FILTER kernel option).
func isEnabled() bool {
@ -65,5 +72,9 @@ func isEnabled() bool {
// EFAULT). IOW, EINVAL means "seccomp not supported", any other error
// means it is supported.
return unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
enabledOnce.Do(func() {
enabled = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
})
return enabled
}