Speed up seccomp with priority list. Allow to provide a list of prioritized syscalls (e.g., syscalls that we know occur often) which are checked before other syscalls in seccomp. When constructing the bpf seccomp filter, traverse prioritized syscalls in a linear list before checking all other syscalls in a binary tree. Bug: 156732794 Test: make, inspect generated *_system_policy.cpp files Test: simpleperf on futex/ioctl-heavy app seems to show 5-10% less time spent in seccomp call Change-Id: I509343bcd32ada90c0591785ab5cb12d2a38c31e (cherry picked from commit ce84677733c18bc442f7f1b2f1840117c904db70)

commit: acadd09c66e1e5966ac771cb338f1ad660aed4c0 [log] [tgz]
author: Bram Bonné <brambonne@google.com> Wed May 06 13:49:55 2020 +0200
committer: Bram Bonné <brambonne@google.com> Mon May 18 11:20:30 2020 +0200
tree: bc11de4fe811b802c698f972cb1eb16ac09ddd0c
parent: 57a1c3908ff5a2e427f5d45992d0b463fd71b87a [diff] [blame]
diff --git a/libc/SECCOMP_PRIORITY.TXT b/libc/SECCOMP_PRIORITY.TXT
new file mode 100644
index 0000000..fb5ad4a
--- /dev/null
+++ b/libc/SECCOMP_PRIORITY.TXT

@@ -0,0 +1,10 @@
+# This file is used to populate seccomp's whitelist policy in combination with SYSCALLS.TXT.
+# Note that the resultant policy is applied only to zygote spawned processes.
+#
+# This file is processed by a python script named genseccomp.py.
+#
+# The syscalls below are prioritized above other syscalls when checking seccomp policy, in
+# the order of appearance in this file.
+
+futex
+ioctl
\ No newline at end of file
commit	acadd09c66e1e5966ac771cb338f1ad660aed4c0	[log] [tgz]
author	Bram Bonné <brambonne@google.com>	Wed May 06 13:49:55 2020 +0200
committer	Bram Bonné <brambonne@google.com>	Mon May 18 11:20:30 2020 +0200
tree	bc11de4fe811b802c698f972cb1eb16ac09ddd0c
parent	57a1c3908ff5a2e427f5d45992d0b463fd71b87a [diff] [blame]