hybrid mode via seccomp

[sporksmith]

Hybrid mode on the dev branch (currently e48ca0d) is very slow.

Hybrid mode attempts to be faster than ptrace mode by avoiding a syscall (and therefore a ptrace-stop) in communication between Shadow and the shim. This only happens when the plugin's request to shadow is responded to before the plugin reaches it's spin limit and falls back to a blocking sem_wait. If the plugin ends up calling sem_wait, then it'll end up making a futex syscall, which will result in a ptrace-stop. When that happens, the syscall ends up having strictly more overhead than in ptrace mode, since now it has to deal with the ptrace-stop hybrid mode was meant to avoid in the first place and handle the IPC request from the shim.

In hybrid mode's current form, this problem will be exacerbated in the configuration we now believe to be most performant: using as many workers as (non-hyperthreaded) CPUs, with plugin processes pinned to the same CPU as its worker. In this case the Shadow worker won't get a chance to run to serve an IPC request until either the plugin process is pre-empted by the kernel (which will never happen if using sched_fifo), or it falls back to the blocking sem_wait. i.e. in this configuration hybrid mode will never be faster than ptrace mode.

[sporksmith]

In DetTrace, they use seccomp to allow a tracee to make some syscalls without a ptrace stop.

IIUC such policies can examine syscall arguments, so we could for example allow writes to a pipe of a specific file descriptor.

From ptrace(2):

   PTRACE_EVENT_SECCOMP stops (since Linux 4.8)
       Starting with Linux 4.8, the PTRACE_EVENT_SECCOMP stop was reordered to occur between syscall-entry-stop  and  syscall-exit-stop.
       Note  that  seccomp  no  longer  runs  (and  no  PTRACE_EVENT_SECCOMP  will  be  reported)  if  the system call is skipped due to
       PTRACE_SYSEMU.

       Functionally, a PTRACE_EVENT_SECCOMP stop functions comparably to a syscall-entry-stop (i.e., continuations using  PTRACE_SYSCALL
       will  cause  syscall-exit-stops, the system call number may be changed and any other modified registers are visible to the to-be-
       executed system call as well).  Note that there may be, but need not have been a preceding syscall-entry-stop.

       After a PTRACE_EVENT_SECCOMP stop, seccomp will be rerun, with a SECCOMP_RET_TRACE rule  now  functioning  the  same  as  a  SEC‐
       COMP_RET_ALLOW.   Specifically,  this  means  that if registers are not modified during the PTRACE_EVENT_SECCOMP stop, the system
       call will then be allowed.

[sporksmith]

We should do something about this for the next release. I suspect that something will be to either remove hybrid mode entirely or hide it behind an unstable command line flag.