app/instance/common: optimise ops allocation

Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-04-13 03:46:07 +09:00 · 2025-04-13 03:46:07 +09:00 · 15011c4173
commit 15011c4173
parent 31b7ddd122
2 changed files with 13 additions and 9 deletions
--- a/internal/app/instance/common/container.go
+++ b/internal/app/instance/common/container.go
@ -6,7 +6,6 @@ import (
 	"io/fs"
 	"maps"
 	"path"
 	"slices"
 	"syscall"
 	"git.gensokyo.uk/security/fortify/dbus"
@ -16,6 +15,10 @@ import (
 	"git.gensokyo.uk/security/fortify/sandbox/seccomp"
 )
 // in practice there should be less than 30 entries added by the runtime;
 // allocating slightly more as a margin for future expansion
 const preallocateOpsCount = 1 << 5
 // NewContainer initialises [sandbox.Params] via [fst.ContainerConfig].
 // Note that remaining container setup must be queued by the caller.
 func NewContainer(s *fst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox.Params, map[string]string, error) {
@ -25,19 +28,18 @@ func NewContainer(s *fst.ContainerConfig, os sys.State, uid, gid *int) (*sandbox
 	container := &sandbox.Params{
 		Hostname: s.Hostname,
 		Ops:      new(sandbox.Ops),
 		Seccomp:  s.Seccomp,
 	}
 	{
 		ops := make(sandbox.Ops, 0, preallocateOpsCount+len(s.Filesystem)+len(s.Link)+len(s.Cover))
 		container.Ops = &ops
 	}
 	if s.Multiarch {
 		container.Seccomp |= seccomp.FilterMultiarch
 	}
 	/* this is only 4 KiB of memory on a 64-bit system,
 	permissive defaults on NixOS results in around 100 entries
 	so this capacity should eliminate copies for most setups */
 	*container.Ops = slices.Grow(*container.Ops, 1<<8)
 	if s.Devel {
 		container.Flags |= sandbox.FAllowDevel
 	}
--- a/internal/app/internal/setuid/seal.go
+++ b/internal/app/internal/setuid/seal.go
@ -529,8 +529,10 @@ func (seal *outcome) finalise(ctx context.Context, sys sys.State, config *fst.Co
 	}
 	slices.Sort(seal.container.Env)
-	fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s",
+	if fmsg.Load() {
-		seal.user.uid, seal.user.username, config.Groups, seal.container.Args)
+		fmsg.Verbosef("created application seal for uid %s (%s) groups: %v, argv: %s, ops: %d",
 			seal.user.uid, seal.user.username, config.Groups, seal.container.Args, len(*seal.container.Ops))
 	}
 	return nil
 }