From 7b96cd6ded2668b04c908737ff393b805d34cc5c Mon Sep 17 00:00:00 2001
From: Ophestra
Date: Sat, 25 Jan 2025 13:19:38 +0900
Subject: [PATCH] helper/seccomp: do not call F_println if not verbose

This (slightly) improves performance.

Signed-off-by: Ophestra
---
 helper/bwrap/{seccomp-resolve.go => seccomp.go} | 0
 helper/seccomp/seccomp-export.c | 2 +-
 helper/seccomp/seccomp-export.h | 17 +++++++++--------
 helper/seccomp/seccomp.go | 7 +++++++
 4 files changed, 17 insertions(+), 9 deletions(-)
 rename helper/bwrap/{seccomp-resolve.go => seccomp.go} (100%)

diff --git a/helper/bwrap/seccomp-resolve.go b/helper/bwrap/seccomp.go
similarity index 100%
rename from helper/bwrap/seccomp-resolve.go
rename to helper/bwrap/seccomp.go
diff --git a/helper/seccomp/seccomp-export.c b/helper/seccomp/seccomp-export.c
index 78d27e0..855c3bf 100644
--- a/helper/seccomp/seccomp-export.c
+++ b/helper/seccomp/seccomp-export.c
@@ -28,7 +28,7 @@ struct f_syscall_act {
 #define LEN(arr) (sizeof(arr) / sizeof((arr)[0]))
 #define SECCOMP_RULESET_ADD(ruleset) do { \
- F_println("adding seccomp ruleset \"" #ruleset "\""); \
+ if (opts & F_VERBOSE) F_println("adding seccomp ruleset \"" #ruleset "\""); \
 for (int i = 0; i < LEN(ruleset); i++) { \
 assert(ruleset[i].m_errno == EPERM || ruleset[i].m_errno == ENOSYS); \
 \
diff --git a/helper/seccomp/seccomp-export.h b/helper/seccomp/seccomp-export.h
index 90640d8..3a28b12 100644
--- a/helper/seccomp/seccomp-export.h
+++ b/helper/seccomp/seccomp-export.h
@@ -8,14 +8,15 @@
 #endif
 typedef enum {
- F_EXT = 1 << 0,
- F_DENY_NS = 1 << 1,
- F_DENY_TTY = 1 << 2,
- F_DENY_DEVEL = 1 << 3,
- F_MULTIARCH = 1 << 4,
- F_LINUX32 = 1 << 5,
- F_CAN = 1 << 6,
- F_BLUETOOTH = 1 << 7,
+ F_VERBOSE = 1 << 0,
+ F_EXT = 1 << 1,
+ F_DENY_NS = 1 << 2,
+ F_DENY_TTY = 1 << 3,
+ F_DENY_DEVEL = 1 << 4,
+ F_MULTIARCH = 1 << 5,
+ F_LINUX32 = 1 << 6,
+ F_CAN = 1 << 7,
+ F_BLUETOOTH = 1 << 8,
 } f_syscall_opts;
 extern void F_println(char *v);
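Review bot: In seccomp-export.c the new guard inside SECCOMP_RULESET_ADD is an unbraced `if` and reads `opts` from whatever scope the macro is expanded in, so the macro now depends on a variable it does not take as an argument. Bracing the statement keeps later edits to the macro from attaching to the wrong branch: `if (opts & F_VERBOSE) { F_println("adding seccomp ruleset \"" #ruleset "\""); } \`. A one-line comment above the macro saying that it expects the f_syscall_opts bitmask `opts` to be in scope would document the dependency. The macro body continues past the end of this hunk.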
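Review bot: Inserting `F_VERBOSE` at bit 0 in seccomp-export.h renumbers every existing flag (F_EXT moves from `1 << 0` to `1 << 1`, and so on up to F_BLUETOOTH), so any f_syscall_opts value that was stored, logged or passed between components built from different revisions now selects a different set of rulesets. For a seccomp filter that failure is silent: a stale value that meant F_DENY_NS would be read as F_EXT. The hunk does not show whether such values ever leave the process, but appending the new flag keeps the existing values stable: `F_VERBOSE = 1 << 8,` after `F_BLUETOOTH = 1 << 7,`. If bit 0 is kept, a comment on the enum marking F_VERBOSE as internal rather than a policy flag would help.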
diff --git a/helper/seccomp/seccomp.go b/helper/seccomp/seccomp.go
index b329467..ed13118 100644
--- a/helper/seccomp/seccomp.go
+++ b/helper/seccomp/seccomp.go
@@ -28,6 +28,7 @@ var resErr = [...]error{
 type SyscallOpts = C.f_syscall_opts
 const (
+ flagVerbose SyscallOpts = C.F_VERBOSE
 FlagExt SyscallOpts = C.F_EXT
 FlagDenyNS SyscallOpts = C.F_DENY_NS
 FlagDenyTTY SyscallOpts = C.F_DENY_TTY
@@ -64,6 +65,12 @@ func exportFilter(fd uintptr, opts SyscallOpts) error {
 multiarch = C.SCMP_ARCH_ARM
 }
+ // this removes repeated transitions between C and Go execution
+ // when producing log output via F_println and CPrintln is nil
+ if CPrintln != nil {
+ opts |= flagVerbose
+ }
+
 res, err := C.f_export_bpf(C.int(fd), arch, multiarch, opts)
 if re := resErr[res]; re != nil {
 if err == nil {
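Review bot: `flagVerbose` is the only unexported name in this const block in seccomp.go and it has no comment, so nothing tells a reader that it occupies bit 0 of the same SyscallOpts bitmask that callers build from the exported flags. A comment such as `// flagVerbose is set by exportFilter when CPrintln is non-nil; it is not a policy flag and callers should not set it.` would make that explicit. The const block continues past the end of this hunk.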
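Review bot: exportFilter only ever sets `flagVerbose` and never clears it, so a caller-supplied `opts` that already has bit 0 set reaches C.f_export_bpf as verbose even when CPrintln is nil. SyscallOpts is an alias of the C enum, so nothing rejects such a value, and under the previous numbering bit 0 meant FlagExt. Making the bit depend only on CPrintln closes that: add `opts &^= flagVerbose` before the `if CPrintln != nil {` check. The added comment is also hard to parse; something like `// set F_VERBOSE only when a printer is installed, so C skips the cgo callback into F_println when CPrintln is nil` would be clearer. exportFilter starts and ends outside this hunk.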