SECCOMP Filters Get A Very Nice Speed-Up With Linux 5.11

The SECCOMP updates for Linux 5.11 add constant-action bitmaps, which reduce the overhead of many real-world syscall filters from O(N) to O(1). The filters that benefit most are those that only allow or reject system calls. The constant-action bitmap lookup is also faster than an optimized BPF call.
The constant-action bitmap implementation has been in the works for several months and yields significantly faster performance for SECCOMP filters. The cover letter for one of the earlier patch series goes into more detail about the implementation. The necessary architecture tracking has been implemented for all major Linux CPU architectures.
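To make concrete what an allow/reject-only filter looks like, here is an added C example (mine, not code from the article or the kernel patches): it builds a seccomp-BPF allow-list that branches only on the architecture and syscall number, so every syscall resolves to a constant action, plus a simplified static check of that property. `filter_buf`, `build_allow_list` and `filter_is_constant_action` are my names, the 64-instruction buffer and the x86-64 host are assumptions, and the check is my approximation of the kernel's cacheability test, not the kernel's code.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NR_OFF   offsetof(struct seccomp_data, nr)
#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define S(code, k)         (struct sock_filter)BPF_STMT(code, k)         /* the UAPI macros are */
#define J(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf) /* bare initializers  */
struct filter_buf { struct sock_filter insns[64]; unsigned short len; };
/* Allow-list branching only on arch and syscall nr, never on args: the O(1)-cacheable shape. */
int build_allow_list(struct filter_buf *f, unsigned arch, const int *allowed, size_t n) {
    struct sock_filter *p = f->insns;
    if (5 + 2 * n > sizeof f->insns / sizeof *p) return -1;          /* would not fit */
    *p++ = S(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF);
    *p++ = J(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
    *p++ = S(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);               /* foreign ABI: kill */
    *p++ = S(BPF_LD | BPF_W | BPF_ABS, NR_OFF);
    for (size_t i = 0; i < n; i++) {
        *p++ = J(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], 0, 1);
        *p++ = S(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    *p++ = S(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)); /* else EPERM */
    return f->len = (unsigned short)(p - f->insns);
}

/* Approximation (mine, not kernel code) of the cacheability test: only nr/arch may be read. */
int filter_is_constant_action(const struct filter_buf *f) {
    for (unsigned i = 0; i < f->len; i++) {
        unsigned short c = f->insns[i].code;
        if (BPF_CLASS(c) == BPF_LD && BPF_MODE(c) == BPF_ABS &&
            f->insns[i].k != NR_OFF && f->insns[i].k != ARCH_OFF) return 0; /* args[] or ip */
    }
    return 1;
}

int main(void) {
    struct filter_buf f;
    int allowed[] = { SYS_write, SYS_exit_group, SYS_exit };
    /* assumption: x86-64 host; on another arch use its AUDIT_ARCH_* value or the filter kills */
    if (build_allow_list(&f, AUDIT_ARCH_X86_64, allowed, 3) < 0) return 1;
    struct sock_fprog prog = { .len = f.len, .filter = f.insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return 1;            /* required when unprivileged */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) return 1;
    write(1, "sandboxed\n", 10);  /* allowed; any syscall not listed now returns -1/EPERM */
    return 0;
}
```

Because the filter returns a constant per syscall number, the kernel can answer it from the per-architecture bitmap instead of running the BPF program on every call; a filter that loads `args[]` would fall back to the full O(N) evaluation.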