Skip to content

More thread separation#43

Merged
ngc92 merged 6 commits intomasterfrom
thread
Mar 28, 2026
Merged

More thread separation#43
ngc92 merged 6 commits intomasterfrom
thread

Conversation

@ngc92
Copy link
Copy Markdown
Collaborator

@ngc92 ngc92 commented Mar 27, 2026

Not any strong protection, but adds more nuisances to trying to access "protected" memory:
Python call stack is completely invisible from python; We also protect the benchmark manager during warmup calls.

@ngc92 ngc92 requested a review from Copilot March 27, 2026 17:30
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to increase isolation against adversarial kernels by moving sensitive Python execution into separate threads (to obscure the Python call stack) and tightening memory-related behavior during kernel import/warmup.

Changes:

  • Add a new seccomp filter helper intended to block memory-mapping syscalls for warmup/benchmark threads.
  • Refactor kernel import + warmup into a protected/threaded path and split reporting/cleanup into separate BenchmarkManager methods.
  • Run benchmark setup + execution on a spawned C++ thread from the nanobind binding layer.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
csrc/seccomp.cpp Adds seccomp_install_memory_block() helper to deny mmap/mprotect-family syscalls.
csrc/manager.h Exposes send_report() / clean_up(), adds mTestOrder + mMedianEventTime, adjusts result message signature.
csrc/manager.cpp Refactors initial kernel setup into a worker thread, stores test order/event overhead in members, splits reporting/cleanup.
csrc/landlock.cpp Removes an outdated TODO/commented-out seccomp rules block.
csrc/binding.cpp Wraps benchmark execution in a new std::thread with explicit GIL release/acquire.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ngc92 ngc92 mentioned this pull request Mar 27, 2026
Closed
@ngc92 ngc92 requested a review from Copilot March 27, 2026 23:03
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ngc92 ngc92 requested a review from Copilot March 27, 2026 23:52
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ngc92 ngc92 merged commit a208909 into master Mar 28, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ngc92