pkg/seccomp: use sync.Once to speed up IsEnabled

kolyshkin · kolyshkin · commit 3292ea586276 · 2021-04-16T15:52:35.000-07:00
It does not make sense to check if seccomp is supported by the kernel
more than once per runtime, so let's use sync.Once to speed it up.

A quick benchmark (old implementation, before this commit, after):

BenchmarkIsEnabledOld-4           37183            27971 ns/op
BenchmarkIsEnabled-4            1252161              947 ns/op
BenchmarkIsEnabledOnce-4      666274008             2.14 ns/op

Signed-off-by: Kir Kolyshkin &lt;kolyshkin@gmail.com&gt;
diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go
@@ -33,9 +33,16 @@
 package seccomp
 
 import (
+	"sync"
+
 	"golang.org/x/sys/unix"
 )
 
+var (
+	enabled     bool
+	enabledOnce sync.Once
+)
+
 // isEnabled returns whether the kernel has been configured to support seccomp
 // (including the check for CONFIG_SECCOMP_FILTER kernel option).
 func isEnabled() bool {
@@ -65,5 +72,9 @@ func isEnabled() bool {
 	// EFAULT). IOW, EINVAL means "seccomp not supported", any other error
 	// means it is supported.
 
-	return unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
+	enabledOnce.Do(func() {
+		enabled = unix.Prctl(unix.PR_SET_SECCOMP, unix.SECCOMP_MODE_FILTER, 0, 0, 0) != unix.EINVAL
+	})
+
+	return enabled
 }
