Hermit launches Linux x86_64 programs in a special, hermetically isolated sandbox to control their execution. Hermit translates normal, nondeterministic behavior into deterministic, repeatable behavior. This can be used for various applications, including replay-debugging, reproducible artifacts, chaos mode concurrency testing and bug analysis.
This is a currently unhandled piece of Linux functionality that we just "let through". But it introduces nondeterminism in the key_serial_t identifiers that come back.
Basic plan:
- virtualize the key serials just like with other IDs (e.g. inodes)
- make sure that our container setup keeps the process tree's keys separate from anything else on the system
Specific steps for virtualizing IDs would include:
[ ] add a new global state RPC for adding/resolving key serial numbers
[ ] have local handlers for add_key establish the new virtual mapping, and return the virtual serial ID to the guest, which probably starts at a constant and counts up by +1
[ ] have request_key and keyctl calls resolve virtual serial numbers before issuing to Linux
Relevant manpages:
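A sketch of the mapping the steps above describe, added here as an illustration and not taken from Hermit's code base: `KeySerialTable`, `virtualize`, `resolve` and the starting constant 1000 are hypothetical names and values. It shows deterministic allocation on the `add_key`/`request_key` return path, and a resolve step that passes the kernel's special non-positive keyring IDs through but rejects any positive serial the table never issued, so a guest cannot name a real key outside its own mapping.

```rust
use std::collections::HashMap;

type KeySerial = i32; // key_serial_t is int32_t in the kernel ABI
const FIRST_VIRTUAL_SERIAL: KeySerial = 1000; // assumed; the issue only says "a constant"

/// Hypothetical global-state table: virtual serial <-> real kernel serial.
#[derive(Default)]
struct KeySerialTable {
    virt_to_real: HashMap<KeySerial, KeySerial>,
    real_to_virt: HashMap<KeySerial, KeySerial>,
    allocated: KeySerial,
}

impl KeySerialTable {
    /// Return path of add_key/request_key: real serial -> stable virtual serial.
    fn virtualize(&mut self, real: KeySerial) -> KeySerial {
        if let Some(&virt) = self.real_to_virt.get(&real) {
            return virt; // updating or re-finding an existing key keeps its ID
        }
        let virt = FIRST_VIRTUAL_SERIAL + self.allocated;
        self.allocated += 1;
        self.virt_to_real.insert(virt, real);
        self.real_to_virt.insert(real, virt);
        virt
    }

    /// Before issuing a guest-supplied serial to Linux: virtual -> real.
    /// Err carries the unknown virtual serial so the handler can fail the call.
    fn resolve(&self, virt: KeySerial) -> Result<KeySerial, KeySerial> {
        if virt <= 0 {
            return Ok(virt); // KEY_SPEC_* special IDs are negative; 0 means "none"
        }
        self.virt_to_real.get(&virt).copied().ok_or(virt)
    }
}

fn main() {
    // Constructed sample: two runs where the kernel hands out different serials.
    for real in [[271828182, 314159265], [99120331, 7764201]] {
        let mut table = KeySerialTable::default();
        let seen: Vec<_> = real.iter().map(|&r| table.virtualize(r)).collect();
        println!("guest sees {:?}, kernel uses {:?}", seen, table.resolve(seen[0]));
    }
}
```

Both constructed runs show the guest the same serials (1000, 1001) even though the kernel's values differ.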