Open wangbj opened 5 years ago
Do we want a full config file here, or just the ability to read in a text file list syscalls? (By what format names?)
When you say "filter" here that means intercept/trap/turn-into-an-event right? "Blacklist" means "intercept and then throw an error" right? And then I suppose "whitelist" means don't intercept at all, just let them through.
In your bullet (2), those are syscalls (e.g. nanosleep) which we may actually want to intercept, right? Filtering by seccomp = converting to signal right? So these are events we can subscribe to, but they are always expensive at runtime, is that correct?
We can use yml, you're right filter means we'll turn it into a (seccomp) event; for blacklist, there're some syscalls like clock_nanosleep
, can be filtered by seccomp, but it isn't safe to patch, because it has instruction sequences like:
syscall
label: xx
yyy
There're code in the same function (glibc wrapper of clock_nanosleep) jumps into the label
right after syscall
, patching it would cause SIGILL
if the jump happens.
clock_nanosleep
is not nanosleep
, the former provides more control such as which CLOCK
to sleep on. You're right seccomp is a lot slower.
It could be better if we can have a configuration file, so that we can determine which syscalls to filter. this might includes:
1) syscalls we don't want to filter at all, such as
getpid
2) blacklisted syscalls known to have problems with patching, but can be filtered byseccomp
, such asclock_nanosleep
,rt_sigreturn
.There're could be intersections between 1) & 2).