It is awkward that the syscalls which cannot be patched end up being handled by the tracer (leaving aside the early syscalls made before LD_PRELOAD takes effect): it forces us to write two versions of the same logic, one in the tracee and one in the tracer. It would be better to force those syscalls to be trapped inside the tracee as well. This can be done by:
installing another RET_TRAP seccomp filter from the LD_PRELOAD library, so that the syscall raises SIGSYS in the tracee instead of stopping it under the tracer;
replacing the syscall instruction with a predefined reserved x86 instruction and handling the resulting fault in the tracee's signal handler.
Both methods can trap the syscalls we cannot patch at the moment. They would not be as fast as patched syscalls, but they would not be any slower than handling the syscalls in the tracer either.
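The following is an added example (not code from the original post) showing both tracee-side traps on Linux x86-64 with one shared emulation routine: a SECCOMP_RET_TRAP filter that turns the syscall into SIGSYS, and a SIGILL handler for a call site where the 2-byte syscall instruction (0f 05) has been replaced in place by the equally long ud2 (0f 0b). The choice of getpid as the trapped syscall, the fake PID it reports, and ud2 as the "reserved instruction" are assumptions made for the example; the page names none of them.

```c
/* Added example, not from the original post. Linux x86-64 only.
 * Method 1: SECCOMP_RET_TRAP -> SIGSYS handled in the tracee.
 * Method 2: syscall (0f 05) patched to ud2 (0f 0b) -> SIGILL handled in the tracee.
 * getpid, FAKE_PID and ud2 are assumptions made for illustration. */
#define _GNU_SOURCE
#ifndef __x86_64__
#error "this example targets Linux x86-64"
#endif
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <ucontext.h>
#include <unistd.h>

#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1          /* si_code the kernel sets for a seccomp SIGSYS */
#endif
#define FAKE_PID 4242          /* what the emulated getpid reports (assumption) */

static volatile sig_atomic_t emulated_calls;

/* One copy of the emulation logic, reachable from both trap paths. */
static long emulate_syscall(long nr)
{
    emulated_calls++;
    switch (nr) {
    case SYS_getpid: return FAKE_PID;
    default:         return -ENOSYS;   /* raw convention: negative errno */
    }
}

/* Method 1: the kernel has already moved RIP past the syscall instruction,
 * so only RAX (the return value) has to be written back. */
static void sigsys_handler(int sig, siginfo_t *si, void *ctx)
{
    greg_t *regs = ((ucontext_t *)ctx)->uc_mcontext.gregs;
    (void)sig;
    if (si->si_code != SYS_SECCOMP || si->si_arch != AUDIT_ARCH_X86_64)
        return;                          /* not a seccomp trap: leave state alone */
    regs[REG_RAX] = emulate_syscall(si->si_syscall);
}

/* Method 2: ud2 and syscall are both 2 bytes, so the patch is in place and
 * RIP only has to skip those 2 bytes. Any other SIGILL is a real fault. */
static void sigill_handler(int sig, siginfo_t *si, void *ctx)
{
    greg_t *regs = ((ucontext_t *)ctx)->uc_mcontext.gregs;
    const unsigned char *ip = (const unsigned char *)regs[REG_RIP];
    (void)si;
    if (ip[0] != 0x0f || ip[1] != 0x0b) {
        signal(sig, SIG_DFL);            /* genuine fault: re-execute and die */
        return;
    }
    regs[REG_RAX] = emulate_syscall(regs[REG_RAX]);
    regs[REG_RIP] += 2;
}

int install_sigill_trap(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = sigill_handler;
    return sigaction(SIGILL, &sa, NULL);
}

/* Install the SIGSYS handler and a RET_TRAP filter for getpid on this thread
 * (the filter is inherited by threads and children created afterwards). */
int install_seccomp_trap(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),     /* foreign arch: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),      /* getpid -> SIGSYS */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),     /* everything else */
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sa.sa_sigaction = sigsys_handler;
    if (sigaction(SIGSYS, &sa, NULL) < 0) return -1;
    /* needed so an unprivileged process may install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) < 0) return -1;
    return 0;
}

/* A real syscall instruction: answered by the SIGSYS handler once the filter is in. */
long getpid_via_seccomp_trap(void) { return syscall(SYS_getpid); }

/* What a patched call site looks like: number in RAX, ud2 where syscall was,
 * result read back from RAX. */
long getpid_via_ud2(void)
{
    long ret;
    __asm__ volatile ("ud2" : "=a"(ret) : "a"((long)SYS_getpid) : "rcx", "r11", "memory");
    return ret;
}

long emulated_call_count(void) { return emulated_calls; }
```

Both handlers write the result into the saved RAX of the interrupted context, which is the same place a real syscall would leave it, so the calling code cannot tell the difference. The SIGSYS path needs no RIP adjustment because the kernel skips the syscall instruction before delivering the signal; the ud2 path has to advance RIP itself, which only works cleanly because ud2 and syscall have the same length. The filter is per-thread and inherited, so it must be installed before the tracee spawns threads.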