• Abstract

    SECCOMP_RET_TRACE seccomp API could be used to implement a more efficient syscall filtering. Using this technique, tracees will be stopped on entering filtered syscalls only instead of all syscalls.

  • What is done

    • Check at runtime whether seccomp implement or not
    • Check at runtime whether the kernel implements 4.8+ or older seccomp
    • Construct BPF code according to trace_set set
    • Update the ptrace restart option in order to make seccomp hook work

  • TODO

    • Clean up the code
    • Support other architecture
    • Enhance the test

  • Conclusion

    seccomp filter make strace run faster. But in the following case, we should not enable seccomp filter:

    • strace -p: only when use execve to execute a program can we initialize seccomp
    • strace -einject: seccomp stop can not inject signal
    • strace TRACER(like strace): if enable seccomp filter, we will trace the tracee’s child process, so the tracee’s child process call ptrace(PTRACE_TRACEME) fail

  • Learnings

    I learned the related knowledge seccomp, ptrace and BPF etc. I have read seccomp and ptrace kernel code, which improved my ability to read the source code. And my ability to debug has improved.

  • More