[GSoC][RFC]: seccomp-assisted syscall filtering

Eugene Syromiatnikov esyr at redhat.com
Mon Mar 12 13:29:36 UTC 2018

On Mon, Mar 12, 2018 at 10:38:37AM +0800, Chen Jingpiao wrote:
> Hi.
> I want to apply for GSoC again. I am interested in the seccomp-assisted syscall
> filtering project.
> I introduce myself again.
> My name is Chen Jingpiao, a junior student in Guangdong Pharmaceutical
> University, majoring in Computer Science and Technology. I am familiar with C,
> Linux and tools (Git, vim, gdb, find, grep, diff, makefile etc.)
> I have accepted strace GSoC 2017 netlink socket parsers project.
> I will prepare the work according to the following steps:
> 1. Understand how strace traces a program (or attaches to a process)
> 2. How seccomp works
> 3. How to handle special cases:
> 	* architecture
> 	* personality
> 	* -f option
> 	* subcall
> 4. How to introduce a seccomp filter in strace
> I'm happy to hear your suggestions or get your help.
> Thank you.

Please note that there is already some (seemingly abandoned) patch
available that tries to introduce the functionality in question[1],
as mentioned on strace's GSoC wiki page[2] (do you plan to use it in
your work or will you do everything from scratch?).  I'm looking forward
to a more elaborate description of the proposal (for example, what are
expected limitations of seccomp filter (like its size) and what
functionality can be achieved there, how it integrates with other
features like path filtering and the upcoming filtering engine, what
are possibilities regarding optimizing BPF code for size).  In addition,
I have a concern regarding conflicts with already set seccomp filters
or attempts to do so; what solutions could you propose in that regard?

[1] https://github.com/shinh/strace/commit/92db747699773b8b9be42ecb27ab969eeb649825
[2] https://strace.io/wiki/GoogleSummerOfCode2018#seccomp-assisted_syscall_filtering
