[GSoC][RFC]: seccomp-assisted syscall filtering

Dmitry V. Levin ldv at altlinux.org
Tue Mar 13 11:26:43 UTC 2018


On Mon, Mar 12, 2018 at 02:29:36PM +0100, Eugene Syromiatnikov wrote:
> On Mon, Mar 12, 2018 at 10:38:37AM +0800, Chen Jingpiao wrote:
> > Hi.
> > 
> > I want to apply for GSoC again. I am interested in the seccomp-assisted
> > syscall filtering project.
> > 
> > Let me introduce myself again.
> > 
> > My name is Chen Jingpiao, a junior student in Guangdong Pharmaceutical
> > University, majoring in Computer Science and Technology. I am familiar with C,
> > Linux and tools (Git, vim, gdb, find, grep, diff, makefile etc.)
> > I have accepted strace GSoC 2017 netlink socket parsers project.
> > 
> > I will prepare the work according to the following steps:
> > 
> > 1. Understand how strace traces a program (or attaches to a process)
> > 2. How seccomp works
> > 3. How to handle special cases:
> > 	* architecture
> > 	* personality
> > 	* -f option
> > 	* subcall
> > 4. How to introduce a seccomp filter in strace
> > 
> > I'm happy to hear your suggestions or get your help.
> > Thank you.
> 
> Please note that there is already some (seemingly abandoned) patch
> available that tries to introduce the functionality in question[1],
> as mentioned on strace's GSoC wiki page[2] (do you plan to use it in
> your work or will do everything from scratch?).

Does this patch contain anything worth reusing?

> I'm looking forward
> to a more elaborate description of the proposal (for example, what are
> expected limitations of seccomp filter (like its size)

The limit on the number of instructions in a seccomp filter is BPF_MAXINSNS;
it's much higher than the number of syscalls, so there shouldn't be any
limitations assuming that the filter is sane.


-- 
ldv
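
Added example, not part of the message above and not strace code: a C sketch that builds a SECCOMP_RET_TRACE filter for a set of syscall numbers and checks its length against BPF_MAXINSNS. The function names, the two-instructions-per-syscall layout and the choice to trace everything on a foreign architecture are assumptions of this sketch; a caller passing about 450 syscall numbers (a constructed, roughly realistic count) gets 905 instructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>   /* AUDIT_ARCH_* */
#include <linux/filter.h>  /* struct sock_filter, BPF_*, BPF_MAXINSNS */
#include <linux/seccomp.h> /* struct seccomp_data, SECCOMP_RET_* */

#define LD(field)    (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(v, t, f) (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (v), (t), (f))
#define RET(v)       (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, (v))

/* SECCOMP_RET_TRACE for the syscalls in nrs[], SECCOMP_RET_ALLOW for the rest.
 * Returns the instruction count, or 0 if it exceeds cap or BPF_MAXINSNS. */
size_t build_trace_filter(struct sock_filter *out, size_t cap,
                          uint32_t audit_arch, const uint32_t *nrs, size_t n)
{
    size_t i = 0, need = 5 + 2 * n;
    if (need > cap || need > BPF_MAXINSNS)
        return 0;
    out[i++] = LD(arch);
    out[i++] = JEQ(audit_arch, 1, 0);  /* expected arch: skip the next RET */
    out[i++] = RET(SECCOMP_RET_TRACE); /* other arch: stop on every syscall (assumption) */
    out[i++] = LD(nr);
    /* jt/jf are 8-bit offsets, so every compare carries its own RET rather
     * than jumping to a shared one that could be over 255 instructions away. */
    for (size_t k = 0; k < n; k++) {
        out[i++] = JEQ(nrs[k], 0, 1);
        out[i++] = RET(SECCOMP_RET_TRACE);
    }
    out[i++] = RET(SECCOMP_RET_ALLOW);
    return i;
}

/* Userspace evaluation of the three instruction kinds emitted above, so the
 * verdicts can be checked without installing the filter. */
uint32_t run_filter(const struct sock_filter *p, size_t len,
                    const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)d + p[pc].k, sizeof acc);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
        else
            return p[pc].k; /* BPF_RET | BPF_K */
    }
    return SECCOMP_RET_KILL; /* ran off the end: treat as malformed */
}
```

On x86_64 the x32 personality shares AUDIT_ARCH_X86_64 and is distinguished only by __X32_SYSCALL_BIT in the syscall number, which this sketch does not handle.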