[PATCH RFC 0/4] Seccomp-assisted syscall filtering
Paul Chaignon
paul.chaignon at gmail.com
Sat Jul 13 10:22:01 UTC 2019
This patchset introduces syscall filtering in the kernel using
seccomp-bpf. The first patch exports the trace_set set required to build
the BPF filtering program. The second patch implements the main logic to
reduce the number of tracer stops. The third lets strace skip the
seccomp-bpf setup when there aren't any syscalls to filter. The last
patch adds tests.

Seccomp filtering is only enabled with the -n option. The BPF program
implements a simple linear match of syscalls which can be improved in the
future without impacting user-observable behavior.

I am sending this as an RFC for several reasons. First, I'd like to bring
attention to several design decisions:
- When using the -n option, the state (enabled/disabled) of seccomp
  filtering is printed at startup. Is that okay?
- -n currently requires -f. Should -n imply -f instead?

Second, I would like to add more tests for the BPF program, but I am not
quite sure how to proceed. In particular, I would like to add a test with
a large (largest?) number of filtered syscalls.
Chen Jingpiao (3):
filter_qualify: export trace_set set
Introduce seccomp-assisted syscall filtering
tests: add check for seccomp-assisted syscall filtering
Paul Chaignon (1):
filter_seccomp: skip seccomp setup when there's nothing to filter
Makefile.am | 2 +
NEWS | 1 +
filter_qualify.c | 2 +-
filter_seccomp.c | 452 ++++++++++++++++++++++++++++++++++++++++
filter_seccomp.h | 57 +++++
number_set.c | 13 ++
number_set.h | 5 +
strace.1.in | 10 +
strace.c | 38 +++-
tests/Makefile.am | 1 +
tests/filter_seccomp.in | 2 +
tests/gen_tests.in | 2 +
tests/init.sh | 5 +
trace_event.h | 5 +
14 files changed, 591 insertions(+), 4 deletions(-)
create mode 100644 filter_seccomp.c
create mode 100644 filter_seccomp.h
create mode 100644 tests/filter_seccomp.in
--
2.17.1
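As an added illustration of the mechanism the cover letter describes (example code, not the patchset's filter_seccomp.c): a C function that builds the linear-match seccomp-bpf program, returning SECCOMP_RET_TRACE for the syscalls in the filter set and SECCOMP_RET_ALLOW for everything else, plus a small user-space interpreter so the program can be checked without installing it. The arch guard, the 255-entry limit (the BPF jump offset is 8 bits), and the function names are assumptions of this example, not design decisions of the patchset.

```c
#include <stddef.h>
#include <stdint.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Build the filter: listed syscalls -> SECCOMP_RET_TRACE (a tracer stop),
 * everything else -> SECCOMP_RET_ALLOW (no stop).  Returns the instruction
 * count, or 0 if n is 0, n exceeds 255 (jt is an 8-bit offset, so that is
 * the most one linear chain can jump over), or out is too small. */
size_t build_trace_filter(uint32_t arch, const int *nrs, size_t n,
                          struct sock_filter *out, size_t cap)
{
	if (n == 0 || n > 255 || cap < n + 6)
		return 0;
	size_t k = 0;
	/* Syscall numbers differ per ABI: stop for any arch the filter was
	 * not built for instead of letting it through unfiltered. */
	out[k++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
	out[k++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, arch, 1, 0);
	out[k++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
	out[k++] = (struct sock_filter) BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
	for (size_t i = 0; i < n; i++)	/* a hit jumps over the rest to RET TRACE */
		out[k++] = (struct sock_filter) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
						    (uint32_t) nrs[i], (uint8_t) (n - i), 0);
	out[k++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
	out[k++] = (struct sock_filter) BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
	return k;
}

/* Tiny interpreter for the three instruction kinds used above, so the
 * program can be checked in user space before prctl(PR_SET_SECCOMP). */
uint32_t run_filter(const struct sock_filter *p, size_t len, uint32_t arch, int nr)
{
	uint32_t acc = 0;
	for (size_t pc = 0; pc < len; pc++) {
		switch (BPF_CLASS(p[pc].code)) {
		case BPF_LD:	/* absolute load of seccomp_data.arch or .nr */
			acc = p[pc].k == offsetof(struct seccomp_data, arch) ? arch : (uint32_t) nr;
			break;
		case BPF_JMP:	/* JEQ #k: skip jt (true) or jf (false) instructions */
			pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
			break;
		case BPF_RET:
			return p[pc].k;
		}
	}
	return SECCOMP_RET_KILL;	/* unreachable for a well-formed program */
}
```

Installing the result takes prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) followed by prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) in the tracee; if no tracer is attached, a SECCOMP_RET_TRACE syscall is not executed and fails with ENOSYS.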