uretprobe(2) is a performance enhancement system call added to improve uretprobes on x86_64.
Confinement environments such as Docker are not aware of this new system call and kill confined processes when uretprobes are attached to them. Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, pass this system call through seccomp without forcing existing userspace confinement environments to be changed.

To: Kees Cook <[email protected]>
To: Andy Lutomirski <[email protected]>
To: Will Drewry <[email protected]>
To: Oleg Nesterov <[email protected]>
To: Masami Hiramatsu (Google) <[email protected]>
To: Jiri Olsa <[email protected]>
To: Andrii Nakryiko <[email protected]>
Cc: [email protected]
Signed-off-by: Eyal Birger <[email protected]>

Eyal Birger (2):
  seccomp: passthrough uretprobe systemcall without filtering
  selftests/seccomp: validate uretprobe syscall passes through seccomp

 kernel/seccomp.c                              |  24 ++-
 tools/testing/selftests/seccomp/seccomp_bpf.c | 195 ++++++++++++++++++
 2 files changed, 216 insertions(+), 3 deletions(-)

-- 
2.43.0
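To make the failure mode concrete, here is an added example (not code from this patch series or from kernel/seccomp.c) modelling what happens to a process behind a typical allowlist seccomp filter. It contains a tiny interpreter for the classic-BPF subset seccomp filters use (LD, JEQ, RET), an allowlist filter of the shape container runtimes install, and two decision functions: one that always runs the filter, and one that models the passthrough idea by allowing the uretprobe syscall before the filter runs. The opcode and SECCOMP_RET_* values are the UAPI constants; the syscall numbers are the x86_64 ones, and the uretprobe number (335) is taken from the upstream x86_64 syscall table and should be treated as an assumption if your headers say otherwise. Real seccomp also checks the arch field and has more return actions; those are omitted here.

```c
/* Added example: model of an allowlist seccomp filter and the uretprobe
 * passthrough. Not the kernel's or the patch's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same layout as the UAPI structs; defined locally so this builds without
 * kernel headers. */
struct sock_filter { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };
struct seccomp_data { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

/* Classic BPF opcodes (BPF_LD|BPF_W|BPF_ABS, BPF_JMP|BPF_JEQ|BPF_K, BPF_RET|BPF_K). */
#define BPF_LD_W_ABS   0x20
#define BPF_JMP_JEQ_K  0x15
#define BPF_RET_K      0x06

#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#define SECCOMP_RET_ALLOW        0x7fff0000U

/* x86_64 syscall numbers. NR_uretprobe = 335 is an assumption taken from the
 * upstream syscall table; verify against your own headers. */
#define NR_read       0
#define NR_write      1
#define NR_exit_group 231
#define NR_uretprobe  335

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* "if nr == X then ALLOW, else fall through to the next check" */
#define ALLOW_SYSCALL(nr) \
    { BPF_JMP_JEQ_K, 0, 1, (nr) }, \
    { BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW }

/* Allowlist filter written before uretprobe(2) existed: anything it does not
 * know about is killed. This is the Docker-style behaviour the cover letter
 * describes. */
static const struct sock_filter allowlist[] = {
    { BPF_LD_W_ABS, 0, 0, offsetof(struct seccomp_data, nr) },
    ALLOW_SYSCALL(NR_read),
    ALLOW_SYSCALL(NR_write),
    ALLOW_SYSCALL(NR_exit_group),
    { BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS },
};

/* Minimal interpreter for the three instruction kinds used above.
 * Anything unexpected fails closed, as a seccomp verifier would reject it. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD_W_ABS:
            if (ins->k != offsetof(struct seccomp_data, nr))
                return SECCOMP_RET_KILL_PROCESS; /* only nr loads modelled */
            acc = (uint32_t)sd->nr;
            break;
        case BPF_JMP_JEQ_K:
            /* jump offsets are relative to the following instruction */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end */
}

/* Behaviour without the change: every syscall is subject to the filter,
 * so the kernel-internal uretprobe syscall gets the filter's default. */
uint32_t seccomp_decide_filtered(int nr)
{
    struct seccomp_data sd = { .nr = nr, .arch = 0xc000003eU /* AUDIT_ARCH_X86_64 */ };
    return run_filter(allowlist, ARRAY_LEN(allowlist), &sd);
}

/* Model of the passthrough: uretprobe is allowed before any filter runs,
 * so an unaware allowlist cannot kill the traced process. */
uint32_t seccomp_decide_passthrough(int nr)
{
    if (nr == NR_uretprobe)
        return SECCOMP_RET_ALLOW;
    return seccomp_decide_filtered(nr);
}

int main(void)
{
    int nrs[] = { NR_read, NR_uretprobe, 42 /* unknown */ };
    for (size_t i = 0; i < ARRAY_LEN(nrs); i++)
        printf("nr=%3d filtered=%#x passthrough=%#x\n", nrs[i],
               seccomp_decide_filtered(nrs[i]),
               seccomp_decide_passthrough(nrs[i]));
    return 0;
}
```

Running it shows read allowed by both paths, uretprobe killed by the plain filter but allowed with the passthrough, and an unrelated unknown syscall still killed in both cases, which is the point of the series: only the kernel-internal syscall bypasses the filter, and existing allowlists do not need to be edited.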
