> Hello!

Hi,

>    So I've been spending some time in UML (among other virtualization
> technologies).  There's some interesting security and performance models it
> possibly allows, even in this era of containers and hypervisors.  Ptrace is
> being something of a problem though; it's a little hairy and difficult to
> scope.  It is unfortunately breaking many things I'm trying to do.
>
>     So I'm curious.  There is another option -- seccomp-bpf can trap on
> arbitrary syscalls.  Is there a reason anyone sees why UML couldn't be
> routed through it?

I had a look at this and I think it could work.

But what mode would you suggest?

a.) SECCOMP_RET_TRAP
Each usermode process would receive an SIGSYS and forward it to the 
kernel process somehow? and continue afterwards.

b.) SECCOMP_RET_TRACE
the kernel process would still ptrace each usermode process and 
intercept all syscalls?
What would be the difference to the current mode of operation? what 
would we gain here?

with kind regards
thomas




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
User-mode-linux-user mailing list
User-mode-linux-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-user

Reply via email to