
Q: intercept syscalls from same process #325

Closed
ghost opened this issue May 19, 2021 · 3 comments
Comments


ghost commented May 19, 2021

I'm working on a sandbox on Linux. What I want to achieve is to intercept syscalls and return an emulated value, or change registers/pointers and execute the syscall with the modified values.

I would like to achieve this from the same process; my code is already injected into the target process during startup.

Is it possible to do this with seccomp?
If you have some example it would be helpful, or any other recommendations; maybe there is a better way to achieve the same thing.

@pcmoore pcmoore changed the title Intercept syscalls Q: intercept syscalls from same process May 19, 2021
@pcmoore
Member

pcmoore commented May 19, 2021

It is probably worth mentioning that attempting to intercept syscalls as a form of sandboxing from within the same address space as the process being sandboxed is going to be prone to failure. A malicious application could find a way to detect that it is being sandboxed and take action against the sandboxing code running in its address space.

A better option would be to go with a more traditional static syscall filter as is done by a large number of sandboxing tools or create a supervisor process to monitor and intercept syscalls using the notification capabilities added to seccomp/libseccomp.

@ghost
Author

ghost commented May 19, 2021

I'm pretty new to seccomp; the day before, I didn't even know about its existence. If I understood correctly, the recent addition of notifications gives us the ability to handle syscalls from user mode.
Do you have code I can use as a reference for this task (seccomp notifications to intercept syscalls)?

@pcmoore
Member

pcmoore commented May 20, 2021

You could always check the test below; it's rather simple, but it should give you a basic idea of how to use it:

I'm going to close this issue as I think the question has been resolved, but if you disagree feel free to reopen/comment.

@pcmoore pcmoore closed this as completed May 20, 2021
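The supervisor arrangement pcmoore recommends (a separate process handling seccomp user notifications), as an added example for this thread. It is not the libseccomp test he refers to and not code from the libseccomp project; it uses the raw seccomp(2) syscall and the SECCOMP_IOCTL_NOTIF_* ioctls from the kernel UAPI headers so it builds without -lseccomp. It assumes Linux 5.0 or later on x86-64 or aarch64, and the syscall it traps (getppid), the fake return value (42) and the function names are illustrative choices. One caveat for the original question: a user-notification supervisor can answer a trapped syscall with a return value or an errno (or, on 5.5+, let it continue unmodified with SECCOMP_USER_NOTIF_FLAG_CONTINUE), and it can read or write memory behind pointer arguments through /proc/PID/mem, but it cannot rewrite the target's registers, and the kernel documentation warns that CONTINUE is unsafe as a security decision because the arguments can change between inspection and execution.

```c
/* Added example, not part of the libseccomp project: a seccomp user-notification
 * supervisor using raw seccomp(2) + ioctl(2). Assumes Linux >= 5.0, x86-64/aarch64. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define FAKE_PPID 42 /* illustrative: value the supervisor returns instead of the real ppid */

/* Classic BPF: kill on unexpected arch, trap getppid to the supervisor, allow the rest. */
static struct sock_filter demo_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Installs the filter and returns the listener fd (or -1 with errno set). */
static int install_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(demo_filter) / sizeof(demo_filter[0]),
        .filter = demo_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) /* required for unprivileged callers */
        return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Handles exactly one notification: emulate getppid, deny anything else. */
static int supervise_one(int listener)
{
    struct seccomp_notif req;
    struct seccomp_notif_resp resp;

    memset(&req, 0, sizeof(req)); /* the kernel rejects a non-zeroed request struct */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0)
        return -1;
    /* Any inspection of the target (e.g. reading pointer args via /proc/PID/mem)
     * belongs before this check, which confirms the same syscall is still pending. */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) < 0)
        return -1;

    memset(&resp, 0, sizeof(resp));
    resp.id = req.id;
    if (req.data.nr == __NR_getppid)
        resp.val = FAKE_PPID;   /* emulated result; the real syscall never runs */
    else
        resp.error = -ENOSYS;   /* deny anything we did not expect */
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp);
}

/* Returns the value the target observed from getppid() (FAKE_PPID when interception
 * works) or -1 if the kernel/sandbox does not support user notification. */
int demo_intercept(void)
{
    int listener = install_filter();
    if (listener < 0)
        return -1;

    /* The filter is installed before fork so the child inherits it; the supervisor
     * is therefore filtered too and must never call getppid() itself. A production
     * sandbox installs the filter in the child and passes the fd back via SCM_RIGHTS. */
    pid_t pid = fork();
    if (pid < 0) { close(listener); return -1; }
    if (pid == 0) {
        long r = syscall(__NR_getppid); /* trapped and answered by the supervisor */
        _exit(r < 0 ? 255 : (int)(r & 0xff));
    }

    int rc = supervise_one(listener);
    close(listener); /* unblocks a still-waiting target with ENOSYS if we failed */
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return rc < 0 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    int r = demo_intercept();
    if (r < 0) { perror("user notification demo failed"); return 1; }
    printf("target saw getppid() == %d, real parent pid is %d\n", r, (int)getpid());
    return r == FAKE_PPID ? 0 : 1;
}
```

Build with `cc -Wall demo.c -o demo` and run unprivileged; the target prints 42 instead of the supervisor's real pid. The same filter with `SECCOMP_RET_ERRNO` or `SECCOMP_RET_KILL_PROCESS` in place of `SECCOMP_RET_USER_NOTIF` is the static-filter alternative pcmoore mentions first, with no supervisor needed.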