I'm working on a sandbox on Linux. What I want to achieve is to intercept syscalls and return an emulated value, or change registers/pointers and execute the syscall with the modified value.
I would like to achieve this from the same process; my code is already injected into the target process during startup.
Is it possible to do this with seccomp?
If you have some example it would be helpful, or any other recommendations; maybe there is a better way to achieve the same.
pcmoore changed the title from "Intercept syscalls" to "Q: intercept syscalls from same process" on May 19, 2021
It is probably worth mentioning that attempting to intercept syscalls as a form of sandboxing from within the same address space as the process being sandboxed is going to be prone to failure. A malicious application could find a way to detect that it is being sandboxed and take action against the sandboxing code running in its address space.
A better option would be to go with a more traditional static syscall filter as is done by a large number of sandboxing tools or create a supervisor process to monitor and intercept syscalls using the notification capabilities added to seccomp/libseccomp.
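As an added worked example (not code from this issue or from libseccomp), here is the supervisor-process approach from the reply above, written against the raw kernel interface so it builds with nothing but Linux 5.0+ headers. The parent installs a filter that marks getpid() with SECCOMP_RET_USER_NOTIF and gets a listener fd back; a forked target inherits the filter, calls getpid(), and blocks until the parent reads the notification and answers with an emulated value, so the real syscall never executes. FAKE_PID, decide, supervise_one, run_demo and DEMO_UNSUPPORTED are names chosen here, and an amd64 or arm64 host is assumed. Build with `cc -Wall -o notif notif.c`.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "set DEMO_ARCH to this machine's AUDIT_ARCH_* value"
#endif
#define FAKE_PID 4242         /* assumed: the value handed back for getpid() */
#define DEMO_UNSUPPORTED (-2) /* seccomp() refused SECCOMP_FILTER_FLAG_NEW_LISTENER */

/* Classic BPF: kill on a foreign arch, divert getpid() to the listener, allow the rest. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
static struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };

/* Policy half, free of kernel calls: resp->val / resp->error become the target's syscall result. */
void decide(const struct seccomp_notif *req, struct seccomp_notif_resp *resp)
{
    memset(resp, 0, sizeof *resp);
    resp->id = req->id;
    if (req->data.nr == __NR_getpid)
        resp->val = FAKE_PID;  /* emulated result; the real syscall never runs */
    else
        resp->error = -ENOSYS; /* the filter should never send anything else */
}

/* Serve exactly one notification. Returns 0 on success, -1 on error. */
int supervise_one(int listener)
{
    struct seccomp_notif req;
    struct seccomp_notif_resp resp;
    memset(&req, 0, sizeof req);         /* the kernel expects a zeroed buffer */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) == -1)
        return -1;
    /* Before touching anything the target owns (/proc/<pid>/mem, a path it passed),
     * confirm the request is still live: the target may have died and its pid been reused. */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id) == -1)
        return -1;
    decide(&req, &resp);
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) == -1 ? -1 : 0;
}

/* Install the filter, fork a target that calls getpid(), serve that call and return what
 * the target saw; DEMO_UNSUPPORTED if no listener can be created, -1 on other errors. */
long run_demo(void)
{
    int p[2];
    long seen = -1;
    if (pipe(p) == -1 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    int listener = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                           SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (listener == -1) return DEMO_UNSUPPORTED; /* kernel < 5.0, or an outer sandbox owns one */
    /* The filter is now live in this process as well, so it must not call getpid()
     * itself: nobody would answer that notification. */
    pid_t target = fork();
    if (target == -1) return -1;
    if (target == 0) {                   /* target: inherits the filter */
        close(listener);                 /* so a dead supervisor yields ENOSYS, not a hang */
        long v = syscall(SYS_getpid);    /* diverted to the supervisor */
        _exit(write(p[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(p[1]);
    if (supervise_one(listener) != 0)
        kill(target, SIGKILL);           /* never leave it parked in getpid() */
    else if (read(p[0], &seen, sizeof seen) != (ssize_t)sizeof seen)
        seen = -1;
    waitpid(target, NULL, 0);
    close(listener); close(p[0]);
    return seen;
}

int main(void)
{
    long seen = run_demo();
    printf("target saw getpid() == %ld (emulated value %d)\n", seen, FAKE_PID);
    return seen == FAKE_PID ? 0 : 1;
}
```

Two things worth keeping from this when moving to libseccomp's wrappers (SCMP_ACT_NOTIFY as the filter action, then seccomp_notify_receive, seccomp_notify_id_valid and seccomp_notify_respond): the SECCOMP_IOCTL_NOTIF_ID_VALID round trip is what protects you against acting on a dead or recycled pid once you start reading the target's memory through /proc/<pid>/mem, and the supervisor must never itself issue a syscall that its own filter diverts. Note also what the response can and cannot do: val/error set the result the target sees, and on 5.5+ the SECCOMP_USER_NOTIF_FLAG_CONTINUE flag lets the original syscall run after inspection, but the response cannot rewrite the target's registers, and the kernel header documents CONTINUE as unsafe for security decisions on pointer arguments because the target can change that memory after you looked at it. Argument rewriting therefore means writing the target's memory before responding, not editing the notification.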
I'm pretty new to seccomp; the day before, I didn't even know about its existence. If I understood correctly, the recent addition of notifications gives us the ability to handle syscalls from user mode.
Do you have code I can use as a reference for this task (seccomp notif. to intercept syscalls)?