On Tue, Jan 21, 2025 at 11:16:31AM -0500, Steven Rostedt wrote:
> [ Watching this with popcorn from the sidelines, but I'll chime in anyway ]
>
> On Tue, 21 Jan 2025 15:38:48 +0100 Jiri Olsa <olsajiri@gmail.com> wrote:
>
> > I'm still trying to come up with some other solution but wanted to exhaust all the options I could think of
>
> I think this may have been mentioned, but is there a way that the kernel could know that this system call is being monitored by seccomp, and if so, just stick with the interrupt version? If not, enable the system call?
yes [1], the problem with that solution is that we install the uretprobe trampoline at the function's uprobe entry probe, so we won't catch the case where seccomp is enabled inside this probed function, like:
  foo
    uprobe -> install uretprobe trampoline
    ...
    seccomp(SECCOMP_MODE_STRICT..
    ...
    ret -> execute uretprobe trampoline with sys_uretprobe
I thought we could perhaps switch the existing uretprobe trampoline to int3 when we are in sys_seccomp, but another user thread might already be executing the existing uretprobe trampoline, so I don't think we can do that
jirka
[1] https://lore.kernel.org/bpf/20250114123257.GD19816@redhat.com/
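The scenario Jiri sketches above can be reproduced in user space without a uprobe. What follows is an added example, not code from this thread or from the kernel: a child process enables seccomp part-way through a function and then issues one more system call on its way out, standing in for the sys_uretprobe the trampoline would issue at `ret`. getpid is used as the stand-in syscall, which is an assumption for illustration only; the fallback to a stacked SECCOMP_MODE_FILTER program (for environments where a container runtime has already installed a filter, which makes SECCOMP_MODE_STRICT fail with EINVAL) is also this example's own construction and not anything the kernel does. The parent observes that the child is killed with SIGKILL, which is what would happen to the probed process.

```c
/* Added example (not from the thread): reproduce the seccomp-vs-trampoline
 * failure mode without uprobes. A child enables seccomp in the middle of a
 * function and then issues a syscall seccomp does not permit, standing in
 * for the sys_uretprobe a uretprobe trampoline would issue on return.
 * Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Hypothetical stand-in for sys_uretprobe: any syscall outside the strict
 * mode set (read, write, exit, sigreturn) behaves the same way. */
#define PROBE_SYSCALL SYS_getpid

/* Enable seccomp for the calling thread. SECCOMP_MODE_STRICT is tried first
 * (the mode named in the thread). If the environment already installed a
 * filter (container runtimes do), strict mode is refused with EINVAL; then
 * stack a filter that kills the process on PROBE_SYSCALL instead, so the
 * demonstration still runs. This fallback is this example's own construction. */
static int enable_seccomp(void)
{
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0)
        return 0;
    if (errno != EINVAL)
        return -1;
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROBE_SYSCALL, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* The "probed" function: enables seccomp part-way through, like the
 * seccomp(SECCOMP_MODE_STRICT..) call in Jiri's sketch, then issues the
 * stand-in syscall on the way out, like the trampoline would at ret.
 * SYS_exit is used directly because glibc's _exit() calls exit_group,
 * which strict mode does not allow. */
static void probed_function(void)
{
    if (enable_seccomp() != 0)
        syscall(SYS_exit, 3);      /* seccomp unavailable: distinctive status */
    syscall(PROBE_SYSCALL);        /* killed here once seccomp is active */
    syscall(SYS_exit, 0);          /* only reached if the syscall was permitted */
}

/* Fork a child that runs probed_function() and report how it ended:
 *  1 -> killed by SIGKILL (the failure mode under discussion)
 *  0 -> exited normally with status 0 (syscall was permitted)
 * -1 -> anything else (fork failure, seccomp unavailable, ...) */
int run_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        probed_function();
        syscall(SYS_exit, 4);      /* not reached */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    int r = run_probe();
    if (r == 1)
        printf("child killed by SIGKILL: syscall issued after seccomp was enabled\n");
    else if (r == 0)
        printf("child survived: syscall was permitted\n");
    else
        printf("could not run the demonstration (seccomp unavailable?)\n");
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o seccomp_ret seccomp_ret.c` and run on Linux; it exits 0 when the child was killed. The point it makes for the thread is that the decision to use sys_uretprobe cannot be taken at uprobe entry, because the seccomp state at `ret` may differ from the state when the trampoline was installed.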