
Brauner: The Seccomp Notifier – New Frontiers in Unprivileged Container Development

([Kernel] Jul 23, 2020 19:54 UTC (Thu) (corbet))


Christian Brauner has posted [1] a novella-length description of the seccomp notifier mechanism and the problems it is meant to solve. "So from the section above it should be clear that seccomp provides a few desirable properties that make it a natural candidate to look at to help solve our mknod(2) and mount(2) problem. Since seccomp intercepts syscalls early in the syscall path it already gives us a hook into the syscall path of a given task. What is missing though is a way to bring another task such as the LXD container manager into the picture. Somehow we need to modify seccomp in a way that makes it possible for a container manager to not just be informed when a task inside the container performs a syscall it wants to be informed about but also to make it possible to block the task until the container manager instructs the kernel to allow it to proceed."
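The flow described in that paragraph, as an added example that is not taken from the LWN item or from Brauner's post: a filter hands one syscall to user space, the kernel parks the calling task, and a separate supervisor process reads the notification and decides whether the call proceeds. It intercepts mknodat (the syscall a modern mknod() wrapper issues), uses a forked child as the "container task", and assumes a 5-second poll timeout and a constructed /tmp path; the architecture check a production filter would also perform is left out for brevity.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>

/* Filter: hand mknodat(2) to the supervisor, allow every other syscall. Returns the listener fd or -1. */
static int install_filter(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 0),               /* seccomp_data.nr sits at offset 0 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mknodat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),   /* park the task, notify user space */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* required without CAP_SYS_ADMIN */
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER,
                        &(struct sock_fprog){ .len = 4, .filter = f });
}
/* Supervisor: wait for one notification and answer it; the task stays blocked in the kernel until then. */
static long supervise(int listener)
{
    struct seccomp_notif req = {0};                          /* the kernel rejects a non-zeroed buffer */
    struct pollfd pfd = { .fd = listener, .events = POLLIN }; /* bounded wait (assumed 5 s) avoids a hang */
    if (poll(&pfd, 1, 5000) != 1 || ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) != 0) return -1;
    struct seccomp_notif_resp resp = { .id = req.id, .error = -EPERM }; /* policy: refuse this call */
    return ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) == 0 ? req.data.nr : -1;
}
/* 0: child's mknodat() was intercepted and denied; 1: no notifier support in this kernel/sandbox; -1: failure. */
int run_demo(void)
{
    int listener = install_filter(), status = -1;
    if (listener < 0) return 1;
    pid_t child = fork();                                    /* the child inherits the filter */
    if (child == 0) {                                        /* constructed path; the node is never created */
        close(listener);                                     /* so the parent's close() drops the last reference */
        _exit(mknodat(AT_FDCWD, "/tmp/notif-demo-null", S_IFCHR | 0600, makedev(1, 3)) == -1 && errno == EPERM ? 0 : 1);
    }
    long nr = child > 0 ? supervise(listener) : -1;
    close(listener);                                         /* if supervise() failed, this unblocks the child */
    if (child > 0) waitpid(child, &status, 0);
    return nr == SYS_mknodat && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : -1;
}
```

Once the listener is closed, any further mknodat() under the filter fails with ENOSYS rather than blocking, which is why the parent closes it before reaping the child.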



[1] https://people.kernel.org/brauner/the-seccomp-notifier-new-frontiers-in-unprivileged-container-development
