News: 0000826897

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Brauner: The Seccomp Notifier – New Frontiers in Unprivileged Container Development

([Kernel] Jul 23, 2020 19:54 UTC (Thu) (corbet))


Christian Brauner has posted [1] a novella-length description of the seccomp notifier mechanism and the problems it is meant to solve. "So from the section above it should be clear that seccomp provides a few desirable properties that make it a natural candidate to look at to help solve our mknod(2) and mount(2) problem. Since seccomp intercepts syscalls early in the syscall path it already gives us a hook into the syscall path of a given task. What is missing though is a way to bring another task such as the LXD container manager into the picture. Somehow we need to modify seccomp in a way that makes it possible for a container manager to not just be informed when a task inside the container performs a syscall it wants to be informed about but also how to make it possible to block the task until the container manager instructs the kernel to allow it to proceed."



[1] https://people.kernel.org/brauner/the-seccomp-notifier-new-frontiers-in-unprivileged-container-development
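The mechanism the quote describes, shown end to end in a small C program: a seccomp filter returns SECCOMP_RET_USER_NOTIF for mknodat(2), the calling task blocks, a supervisor receives the intercepted call on the listener fd and either tells the kernel to carry it out (SECCOMP_USER_NOTIF_FLAG_CONTINUE) or fails it with an errno of its choosing. This is an added illustration, not code from Brauner's post, LXD or the kernel; it assumes a Linux kernel and UAPI headers of 5.5 or newer, and the names run_demo, install_mknod_notifier, decide and the DEMO_* codes are its own. The supervisor installs the filter before forking so the child inherits it (the same shortcut the kernel's seccomp selftests use); run_demo returns DEMO_UNSUPPORTED instead of failing when the kernel refuses to create the listener.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_USER_NOTIF_FLAG_CONTINUE   /* present in Linux >= 5.5 headers */
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)
#endif

/* Result codes of run_demo() (names are this example's own). */
enum { DEMO_OK = 0, DEMO_UNSUPPORTED = 1, DEMO_FAIL = -1 };

/* Install a filter that hands every mknodat(2) to user space and allows all
 * other syscalls. Returns the listener fd, or -1 with errno set.
 * A production filter would also check seccomp_data.arch. */
static int install_mknod_notifier(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = filter };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return (int)syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}

/* Supervisor policy: FIFOs may proceed, device nodes are refused. The mode is
 * a plain integer argument, so no TOCTOU applies to reading it here. */
static void decide(const struct seccomp_notif *req, struct seccomp_notif_resp *resp)
{
    memset(resp, 0, sizeof(*resp));
    resp->id = req->id;
    if (req->data.nr == __NR_mknodat && (req->data.args[2] & S_IFMT) == S_IFIFO)
        resp->flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE; /* kernel runs the real syscall */
    else
        resp->error = -EPERM;                           /* task sees -1 / errno EPERM */
}

int run_demo(void)
{
    char dir[] = "/tmp/notif-demo-XXXXXX";   /* constructed scratch location */
    char fifo[64], dev[64];
    if (!mkdtemp(dir)) return DEMO_FAIL;
    snprintf(fifo, sizeof fifo, "%s/fifo", dir);
    snprintf(dev, sizeof dev, "%s/null", dir);

    int listener = install_mknod_notifier();
    if (listener < 0) { rmdir(dir); return DEMO_UNSUPPORTED; }

    pid_t child = fork();
    if (child < 0) { close(listener); rmdir(dir); return DEMO_FAIL; }
    if (child == 0) {
        /* Confined task: inherits the filter; each mknodat blocks until answered. */
        long r1 = syscall(__NR_mknodat, AT_FDCWD, fifo, S_IFIFO | 0600, 0);
        long r2 = syscall(__NR_mknodat, AT_FDCWD, dev, S_IFCHR | 0600, makedev(1, 3));
        int e = errno;
        _exit(r1 == 0 && r2 == -1 && e == EPERM ? 0 : 1);
    }

    /* Supervisor: two notifications are expected, one per mknodat above. */
    int rc = DEMO_OK;
    struct seccomp_notif req;
    struct seccomp_notif_resp resp;
    for (int i = 0; i < 2 && rc == DEMO_OK; i++) {
        memset(&req, 0, sizeof req);            /* kernel rejects a non-zeroed struct */
        if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) { rc = DEMO_FAIL; break; }
        decide(&req, &resp);
        if (ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) < 0)
            rc = (errno == EINVAL) ? DEMO_UNSUPPORTED : DEMO_FAIL; /* EINVAL: no CONTINUE (< 5.5) */
    }
    if (rc != DEMO_OK) kill(child, SIGKILL);    /* never leave the task blocked */
    int status = 0;
    waitpid(child, &status, 0);
    close(listener);
    unlink(fifo); rmdir(dir);
    if (rc == DEMO_OK && !(WIFEXITED(status) && WEXITSTATUS(status) == 0)) rc = DEMO_FAIL;
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == DEMO_OK ? "ok" : rc == DEMO_UNSUPPORTED ? "unsupported" : "FAIL");
    return rc == DEMO_FAIL;
}
```

Compile with `cc -o notif notif.c` and run as an unprivileged user; the FIFO is created by the kernel on the supervisor's say-so and the device node attempt fails with EPERM. A real container manager receives the listener fd from the container's init over a unix socket rather than inheriting it, and for syscalls with pointer arguments it performs the operation itself (reading the arguments through /proc/PID/mem and validating the request id) instead of returning CONTINUE, because the confined task can change pointed-to memory between the decision and the kernel's execution.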

Mankind's yearning to engage in sports is older than recorded history,
dating back to the time millions of years ago, when the first primitive man
picked up a crude club and a round rock, tossed the rock into the air, and
whomped the club into the sloping forehead of the first primitive umpire.

What inner force drove this first athlete? Your guess is as good as
mine. Better, probably, because you haven't had four beers.
-- Dave Barry, "Sports is a Drag"