[PATCH v3 0/2] seccomp: pass uretprobe system call through seccomp

From: Eyal Birger
Date: Sun Feb 02 2025 - 11:29:51 EST


uretprobe(2) is a performance enhancement system call added to improve
uretprobes on x86_64.

Confinement environments such as Docker are not aware of this new system
call and kill confined processes when uretprobes are attached to them.

Since uretprobe is a "kernel implementation detail" system call which is
not used by userspace application code directly, pass this system call
through seccomp without forcing existing userspace confinement environments
to be changed.

To: Kees Cook <kees@xxxxxxxxxx>
To: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
To: Will Drewry <wad@xxxxxxxxxxxx>
To: Oleg Nesterov <oleg@xxxxxxxxxx>
To: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
To: Jiri Olsa <jolsa@xxxxxxxxxx>
To: Andrii Nakryiko <andrii@xxxxxxxxxx>
Cc: linux-kernel@xxxxxxxxxxxxxxx
Signed-off-by: Eyal Birger <eyal.birger@xxxxxxxxx>

Eyal Birger (2):
seccomp: passthrough uretprobe systemcall without filtering
selftests/seccomp: validate uretprobe syscall passes through seccomp

kernel/seccomp.c | 24 ++-
tools/testing/selftests/seccomp/seccomp_bpf.c | 195 ++++++++++++++++++
2 files changed, 216 insertions(+), 3 deletions(-)

--
2.43.0