You mentioned SECCOMP_RET_TRACE, but there is also SECCOMP_RET_TRAP[1] which appears to perform better. There is also KVM. Both of these are options for gVisor: <https://github.com/google/gvisor>

[1] <https://github.com/google/gvisor/blob/master/pkg/sentry/plat...>

▲

monocasa 6 hours ago | parent [-]

There's also SECCOMP_RET_USER_NOTIF, which is typically used by container runtimes for their sandboxing.

▲

coppsilgold 6 hours ago | parent [-]

SECCOMP_RET_USER_NOTIF seems to involve sending a struct over an fd on each syscall. Do they really use it? Performance ought to suffer.

Also gVisor (aka runsc) is a container runtime as well. And it doesn't gatekeep syscalls but chooses to re-implement them in userland.

	▲	xuhu 2 hours ago \| parent [-]
		SECCOMP_RET_USER_NOTIF appears to switch between the tracee and tracer processes for each syscall. Using SECCOMP_RET_TRAP to trigger a SIGSYS for every syscall in IO intensive apps introduces 5% overhead (and avoids a separate tracer). I wonder if there's any mechanism that works for intercepting static ELF's like Go programs and such.