| ▲ | coppsilgold 6 hours ago | |
SECCOMP_RET_USER_NOTIF seems to involve sending a struct over an fd on each syscall. Do they really use it? Performance ought to suffer. Also gVisor (aka runsc) is a container runtime as well. And it doesn't gatekeep syscalls but chooses to re-implement them in userland. | ||
| ▲ | xuhu 2 hours ago | parent [-] | |
SECCOMP_RET_USER_NOTIF appears to switch between the tracee and tracer processes for each syscall. Using SECCOMP_RET_TRAP to trigger a SIGSYS for every syscall in IO intensive apps introduces 5% overhead (and avoids a separate tracer). I wonder if there's any mechanism that works for intercepting static ELF's like Go programs and such. | ||