We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Supervising and emulating syscalls

00:00
subtitles
off
playback rate
1
subtitles
off
English (auto-generated)
playback rate
0.25
0.5
0.75
1
1.25
1.5
1.75
2
quality
576p
10
 Cite
 Share
 Related Material
 Download Purchase
Logo of FOSDEM VZWFOSDEM VZW
 Brauner, Christian

Formal Metadata

Title
Supervising and emulating syscalls
Title of Series
Number of Parts
490
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Recently the kernel landed seccomp support for SECCOMPRETUSER_NOTIF which enables a process (supervisee) to retrieve a fd for its seccomp filter. This fd can then be handed to another (usually more privileged) process (supervisor). The supervisor will then be able to receive seccomp messages about the syscalls having been performed by the supervisee. We have integrated this feature into userspace and currently make heavy use of this to intercept mknod(), mount(), and other syscalls in user namespaces aka in containers. For example, if the mknod() syscall matches a device in a pre-determined whitelist the privileged supervisor will perform the mknod syscall in lieu of the unprivileged supervisee and report back to the supervisee on the success or failure of its attempt. If the syscall does not match a device in a whitelist we simply report an error. This talk is going to show how this works and what limitations we run into and what future improvements we plan on doing in the kernel.
00:00
Canonical ensembleKernel (computing)Arrow of timePhysical systemIntercept theoremPhysical systemSystem callCartesian coordinate systemDivisorSpacetimeQuicksortDisk read-and-write headDependent and independent variablesParameter (computer programming)Set (mathematics)Run time (program lifecycle phase)Process (computing)Profil (magazine)Block (periodic table)NumberMobile appKernel (computing)ExistenceComputer fileIntercept theoremTable (information)Similarity (geometry)MereologyCASE <Informatik>WritingDifferent (Kate Ryan album)Multiplication signElectronic mailing listLimit (category theory)Form (programming)CuboidRight angleBit2 (number)Roundness (object)Computer architecturePresentation of a groupExtension (kinesiology)Computer animation
05:12
Kernel (computing)Kernel (computing)Profil (magazine)Process (computing)System callFile systemRevision controlOperator (mathematics)BitImplementationComputer fileMessage passingSpacetimeParameter (computer programming)Game theoryCASE <Informatik>NamespaceBlock (periodic table)Right angleMedical imagingTable (information)Demo (music)Limit (category theory)Data managementPower (physics)Functional (mathematics)RandomizationQuicksortCartesian coordinate systemMultiplication signEvent horizonSubsetStructural loadMetropolitan area networkScripting languageOptical disc driveHypermediaAuthorizationDecision theoryComa Berenices2 (number)Physical systemSemiconductor memoryHoaxForm (programming)WorkloadMilitary baseVideo game consoleTask (computing)Workstation <Musikinstrument>Computer animation
10:17
Kernel (computing)CompilerState of matterData typePhysical systemProjective planeComputer animationXML
10:53
RootStatisticsPhysical systemMessage passingPrincipal ideal domainPrinciple of maximum entropyBefehlsprozessorGastropod shellUser profileMilitary operationPatch (Unix)Information securityScripting languageBeer steinTotal S.A.MathematicsLink (knot theory)Block (periodic table)Computer fileFile systemParameter (computer programming)Configuration spaceKernel (computing)Electronic mailing listProfil (magazine)Message passingFluid staticsGroup actionCompilation albumMereologyEmulatorMultilaterationCASE <Informatik>Metropolitan area networkSpacetimeComputer clusterRevision controlVideo game consoleSystem callLie groupDemo (music)Limit (category theory)Computer animation
13:44
RootLink (knot theory)MathematicsStatisticsBlock (periodic table)Total S.A.User profileLoginInformation securityGastropod shellDemo (music)Goodness of fitType theoryState of matterCASE <Informatik>File systemWindowRight angleSystem callRootHoaxComputer animation
15:34
Default (computer science)Computer-generated imageryInformation securitySerial portAnnulus (mathematics)Electric currentGastropod shellRootLoginKernel (computing)Computer fileDefault (computer science)Limit (category theory)Medical imagingSource codeComputer animation
16:26
RootLocal GroupTotal S.A.FirmwareKernel (computing)Physical systemInformation securityRead-only memoryEvent horizonLoginSystem callLatent heatLogicImplementationDemo (music)Multiplication signOperator (mathematics)Semiconductor memorySpacetimeMechanism designTable (information)Thread (computing)PrototypeKernel (computing)Information securityComputer configurationComputer fileParameter (computer programming)Cartesian coordinate systemEqualiser (mathematics)Limit (category theory)Point (geometry)Different (Kate Ryan album)Condition numberPatch (Unix)Stack (abstract data type)Task (computing)Category of beingRandom number generationSocket-SchnittstelleType theoryFile systemInformation retrievalBridging (networking)Event horizonDecision theoryPhysical systemGroup actionProcess (computing)Cone penetration testFamilyThermal expansionNumberPersonal digital assistantCodeWorkloadComputer animation
21:44
Point cloudFacebookOpen source
Transcript: English(auto-generated)