uretprobe(2) is a performance enhancement system call added to improve uretprobes on x86_64. Confinement environments such as Docker are not aware of this new system call and kill confined processes when uretprobes are attached to them. Since uretprobe is a "kernel implementation detail" system call which is not used by userspace application code directly, pass this system call through seccomp without forcing existing userspace confinement environments to be changed.

To: Kees Cook <kees@xxxxxxxxxx>
To: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
To: Will Drewry <wad@xxxxxxxxxxxx>
To: Oleg Nesterov <oleg@xxxxxxxxxx>
To: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
To: Jiri Olsa <jolsa@xxxxxxxxxx>
To: Andrii Nakryiko <andrii@xxxxxxxxxx>
Cc: linux-kernel@xxxxxxxxxxxxxxx
Signed-off-by: Eyal Birger <eyal.birger@xxxxxxxxx>

Eyal Birger (2):
  seccomp: passthrough uretprobe systemcall without filtering
  selftests/seccomp: validate uretprobe syscall passes through seccomp

 kernel/seccomp.c                              |  24 ++-
 tools/testing/selftests/seccomp/seccomp_bpf.c | 195 ++++++++++++++++++
 2 files changed, 216 insertions(+), 3 deletions(-)

--
2.43.0