On Fri, Feb 7, 2025 at 5:20 PM Eyal Birger <eyal.birger@xxxxxxxxx> wrote:
> On Fri, Feb 7, 2025 at 7:27 AM Jann Horn <jannh@xxxxxxxxxx> wrote:
> >
> > On Sun, Feb 2, 2025 at 5:29 PM Eyal Birger <eyal.birger@xxxxxxxxx> wrote:
> > > uretprobe(2) is a performance enhancement system call added to improve
> > > uretprobes on x86_64.
> > >
> > > Confinement environments such as Docker are not aware of this new system
> > > call and kill confined processes when uretprobes are attached to them.
> >
> > FYI, you might have similar issues with Syscall User Dispatch
> > (https://docs.kernel.org/admin-guide/syscall-user-dispatch.html) and
> > potentially also with ptrace-based sandboxes, depending on what kinda
> > processes you inject uprobes into. For Syscall User Dispatch, there is
> > already precedent for a bypass based on instruction pointer (see
> > syscall_user_dispatch()).
>
> Thanks. This is interesting.
>
> Do you know of confinement environments using this?

Not for Syscall User Dispatch; I think that was mostly intended for
stuff like emulating Windows syscalls in WINE. I'm not sure who
actually uses it, I just know a bit about the kernel side of it.