Libseccomp: Q: intercept syscalls from same process

Created on 20 May 2021  ·  3 Comments  ·  Source: seccomp/libseccomp

I'm working on a sandbox on Linux. What I want to achieve is to intercept syscalls and return an emulated value, or change registers/pointers and execute the syscall with the modified value.

I would like to achieve this from the same process, my code is already injected into the target process during startup.

Is it possible to do this with seccomp?
If you have an example, it would be helpful, or any other recommendations; maybe there is a better way to achieve the same.

question

All 3 comments

It is probably worth mentioning that attempting to intercept syscalls as a form of sandboxing from within the same address space as the process being sandboxed is going to be prone to failure. A malicious application could find a way to detect that it is being sandboxed and take action against the sandboxing code running in its address space.

A better option would be to go with a more traditional static syscall filter as is done by a large number of sandboxing tools or create a supervisor process to monitor and intercept syscalls using the notification capabilities added to seccomp/libseccomp.

I'm pretty new to seccomp; the day before, I didn't even know about its existence. If I understood correctly, the recent addition of notifications gives us the ability to handle syscalls from usermode.
Do you have code I can use as a reference for this task (seccomp notif. to intercept syscalls)?

You could always check the test below, it's rather simple but it should give you a basic idea on how to use it:

I'm going to close this issue as I think the question has been resolved, but if you disagree feel free to reopen/comment.
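The supervisor-process approach recommended in the first comment, as an added example that is not the libseccomp test referenced above: the target would install a filter whose rule for the syscalls of interest returns the notify action (libseccomp's SCMP_ACT_NOTIFY, with the listener fd from seccomp_notify_fd()) and hand that fd to this process, which answers each notification with the raw kernel ioctls that seccomp_notify_receive()/seccomp_notify_respond() wrap. The names `decide()`, `decide_nr()` and `supervise()` are chosen here, and `decide_nr()` builds a notification in memory so the policy logic runs without a live target.

```c
#include <errno.h>
#include <linux/seccomp.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>

/* Reply to one intercepted syscall. User notification offers exactly three
 * outcomes: emulate (val), fail (error = -errno), or let the kernel run the
 * original call untouched (SECCOMP_USER_NOTIF_FLAG_CONTINUE). It cannot
 * rewrite the target's registers or the memory its pointers reference. */
static struct seccomp_notif_resp decide(const struct seccomp_notif *req)
{
    struct seccomp_notif_resp resp;
    memset(&resp, 0, sizeof(resp));
    resp.id = req->id;                /* the reply must echo the request id */
    switch (req->data.nr) {
    case __NR_getppid:                /* emulate: report a fake parent pid */
        resp.val = 1;
        break;
    case __NR_mount:                  /* deny: the sandbox never allows mount */
        resp.error = -EPERM;
        break;
    default:                          /* anything else notified: run as-is */
        resp.flags = SECCOMP_USER_NOTIF_FLAG_CONTINUE;
    }
    return resp;
}

/* Construct a request for syscall `nr` (no live target) and decide it. */
static struct seccomp_notif_resp decide_nr(__u64 id, int nr)
{
    struct seccomp_notif req;
    memset(&req, 0, sizeof(req));
    req.id = id;
    req.data.nr = nr;
    return decide(&req);
}

/* Serve notifications on `listener`, the fd handed over by the target. */
static int supervise(int listener)
{
    struct seccomp_notif req;
    for (;;) {
        memset(&req, 0, sizeof(req)); /* the kernel requires a zeroed struct */
        if (ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0)
            return -1;
        struct seccomp_notif_resp resp = decide(&req);
        /* Data read from target memory must be re-checked with NOTIF_ID_VALID. */
        if (ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp) < 0 && errno != ENOENT)
            return -1;                /* ENOENT: target died or was interrupted */
    }
}
```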
