seccomp how to handle ptrace events


I am using seccomp filters to restrict system calls made by a process. Up to the point of using a whitelist of system calls to allow and disallow system calls, it is understandable. I am stuck on the concept of ptrace events generated by seccomp rules. For example, I can disallow open, but I want to generate a ptrace event on the open system call so that I can determine whether the process can open that file or not. My specific question is: how do I catch a ptrace event generated by seccomp? Any help or reference will be a great blessing.

I googled in my humble capacity but did not find any help or a running example.


There are 1 best solutions below


You need to have a separate program which traces the inferior. This tracer shall call

    ptrace(PTRACE_SETOPTIONS, tracee_pid, 0, PTRACE_O_TRACESECCOMP);

to request notifications, and call

    waitpid(tracee_pid, &status, __WALL);

to be notified. When waitpid returns, analyze status, and retrieve notification via

    unsigned long data;
    ptrace(PTRACE_GETEVENTMSG, tracee_pid, 0, &data);
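
The three calls above, put together as a complete tracer and tracee in one program. This is an added example, not part of the original answer; the `TAG` value, the function names and the choice of `openat` on `/dev/null` as the traced call are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#define TAG 42 /* constructed SECCOMP_RET_DATA value, reported to the tracer */
/* Tracee: stop for the tracer, install the filter, then call openat(). */
static void tracee(void) {
    struct sock_filter f[] = { /* real filters must also check seccomp_data.arch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | TAG),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof f[0], .filter = f };
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(1);
    raise(SIGSTOP); /* wait until the tracer has set PTRACE_O_TRACESECCOMP */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) _exit(1);
    syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY); /* triggers the event */
    _exit(0);
}

/* Tracer: returns the data of the first seccomp event, or -1 if none arrived. */
long trace_first_seccomp_event(void) {
    int status; long result = -1;
    unsigned long data = 0;
    pid_t pid = fork();
    if (pid == 0) tracee();
    if (pid == -1 || waitpid(pid, &status, __WALL) != pid || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_TRACESECCOMP) == -1) kill(pid, SIGKILL);
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    while (waitpid(pid, &status, __WALL) == pid && WIFSTOPPED(status)) {
        int sig = WSTOPSIG(status); /* ordinary signals are passed through */
        if ((status >> 8) == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            if (ptrace(PTRACE_GETEVENTMSG, pid, NULL, &data) == 0) result = (long)data;
            sig = 0; /* policy decision goes here; resuming lets openat() run */
        }
        ptrace(PTRACE_CONT, pid, NULL, (void *)(long)sig);
    }
    return result;
}
int main(void) { printf("event data: %ld\n", trace_first_seccomp_event()); return 0; }
```

Resuming with `PTRACE_CONT` lets the stopped system call proceed; to refuse it, the tracer changes the syscall number in the tracee's registers to -1 before resuming, which is architecture-specific and not shown here.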