Ali Polatel <pola...@gmail.com> writes:

> [...] Basically sydbox intercepts some system calls and checks
> their arguments. Using ptrace, however, it's not possible to stop
> the children only at the entry of system calls we are interested in
> but we have to stop them at _every_ system call and check for the
> system call number. [...]
This is because, at the point where the relevant utrace hooks exist, it does not matter what system call is being run. There is only one hook, and it takes all syscalls off of the normal path, so by nature someone must demultiplex after the fact. The utrace way is to make that someone be the utrace-engine client.

If you want to instrument system calls individually, you may need to use another technology. (In systemtap we support per-syscall but system-wide kprobes, and per-thread but syscall-wide utrace probes.) Per-process per-syscall tracepoint widgetry is under construction but I don't think it's widely available yet, but that could be your target. All of this involves kernel-side (module) programming, by the way.

- FChE
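The situation Ali describes, written out as an added example that is not part of this thread, of sydbox or of utrace: a minimal Linux tracer built on PTRACE_SYSCALL. The tracee is stopped at the entry and the exit of every system call it makes, and the tracer has to read the syscall number out of the registers itself to pick out the calls it actually cares about, which is exactly the demultiplexing burden the reply talks about. The example assumes the x86_64 or aarch64 register layouts and that ptrace is permitted for the caller (containers and a restrictive yama ptrace_scope can deny it); `/bin/true` as the default tracee and `openat` as the call of interest are choices made here for illustration.

```c
/* Added example: count every syscall entry of a traced child and pick out
 * one syscall number of interest. Not code from sydbox or utrace. */
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

struct trace_stats {
    long total_entries;  /* syscall-entry stops seen: one per system call */
    long matched;        /* how many of those carried the wanted number */
    int  exit_status;    /* tracee's exit status once it is gone */
};

/* Read the syscall number of a tracee that is stopped at a syscall-stop.
 * The register holding it is architecture specific (assumption: x86_64 or
 * aarch64 here). */
static long syscall_number(pid_t pid)
{
    struct user_regs_struct regs;
#if defined(__x86_64__)
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;
#elif defined(__aarch64__)
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];
#else
#error "this example only knows the x86_64 and aarch64 register layouts"
#endif
}

/* Run argv[0] under PTRACE_SYSCALL. Every system call produces an entry
 * stop and an exit stop; we must look at each one and decide ourselves
 * whether its number is `wanted`. Returns 0 on success, -1 on error. */
int trace_syscalls(char *const argv[], long wanted, struct trace_stats *st)
{
    int status, sig = 0, in_syscall = 0;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Tracee: request tracing, then exec; the exec delivers the first stop. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        execv(argv[0], argv);
        _exit(127);
    }
    st->total_entries = st->matched = 0;
    st->exit_status = -1;

    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    /* TRACESYSGOOD tags syscall-stops as SIGTRAP|0x80 so they are not
     * confused with a genuine SIGTRAP delivered to the tracee. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) == -1)
        return -1;

    for (;;) {
        /* Resume to the next syscall-stop, injecting any pending signal. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return -1;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status)) {
            st->exit_status = WEXITSTATUS(status);
            return 0;
        }
        if (WIFSIGNALED(status)) {
            st->exit_status = 128 + WTERMSIG(status);
            return 0;
        }
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);   /* a real signal: pass it through */
            continue;
        }
        in_syscall = !in_syscall;     /* stops alternate entry, exit, entry ... */
        if (!in_syscall)
            continue;
        long nr = syscall_number(pid);
        if (nr == -1)
            return -1;
        st->total_entries++;          /* we pay for every call, wanted or not */
        if (nr == wanted)
            st->matched++;
    }
}

int main(int argc, char **argv)
{
    char *const dflt[] = { "/bin/true", NULL };
    char *const *cmd = dflt;
    struct trace_stats st;
    if (argc > 1)
        cmd = &argv[1];
    if (trace_syscalls(cmd, SYS_openat, &st) == -1) {
        perror("trace_syscalls");
        return 1;
    }
    printf("%ld system calls entered, %ld were openat, exit status %d\n",
           st.total_entries, st.matched, st.exit_status);
    return 0;
}
```

Even for a tracee as small as `/bin/true`, `total_entries` comes out well above one while only one of those stops is the call the tracer was looking for; each of the others still cost two stops and two context switches, which is the overhead a per-syscall hook would avoid. The entry/exit alternation relies on nothing else interrupting the sequence; a production tracer would use PTRACE_GET_SYSCALL_INFO (Linux 5.3+) to tell entry from exit explicitly.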