
Posts

2024


Failing Randomly: Linux Seccomp and Kernel Hacking

·9 mins

Seccomp filters system calls with cBPF code. One can blacklist certain system call numbers or even make a decision based on call arguments. Both Docker and Chromium use seccomp to protect the host from malicious or misbehaving programs.

With seccomp we can make a syscall fail consistently. We can't make a syscall fail with a certain probability, though. How hard could it be for a complete kernel newbie to extend seccomp?

2023


eBPF: Dereference of Modified Ctx Ptr Disallowed

·8 mins

Working with eBPF, the technology for safely executing custom code inside the Linux kernel, can get interesting. Today we find out why dereferencing a modified context pointer makes the verifier unhappy and how to fix it.