Limiting system calls via control groups?
Posted Oct 22, 2011 17:20 UTC (Sat) by alonz
In reply to: Limiting system calls via control groups?
Parent article: Limiting system calls via control groups?
Unfortunately, the “personality” mechanism (used for SCO emulation) hinges on the difference in syscall ABIs between Linux and SCO (specifically: Linux uses sysenter/syscall instructions, while SCO used lcall7).
The existing seccomp uses the trace path, which is a nice compromise—it requires a single hook in the (performance-critical) system-call-entry code for any non-standard behavior, which translates to either tracing or seccomp-limitation of the system calls. To be workable, any solution will need to maintain this level of performance (= nearly zero impact when disabled).
to post comments)