Does this approach work on a per process basis? I.e. do the restrictions apply to a particular process/thread while others are not impacted?
It's an engine - and as such it takes ASCII strings, turns them into a 'filter object' in essence which you can then attach to anything and pass in values to evaluate.
Note that there's nothing 'tracing' about that concept.
Right now we attach such filters to tracepoints - such as syscall tracepoints.
It could be attached via seccomp and to an untrusted process as well, with a minimal amount of code, if there's interest to share this facility for such purposes.
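The per-process question above is what seccomp answers: a filter installed by a process binds only to that process (and what it later forks), not to its siblings. The following is an added example, not code from the thread or from the kernel's tracing filter engine; it hand-builds a small seccomp-BPF program that denies one syscall with EPERM in a child while the parent stays unrestricted, and `install_deny_filter` / `demo_per_process_filter` are names chosen here.

```c
/* Added example: per-process syscall restriction via seccomp-BPF.
 * Hand-built BPF, not the ftrace string-filter engine discussed above. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Deny one syscall (by number) with EPERM, allow everything else.
 * A production filter also checks seccomp_data.arch before trusting nr. */
static int install_deny_filter(int denied_nr)
{
    struct sock_filter insns[] = {
        /* Load the syscall number from the seccomp_data the kernel passes in. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* nr == denied_nr: fall through to ERRNO; otherwise skip to ALLOW. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)denied_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof insns / sizeof insns[0], .filter = insns };

    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 1 if the filtered child got EPERM from socket() while the
 * unfiltered parent could still create a socket; 0 otherwise. */
int demo_per_process_filter(void)
{
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        if (install_deny_filter(SYS_socket) != 0) _exit(2);
        int fd = socket(AF_UNIX, SOCK_STREAM, 0);
        /* The filter verdict surfaces as an ordinary errno, not a kill. */
        _exit(fd < 0 && errno == EPERM ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return 0;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);   /* parent is unaffected */
    if (fd < 0) return 0;
    close(fd);
    return 1;
}
```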
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds