Brauner: The Seccomp Notifier – New Frontiers in Unprivileged Container Development
Christian Brauner has posted a novella-length description of the seccomp notifier mechanism and the problems it is meant to solve. "So from the section above it should be clear that seccomp provides a few desirable properties that make it a natural candidate to look at to help solve our mknod(2) and mount(2) problem. Since seccomp intercepts syscalls early in the syscall path it already gives us a hook into the syscall path of a given task. What is missing though is a way to bring another task such as the LXD container manager into the picture. Somehow we need to modify seccomp in a way that makes it possible for a container manager to not just be informed when a task inside the container performs a syscall it wants to be informed about but also to make it possible to block the task until the container manager instructs the kernel to allow it to proceed."
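As an added illustration of the two halves described in the quote (a task blocked in its syscall until a manager answers), here is a small C program that is not from Brauner's post or from LXD: it installs a seccomp filter with a user-notification listener, forks a "container" task that attempts two mknodat(2) calls, and answers each one from the manager side. The file paths, the mode-based policy (FIFOs reported as done on the task's behalf, device nodes refused) and the return codes are constructed for this demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* 0 = both mknodat() calls intercepted and answered as intended, 1 = unexpected outcome, -1 = no listener support */
int seccomp_notify_demo(void) {
    /* Filter: mknodat(2) -> listener, everything else allowed (a real filter must also check seccomp_data.arch). */
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = filt };
    int fd = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ? -1 : (int)syscall(
        SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (fd < 0) return -1;
    pid_t pid = fork();  /* the child inherits the filter; its calls hit fd */
    if (pid == 0) {      /* "container" task: a device node, then a FIFO (constructed paths) */
        close(fd);       /* the task must not hold the manager's listener */
        long dev = syscall(__NR_mknodat, AT_FDCWD, "/tmp/demo-dev", S_IFCHR | 0600, 0);
        int dev_errno = errno;
        long fifo = syscall(__NR_mknodat, AT_FDCWD, "/tmp/demo-fifo", S_IFIFO | 0600, 0);
        _exit(dev == -1 && dev_errno == EPERM && fifo == 0 ? 0 : 1);
    }
    /* Manager: the task stays blocked in mknodat() until we answer. Policy: FIFO -> report
     * success as if created on its behalf (nothing is created here), device node -> EPERM. */
    struct seccomp_notif req;
    struct seccomp_notif_resp resp = {0};
    int rc = pid < 0 ? -1 : 0;  /* a failed fork skips the manager loop */
    for (int i = 0; i < 2 && rc == 0; i++) {
        memset(&req, 0, sizeof req);  /* the kernel rejects a non-zeroed request struct */
        rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, &req);
        resp.id = req.id;
        resp.error = (req.data.args[2] & S_IFMT) == S_IFIFO ? 0 : -EPERM;
        if (rc == 0) rc = ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    }
    close(fd);  /* after a manager failure this unblocks the child with ENOSYS instead */
    int status = 0; waitpid(pid, &status, 0);
    return rc == 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : 1;
}
```

Call seccomp_notify_demo() from a main() to run it; it needs a Linux 5.0 or later kernel and headers, and returns -1 where the listener is unavailable.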