syscalls icon indicating copy to clipboard operation
syscalls copied to clipboard
verified publisher icon jasonwhite

Add predefined sets of syscalls

Open jasonwhite opened this issue 3 years ago • 0 comments

With SysnoSet, we can create a bitset of syscalls at compile time. Having predefined sets for various groups of related syscalls is useful for constructing seccomp filters. strace for example, categorizes syscalls in their syscall tables.

We could have SysnoSets for:

  • [ ] All syscalls that create file descriptors.
  • [ ] All syscalls that take file descriptors as parameters.
  • [ ] All network related syscalls.
  • [ ] All memory related syscalls.
  • [ ] All state-related syscalls.
  • [ ] All signal-related syscalls.
  • [ ] All syscalls that never fail (e.g., getpid, gettid).
  • [ ] All process-related syscalls.

The great thing about using a bitset for these is that they can be easily manipulated with set operations (e.g., union, intersection, difference).

These syscall sets should probably be behind a feature flag to avoid slowing down compilation for crates that only need basic functionality.

See also:

  • strace's x86_64 syscall table: https://github.com/strace/strace/blob/2c591a8976529fb1c5951d7d54dee2d0ace5b206/src/linux/x86_64/syscallent.h
  • strace's shorthand notation used in the table above: https://github.com/strace/strace/blob/df89e8bb642dbe63b3a6f82bb571d1b1139d1439/src/sysent_shorthand_defs.h#L38-L61

jasonwhite avatar Aug 04 '22 00:08 jasonwhite