Rewriting Every Syscall in a Linux Binary at Load Time
1 points by emschwartz
Why even bother with patching syscall instructions, if you then run the code in a VM with a custom syscall trap handler anyway? Just move all your int3 trap handling code to the syscall trap handler function and skip the patching? Was this designed entirely by AI?
This seems written by an AI and not even proofread. There is a table in the middle with no formatting at all:
Requirement                                          ptrace          seccomp               eBPF       Binary rewrite
Low overhead per syscall                             No (~10-20µs)   Yes                   Yes        Yes
Inspect pointer arguments (filenames, buffers)       Yes (slow)      No                    Read-only  Yes
Modify return values                                 Yes (slow)      No                    No         Yes
Gracefully deny (return -EPERM, process continues)   Yes (slow)      Partial (ERRNO mode)  No         Yes
Emulate the syscall entirely                         Yes (slow)      No                    No         Yes
No kernel module required                            Yes             Yes                   Yes        Yes
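A worked example of the table's "Gracefully deny (return -EPERM, process continues)" row for seccomp, added here and not taken from the linked article or either comment: a SECCOMP_RET_ERRNO filter that makes mkdir fail with EPERM while the process keeps running. It assumes x86-64 Linux with glibc; the function names deny_with_eperm and try_mkdir and the /tmp path are my own choices.

```c
// Added example (not the article's code): seccomp "ERRNO mode" from the
// comparison table. Only mkdir/mkdirat are denied; the process continues.
// x86-64 Linux only, because the filter hard-codes AUDIT_ARCH_X86_64.
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __x86_64__
#error "this example hard-codes the x86-64 syscall ABI"
#endif

/* Allow every syscall except nr1 and nr2, which return -EPERM to the caller
 * instead of executing. Returns 0 on success, -1 (errno set) on failure. */
int deny_with_eperm(int nr1, int nr2) {
    struct sock_filter filter[] = {
        /* refuse to run under a foreign ABI, where syscall numbers differ */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* nr == nr1 or nr == nr2 -> ERRNO(EPERM); anything else -> ALLOW */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr1, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr2, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* mandatory for an unprivileged process before it may install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Attempt a mkdir; returns 0 if it succeeded (and removes it), else errno. */
int try_mkdir(const char *path) {
    if (mkdir(path, 0700) == 0) { rmdir(path); return 0; }
    return errno;
}

int main(void) {
    /* glibc may issue legacy mkdir or mkdirat(AT_FDCWD, ...); deny both */
    if (deny_with_eperm(SYS_mkdir, SYS_mkdirat) != 0) { perror("seccomp"); return 1; }
    int err = try_mkdir("/tmp/seccomp-eperm-demo");
    printf("mkdir errno=%d%s; process still running\n", err, err == EPERM ? " (EPERM)" : "");
    return 0;
}
```

Note the two limits the table's "Partial" hints at: the filter sees only the syscall number and raw register values, so it can neither read the pathname to decide per-directory nor substitute a different result, which is where ptrace or binary rewriting are needed.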