Core concept behind ujail
Registered by
Stephan Peijnik
This blueprint should give an overview of the core concept behind ujail.
Blueprint information
- Status: Not started
- Approver: None
- Priority: Essential
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by
- Completed by
Whiteboard
ujail's main concept is to use ptrace to intercept "interesting" system calls and either emulate them or pass them on to the kernel.
"Interesting" is defined per application and could, for example, be all socket-related system calls, all file I/O system calls, and so on.
The ujail library should thus make it possible to build a full sandbox that can intercept *any* system call the sandboxed program makes, while keeping the library's own resource usage, and therefore its overhead, low.
It is not ujail's goal to fully emulate a kernel; as described, it intercepts only the system calls that are interesting in the individual use case.
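The whiteboard names the mechanism (ptrace, intercept, emulate or pass through) but does not show what such a tracer loop looks like. The following is an added example, not ujail's own code, written for Linux on x86_64 (it reads `orig_rax`/`rax` through `PTRACE_GETREGS`). It traces a child with `PTRACE_SYSCALL`, passes every system call to the kernel untouched except the one "interesting" call named in a hypothetical `jail_policy` structure, and emulates that call as a failure with `EPERM` by rewriting the syscall number at the entry stop and the return value at the exit stop. The `try_socket` workload and the policy structure are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef __x86_64__
#error "This added example reads orig_rax/rax and therefore assumes Linux on x86_64"
#endif

/* Policy for one "interesting" system call (hypothetical structure, not ujail's API):
 * that call is emulated as a failure with EPERM; everything else passes through. */
struct jail_policy {
    long deny_nr;      /* syscall number to intercept, e.g. SYS_socket */
    long intercepted;  /* filled in: how often the tracer emulated it */
};

/* Run child_fn in a ptrace-traced child. Returns the child's exit status,
 * 128+signal if it was killed, or -1 on a tracer-side error. */
static int run_jailed(int (*child_fn)(void), struct jail_policy *policy)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: request tracing, stop so the parent can configure, then run. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(127);
        raise(SIGSTOP);
        _exit(child_fn());
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    /* TRACESYSGOOD reports syscall stops as SIGTRAP|0x80, so they cannot be
     * confused with a real SIGTRAP delivered to the child. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0)
        return -1;

    int in_syscall = 0;  /* stops alternate: entry (0 -> 1), exit (1 -> 0) */
    int pending = 0;     /* 1 while a denied call is between entry and exit */
    int sig = 0;         /* signal to deliver to the child on resume */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0)
            return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))
            return 128 + WTERMSIG(status);
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);  /* ordinary signal stop: forward the signal */
            continue;
        }

        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            return -1;
        in_syscall = !in_syscall;
        if (in_syscall) {
            /* Entry stop: orig_rax is the requested syscall number. Replacing it
             * with -1 makes the kernel execute no real syscall at all. */
            if ((long)regs.orig_rax == policy->deny_nr) {
                policy->intercepted++;
                pending = 1;
                regs.orig_rax = (unsigned long long)-1;
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0)
                    return -1;
            }
        } else if (pending) {
            /* Exit stop: replace the kernel's -ENOSYS with the emulated result. */
            pending = 0;
            regs.rax = (unsigned long long)(long)(-EPERM);
            if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0)
                return -1;
        }
    }
}

/* Constructed workload: tries to create a socket and reports whether the jail's
 * emulated EPERM was observed (42), the call went through (0), or neither (1). */
static int try_socket(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == EPERM ? 42 : 1;
}

/* Deny socket(2) for the workload. Returns the workload's exit status, or -2 if
 * the tracer did not see exactly one socket() call. */
int demo_deny_socket(void)
{
    struct jail_policy policy = { SYS_socket, 0 };
    int rc = run_jailed(try_socket, &policy);
    return policy.intercepted == 1 ? rc : -2;
}

int main(void)
{
    int rc = demo_deny_socket();
    printf("jailed workload returned %d (42 = socket() was emulated as EPERM)\n", rc);
    return rc == 42 ? 0 : 1;
}
```

Each intercepted call costs two stops (entry and exit), each a round trip between tracee and tracer, which is why the whiteboard's restriction to "interesting" calls matters for overhead. Two caveats any ptrace-based sandbox inherits: pointer arguments live in the tracee's memory and, in a multithreaded tracee, can be rewritten by another thread after the tracer has inspected them, so policy decisions must be based on values copied at the entry stop rather than re-read later; and every thread and forked child must be traced as well (`PTRACE_O_TRACECLONE`, `PTRACE_O_TRACEFORK`, `PTRACE_O_TRACEVFORK`), otherwise the untraced process runs outside the jail entirely.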