I'm interested in writing a kernel program that can have all possible controls over syscalls, such as interception, filtering, and making changes to their arguments.
I'm looking for two goals:
- read system calls and their arguments and decide to block or allow them according to a policy.
- have access to change their arguments and pass them on to the user.
In fact (I do not know whether this analogy is accurate), I want to do something like simple virtualization for a process, which can change its view of the kernel and its system calls (for example, it requests the file "/tmp/new_folder/foo.txt" with the open syscall and we return "/tmp/another_folder/foo2.txt" instead).
I insist that this be done with eBPF, but if there is another way, I would welcome it.
Also, I should say that I know about the use of BCC in this case; it seems to be designed for tracing, not for filtering and influencing. I also tried seccomp, and it is better than BCC, but seccomp can't be used to access arguments, and that is an important factor for me. So I think my answer may lie in something like LSM, but I don't know how, and I didn't find any good documentation for it.
Thanks for any help.