README.md: 14 additions & 2 deletions
@@ -12,7 +12,7 @@ COPYCAT="/tmp/a /tmp/b" copycat -- cat /tmp/a # this will print "b"
```
Internally `copycat` uses a modern [Seccomp Notifier](https://man7.org/linux/man-pages/man2/seccomp_unotify.2.html) implementation to reliably intercept system calls.
-
This is cleaner and much faster than usual `ptrace`-based implementations. However due to this relatively new Linux Kernel feature, `copycat` only works on **Linux 5.9** or higher.
+
This is more elegant and much faster than usual `ptrace`-based implementations. However due to this relatively new Linux Kernel feature, `copycat` only works on **Linux 5.9** or higher.
# Building
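Review bot: wording-only change ("cleaner" to "more elegant"), fine as is; while this sentence is being touched, add the missing comma in "However, due to" and tie the kernel requirement to its cause in the sentence itself, e.g. "Because the notifier API is relatively new, `copycat` requires Linux 5.9 or later."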
@@ -36,7 +36,7 @@ Historically, system call interception was done using `ptrace()`. This has the d
Using this method it is also incredibly cumbersome to overwrite system call arguments, and one quickly has to deal with architecture-specific quirks.
Recent advancements in the [Seccomp Notifier](https://people.kernel.org/brauner/the-seccomp-notifier-cranking-up-the-crazy-with-bpf) API have made it possible to intercept any system call in a much more elegant way.
-
This also offers significant speed improvements, now the performance impact is more like running the application in a container (with `seccomp`) instead of running in a debugger (with `ptrace`).
+
This also offers significant speed improvements, now the performance impact is closer to running the application in a container.
# Rules format
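Review bot: the rewrite drops the contrast that made the old sentence useful. The deleted line said the overhead resembles running under `seccomp` in a container rather than under a debugger with `ptrace`; the new line only says "closer to running the application in a container" without saying compared to what. Suggest keeping the comparison and splitting the comma splice: "This also offers significant speed improvements: the performance impact is now closer to running the application in a container (with `seccomp`) than to running it under a debugger (with `ptrace`)." If measurements exist, a short benchmark reference here would back the "much faster" claim made earlier in the README.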
@@ -56,3 +56,15 @@ Otherwise the rule matches source literally, i.e. the rule matches only the sing
# Redirect all files and folders in /tmp/f to the single file /etc/f
/tmp/f/ /etc/f
```
+
+
# Caveats
+
+
Not all `open()`-style syscalls have been implemented yet.
Note that if programs use the glibc wrapper for `open` system calls, they often go through an actual `openat()` system call, so it might sometimes seem like more system calls are intercepted than are actually implemented.
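Review bot: the new Caveats section says not all `open()`-style syscalls are implemented but does not list which ones are intercepted, so a reader cannot tell which file accesses will bypass the redirect rules entirely. Suggest listing the handled syscalls (and the ones known to be missing) under this heading, and stating what happens on an unhandled call, i.e. whether it is passed through to the real path without any notice. The glibc sentence is also hard to parse in one go; split it: "Note that the glibc wrapper for `open` usually issues an `openat()` system call. This can make it look as if more system calls are intercepted than are actually implemented."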