path: root/README.md
blob: 048b30f2294ba3b3ab2ecbd1fe7cb4e60bd65998
<style>
.markdown-body {
  display: block;
  font-family: Roboto Mono, monospace;
  font-weight: 200;
  font-size: 13pt;
  line-height: 1.5;
}

div > ul {
  float: left;
}
</style>

<img src="/static/seitan.svg" alt="seitan diagram"
 style="object-fit: contain; width: 70%; float: left">

* **build-filter**
    * build BPF binary-search tree

* **build-table**
    * build transformation table

* **seitan-loader**
    * load BPF blob
    * attach filter
    * call blocking syscall
    * on return, start binary

* **seitan**
    * load transformation table blob
    * listen to netlink proc connector
    * look for seitan-loader, once found:
        * get seccomp notifier via pidfd_getfd()
        * listen to it, new syscall:
            * look up in transformation table
            * load args from memory
            * execute transformation, unblock, or block
            * return, optionally injecting context
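The build-filter step, as an added example written for this page and not seitan's own code: an ascending list of syscall numbers is compiled into a classic-BPF binary-search tree that returns SECCOMP_RET_USER_NOTIF for listed syscalls and SECCOMP_RET_ALLOW for everything else, and a tiny interpreter then runs the program so the lookups can be checked without loading it into the kernel. The four-instructions-per-syscall layout, the MAX_INSNS bound and the omitted architecture check are this example's simplifications, not seitan's.

```c
/* Added example, not seitan's code: build-filter-style BPF binary-search tree. */
#include <stddef.h>
#include <stdint.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef SECCOMP_RET_USER_NOTIF            /* missing from pre-5.0 UAPI headers */
#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
#endif
#define MAX_INSNS 64                      /* 4 insns per syscall: jumps stay far below 255 */
/* Subtree for ascending nrs[lo, hi): leaf = JEQ; inner node = JGE on nrs[mid] skipping the left subtree. */
static size_t emit(struct sock_filter *p, const uint32_t *nrs, size_t lo, size_t hi) {
	if (hi - lo == 1) {
		p[0] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nrs[lo], 0, 1);
		p[1] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF);
		p[2] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
		return 3;
	}
	size_t mid = lo + (hi - lo) / 2;
	size_t left = emit(p + 1, nrs, lo, mid);          /* nr <  nrs[mid] */
	size_t right = emit(p + 1 + left, nrs, mid, hi);  /* nr >= nrs[mid] */
	p[0] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, nrs[mid], (uint8_t)left, 0);
	return 1 + left + right;                          /* instructions written */
}
/* Compile strictly ascending nrs[] into out[]; returns length, 0 on bad input. A real filter checks seccomp_data.arch first. */
static size_t build_filter(const uint32_t *nrs, size_t n, struct sock_filter *out) {
	if (n == 0 || 4 * n > MAX_INSNS) return 0;
	for (size_t i = 1; i < n; i++) if (nrs[i - 1] >= nrs[i]) return 0;
	out[0] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
	return 1 + emit(out + 1, nrs, 0, n);
}
/* Minimal classic-BPF interpreter: only the four opcodes the tree uses, loading from seccomp_data. */
static uint32_t run_filter(const struct sock_filter *p, size_t len, int nr) {
	struct seccomp_data d = { .nr = nr }; uint32_t A = 0;
	for (size_t pc = 0; pc < len; pc++) {
		switch (p[pc].code) {
		case BPF_LD | BPF_W | BPF_ABS: A = *(const uint32_t *)((const char *)&d + p[pc].k); break;
		case BPF_JMP | BPF_JEQ | BPF_K: pc += A == p[pc].k ? p[pc].jt : p[pc].jf; break;
		case BPF_JMP | BPF_JGE | BPF_K: pc += A >= p[pc].k ? p[pc].jt : p[pc].jf; break;
		case BPF_RET | BPF_K: return p[pc].k;
		default: return SECCOMP_RET_KILL;         /* opcode the tree never emits */
		}
	}
	return SECCOMP_RET_KILL;                          /* ran off the end */
}
/* Verdict of a filter built from nrs[] for syscall nr (SECCOMP_RET_KILL if it could not be built). */
static uint32_t decide(const uint32_t *nrs, size_t n, int nr) {
	struct sock_filter prog[MAX_INSNS];
	size_t len = build_filter(nrs, n, prog);
	return len ? run_filter(prog, len, nr) : SECCOMP_RET_KILL;
}
```

For five syscalls the tree is 20 instructions deep at most four comparisons, which is what makes the binary-search layout preferable to a linear chain of JEQs when the table grows.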