Forwarding syscalls to userspace

C1 | Tue 22 Jan | 1:55 p.m.–2:20 p.m.


Presented by

  • Tycho Andersen
    http://tycho.ws

    Tycho is an engineer at Cisco working on Linux platforms. He holds degrees from the University of Wisconsin-Madison and Iowa State University, and has co-authored several peer-reviewed papers. In his spare time he rides bikes and does improv comedy.

Abstract

Containers are ever popular, and are increasingly presented as an alternative to virtual machines. However, there are some obvious gaps in the API available to containers vs. what's available to root on the host. For example, containers cannot safely load kernel modules, or mount arbitrary filesystems. In this talk, Tycho will present a kernel patchset in development for passing syscalls off to a userspace handler, which can perform actions on behalf of the task that performed the syscall. For example, if a container tries to load a kernel module, the userspace daemon might check that the module is in a whitelist, and load the host's version of the module instead. The container is safely allowed to load kernel modules, whereas before it was not.
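The mechanism the abstract describes, a seccomp filter that hands a trapped syscall to a userspace supervisor which answers on the task's behalf, reached mainline Linux 5.0 as the seccomp user-notification API (`SECCOMP_RET_USER_NOTIF`). The program below is an added example written for this page, not code from the talk or from the patchset: a parent process acts as the supervisor for a forked child, traps the child's `init_module` calls, reads the module name out of the child's memory via `/proc/<pid>/mem`, checks it against a constructed allow-list and replies with either an emulated success or `EPERM`. The allow-list, the module names, and the use of a bare name string as a stand-in for a module image are assumptions made for the demo; loading is only emulated, where a real daemon would load the host's copy of the module. It needs 5.0+ kernel headers and kernel; the policy function `decide` compiles and runs anywhere.

```c
/* Added example, not the speaker's patchset: a toy supervisor on the seccomp
 * user-notification API (SECCOMP_RET_USER_NOTIF, Linux 5.0+). The child traps
 * init_module to its parent, which reads the module name from the child's
 * memory, consults an allow-list and answers with emulated success or EPERM.
 * Build on Linux: cc -std=gnu11 -o notif notif.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

struct decision { int error; long val; };   /* maps onto seccomp_notif_resp */

/* Policy: constructed allow-list. error 0 => the caller sees success with
 * return value val; a negative errno => the caller's syscall fails with it. */
struct decision decide(const char *name) {
    static const char *const allowed[] = { "overlay", "br_netfilter" };
    for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
        if (strcmp(name, allowed[i]) == 0) return (struct decision){ 0, 0 };
    return (struct decision){ -EPERM, -1 };
}

#ifdef SECCOMP_RET_USER_NOTIF   /* everything below needs 5.0+ kernel headers */
/* Hand the listener fd from child to parent over a socketpair (SCM_RIGHTS).
 * sending=1 sends fd and returns 0; sending=0 ignores fd and returns the received fd. */
static int xfer_fd(int sock, int fd, int sending) {
    char c = 0, buf[CMSG_SPACE(sizeof fd)] = { 0 };
    struct iovec iov = { &c, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);
    if (sending) {
        cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof fd);
        memcpy(CMSG_DATA(cm), &fd, sizeof fd);
        return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
    }
    if (recvmsg(sock, &m, 0) != 1 || !(cm = CMSG_FIRSTHDR(&m)) ||
        cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* "Container" side: route init_module to the listener, allow everything else.
 * (A production filter also checks seccomp_data.arch before trusting nr.) */
static int run_child(int sock) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_init_module, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof f / sizeof *f, .filter = f };
    const char *names[] = { "overlay", "rootkit" };  /* constructed stand-in "images" */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return 1;
    int l = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                    SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (l < 0 || xfer_fd(sock, l, 1) < 0) return 1;
    for (int i = 0; i < 2; i++) {   /* no CAP_SYS_MODULE needed: the kernel never runs it */
        long rc = syscall(SYS_init_module, names[i], strlen(names[i]) + 1, "");
        printf("child: init_module(%s) -> %ld (%s)\n", names[i], rc, rc ? strerror(errno) : "ok");
    }
    return 0;
}

/* Supervisor side: receive, copy the argument out of the caller, decide, respond. */
static int supervise(int l, int count) {
    struct seccomp_notif_sizes sz;
    if (syscall(SYS_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sz) < 0) return -1;
    struct seccomp_notif *req = calloc(1, sz.seccomp_notif);
    struct seccomp_notif_resp *resp = calloc(1, sz.seccomp_notif_resp);
    for (int n = 0; n < count; n++) {
        char path[64], name[64] = "";
        memset(req, 0, sz.seccomp_notif);   /* the kernel requires a zeroed buffer */
        if (ioctl(l, SECCOMP_IOCTL_NOTIF_RECV, req) < 0) return -1;
        snprintf(path, sizeof path, "/proc/%u/mem", req->pid);
        size_t len = req->data.args[1] < sizeof name - 1 ? req->data.args[1] : sizeof name - 1;
        int mem = open(path, O_RDONLY);
        if (mem >= 0) { if (pread(mem, name, len, (off_t)req->data.args[0]) < 0) name[0] = 0; close(mem); }
        /* After reading memory, confirm the notification is still live, so a
         * reused PID cannot have fed us another process's data. Decide only on
         * the private copy: the caller's other threads may still rewrite theirs. */
        struct decision d = ioctl(l, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) < 0
                            ? (struct decision){ -EPERM, -1 } : decide(name);
        memset(resp, 0, sz.seccomp_notif_resp);
        resp->id = req->id; resp->error = d.error; resp->val = d.val;
        printf("supervisor: pid %u asked for \"%s\": %s\n", req->pid, name,
               d.error ? "denied" : "would load host copy; emulating success");
        if (ioctl(l, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0 && errno != ENOENT) return -1;
    }
    free(req); free(resp);
    return 0;
}

int main(void) {
    int sv[2], rc;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    if ((pid = fork()) == 0) { close(sv[0]); _exit(run_child(sv[1])); }
    close(sv[1]);
    int l = xfer_fd(sv[0], -1, 0);
    if (l < 0) { fputs("no listener: kernel lacks user notification?\n", stderr); return 1; }
    rc = supervise(l, 2);
    waitpid(pid, NULL, 0);
    return rc ? 1 : 0;
}
#endif
```

Two details matter for anyone building a real daemon on this pattern. First, pointer arguments must be copied out of the caller's address space before deciding, and `SECCOMP_IOCTL_NOTIF_ID_VALID` must be checked after that copy, otherwise a PID reused between the notification and the read can smuggle different data past the policy; the kernel's own API documentation makes the same point. Second, the supervisor runs with its own privileges, not the caller's, so the allow-list is the only thing standing between an unprivileged container and the host's module loader; keep that policy small and explicit.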