Posts Tagged ptrace

Fun with ptrace: system emulation

The more I explore the interfaces deeply hidden in the Linux kernel, the more a new world of opportunity opens. Today, while taking a look at the ptrace API, I came across the PTRACE_SYSEMU option.

But what is ptrace? It's a kernel interface to inspect and manipulate the information that crosses the user space / kernel space frontier. Its main... principal... only user is usually gdb. The PTRACE_SYSEMU option is quite peculiar: it was implemented mainly for the User Mode Linux project. It allows you not only to monitor the system calls invoked by a process, but also to replace the system call semantics, since the kernel stops the tracee at syscall entry and does not execute the call itself.

So... how could this be useful? For example, to experiment with different auditing/sandboxing strategies, or to build compatibility layers at the system call level... but who knows what kind of funny things could be done!
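To make the "replace the system call semantics" idea concrete, here is a minimal PTRACE_SYSEMU tracer. This is an added example, not code from the original post or from User Mode Linux. It forks a child that issues getpid() through a raw syscall; the tracer catches the syscall-entry stop, and because under SYSEMU the kernel will not run the call, it writes a constructed return value (4242) into rax itself. The example also shows the catch a sandbox author hits immediately: under SYSEMU every syscall is skipped, including the child's exit_group, so the tracer has to handle that one too. It assumes Linux on x86-64 (the register names are architecture-specific) and reports 2 when tracing is not permitted where it runs.

```c
/* Added example, not code from the original post: a minimal PTRACE_SYSEMU
 * tracer for Linux/x86-64. The traced child issues getpid(); the tracer sees
 * the syscall-entry stop and, because SYSEMU means the kernel will NOT run the
 * syscall, supplies the return value itself. Every other syscall is skipped
 * as well, so the tracer must also deal with the child's exit_group. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define FAKE_PID 4242L   /* constructed value the emulated getpid() hands back */

/* Result codes of run_sysemu_demo():
 *   0  getpid() in the child returned FAKE_PID (emulation worked)
 *   1  the child saw its real pid (emulation did not take effect)
 *   2  ptrace is not available here (seccomp, Yama scope, non-x86-64 build)
 *  -1  unexpected error in the tracer */

static void traced_child(void) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(2);
    raise(SIGSTOP);                    /* let the parent take control first */
    long got = syscall(SYS_getpid);    /* raw syscall, no libc caching */
    _exit(got == FAKE_PID ? 0 : 1);
}

int run_sysemu_demo(void) {
#if !defined(__x86_64__) || !defined(PTRACE_SYSEMU)
    return 2;
#else
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) traced_child();

    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status); /* TRACEME refused */

    for (;;) {
        /* Resume until the next syscall entry; the kernel will skip it. */
        if (ptrace(PTRACE_SYSEMU, pid, NULL, NULL) == -1) {
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            return 2;
        }
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (!WIFSTOPPED(status)) return -1;

        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;

        if (regs.orig_rax == SYS_getpid) {
            /* Emulate: the syscall is skipped, so rax is ours to set. */
            regs.rax = FAKE_PID;
            if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
        } else if (regs.orig_rax == SYS_exit_group) {
            /* exit_group is skipped too, so the tracer ends the child itself
             * and reports the status it asked for (first argument, rdi). */
            int code = (int)regs.rdi;
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            return code;
        }
        /* Any other syscall is silently skipped: its rax stays -ENOSYS. */
    }
#endif
}

int main(void) {
    printf("run_sysemu_demo() -> %d\n", run_sysemu_demo());
    return 0;
}
```

The point to take away for auditing or sandboxing work is the asymmetry with PTRACE_SYSCALL: with SYSCALL the kernel still executes the call and you only observe or veto it, whereas with SYSEMU nothing runs unless the tracer implements it, which is exactly what a full emulation layer like User Mode Linux wants and what a thin filter does not.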

