Sysinfo syscall intercept (problem with LiteSpeed licence)

Is the LXC community planning to implement an option similar to
“security.syscalls.intercept.sysinfo” in LXD?

At this point the syscall sysinfo() shows the amount of memory on the host, instead of that allocated/limited to the LXC container.

This causes a problem, for example, with the LiteSpeed server license (the price of the license depends on the amount of memory in the server). I use LXCFS and it emulates /proc/meminfo properly but it doesn’t solve the problem (LiteSpeed uses a kernel syscall function called sysinfo()).

Or maybe there is a solution to this situation?

Thanks and best regards!

LXD/Incus use LXC, so it’s definitely possible with LXC, but this kind of interception is rather tricky, so you’ll have to write some custom code that can handle the seccomp notifications from LXC and then return the correct value for the system call.

lxc.seccomp.notify.proxy and lxc.seccomp.notify.cookie are the keys on the LXC side to handle this, along with having your profile (lxc.seccomp.profile) use the notify target for the system call that you wish to intercept in userspace.

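The "return the correct value" step from the reply above, as an added example that is not part of the original posts and is not LXC or LXD code: once a handler has received the notification for sysinfo(), it has to build a struct sysinfo limited to the container's memory cgroup and copy it into the calling task's buffer. The helper names, the NO_LIMIT sentinel and the choice to zero the shared and buffer fields are assumptions of this sketch; receiving the notification from the proxy socket is not shown.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/sysinfo.h>
#include <sys/types.h>
#include <unistd.h>

#define NO_LIMIT UINT64_MAX /* constructed sentinel: the cgroup has no limit */

/* Hypothetical helper: shrink the host's sysinfo() answer to the container's
 * memory cgroup. limit and usage are in bytes (for example cgroup v2
 * memory.max and memory.current, read by the caller). Swap is left untouched. */
struct sysinfo clamp_sysinfo(struct sysinfo host, uint64_t limit, uint64_t usage)
{
    uint64_t unit = host.mem_unit ? host.mem_unit : 1;
    uint64_t host_total = (uint64_t)host.totalram * unit;

    if (limit == NO_LIMIT || limit >= host_total)
        return host;              /* no effective limit: report the host */
    if (usage > limit)
        usage = limit;            /* never report negative free memory */

    struct sysinfo out = host;
    out.totalram = limit / unit;  /* fields are counted in mem_unit bytes */
    out.freeram = (limit - usage) / unit;
    out.sharedram = 0;            /* host-wide figures, not the container's */
    out.bufferram = 0;
    out.totalhigh = 0;
    out.freehigh = 0;
    return out;
}

/* Hypothetical helper: copy the result into the intercepted task's buffer.
 * addr is the first argument of the notified sysinfo() call. Assumes the
 * task uses the same ABI as the handler. Returns 0 on success, -1 on error. */
int write_sysinfo(pid_t pid, uint64_t addr, const struct sysinfo *si)
{
    char path[64];
    snprintf(path, sizeof(path), "/proc/%d/mem", (int)pid);
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = pwrite(fd, si, sizeof(*si), (off_t)addr);
    close(fd);
    return n == (ssize_t)sizeof(*si) ? 0 : -1;
}
```

A handler using the kernel's seccomp notification interface should confirm the notification is still valid (SECCOMP_IOCTL_NOTIF_ID_VALID) after opening /proc/<pid>/mem and before writing, since the PID can be reused once the original task exits.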