1

In the document for gvisor, it is explained that "the sentry stores the effective mapping from virtual address to host file in a host VMA by invoking the mmap system call", so that the containerized application process has the information it needs to translate and access the virtual address it requested.

Here the sentry refers to the hypervisor process that is ptrace-ing the containerized child application process it spawns.

My question is, how exactly does the sentry call mmap() for the application process? If it is calling from its own process, doesn't this modify its own VMA table instead of that of the application process?

sqd
    When you ptrace a process you can make the process execute system calls. – Barmar May 28 '20 at 14:31
  • Or execute any other code. That's how a debugger can call functions in the context of the process being debugged. – Barmar May 28 '20 at 14:32
  • @Barmar Is there a ptrace-native non-hacky way? All methods I found online involve some kind of code injection. – sqd May 28 '20 at 15:18
  • I'm not sure what you mean. `ptrace` is the way that one process can monitor and control another process. What makes it hacky? – Barmar May 28 '20 at 15:19

1 Answer

0

Barmar is correct in the comments above. ptrace does not provide a direct mechanism to make a system call in the tracee. The core of gVisor's implementation can be found here. We pick a tracee thread, set the registers with RIP at the known location of a SYSCALL + trap instruction and the argument registers set as desired, and then allow execution to continue through the syscall, stopping again at the trap.

prattmic
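The mechanism the answer describes, as an added example: this is not gVisor's code and not from the answer or the comments, just a minimal Linux x86-64 C program that does the same thing. The parent forks a child that calls PTRACE_TRACEME and stops itself; the tracer saves the child's registers, points RIP at a two-instruction `syscall; int3` stub, loads RAX and the argument registers, resumes the child, catches the SIGTRAP from the `int3`, reads the result out of RAX, and restores the saved registers so the child continues as if nothing happened. The simplification made here (an assumption of the example, not how gVisor lays out its stub) is that the child is a fork without exec, so the stub in the tracer's own `.text` has the same address in the tracee and nothing has to be written into the tracee's memory. The demo injects `getpid` and checks that the tracee reports its own PID and then exits normally.

```c
/* Added example (not gVisor's code): inject a system call into a stopped
 * ptrace tracee by pointing RIP at a known "syscall; int3" stub.
 * Linux x86-64 only; other targets get a stub that reports "unavailable". */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__linux__) && defined(__x86_64__)

/* The "known location": the tracee is a fork() without exec, so this symbol
 * sits at the same address in both processes (example simplification). */
__asm__(".text\n"
        ".globl syscall_stub\n"
        "syscall_stub:\n"
        "    syscall\n"   /* run whatever syscall the registers describe */
        "    int3\n");    /* trap straight back into the tracer */
extern void syscall_stub(void);

/* Run syscall `nr` with six arguments inside the stopped tracee `pid`.
 * On success returns 0 and stores the tracee's RAX in *ret; the tracee's
 * original registers are restored so it can resume where it was. */
static int inject_syscall(pid_t pid, long nr,
                          unsigned long a1, unsigned long a2, unsigned long a3,
                          unsigned long a4, unsigned long a5, unsigned long a6,
                          unsigned long *ret)
{
    struct user_regs_struct saved, regs;
    int status;

    if (ptrace(PTRACE_GETREGS, pid, 0, &saved) == -1)
        return -1;
    regs = saved;
    regs.rip = (unsigned long)syscall_stub;
    regs.rax = (unsigned long)nr;         /* syscall number */
    regs.orig_rax = (unsigned long)-1;    /* no pending syscall: no restart logic */
    regs.rdi = a1; regs.rsi = a2; regs.rdx = a3;
    regs.r10 = a4; regs.r8  = a5; regs.r9  = a6;
    if (ptrace(PTRACE_SETREGS, pid, 0, &regs) == -1)
        return -1;

    /* Resume with no signal; the tracee executes syscall, then int3 -> SIGTRAP. */
    if (ptrace(PTRACE_CONT, pid, 0, 0) == -1)
        return -1;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status) ||
        WSTOPSIG(status) != SIGTRAP)
        return -1;

    if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == -1)
        return -1;
    *ret = regs.rax;

    /* Put the original context back so the tracee never notices. */
    return ptrace(PTRACE_SETREGS, pid, 0, &saved) == -1 ? -1 : 0;
}

/* Demo: fork a tracee, make it run getpid() by injection, then let it resume
 * and exit normally.  Returns 1 if everything matched, 0 if ptrace worked but
 * a result was wrong, -1 if ptrace is not permitted here (e.g. Yama
 * ptrace_scope or a seccomp sandbox) or the platform is unsupported. */
int inject_getpid_demo(void)
{
    int status;
    unsigned long result = 0;
    pid_t child = fork();
    if (child == -1)
        return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1)
            _exit(99);                 /* tracing not permitted */
        kill(getpid(), SIGSTOP);       /* hand control to the tracer */
        _exit(42);                     /* reached only after registers are restored */
    }

    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;                     /* child exited 99 or was killed: no ptrace */

    if (inject_syscall(child, SYS_getpid, 0, 0, 0, 0, 0, 0, &result) == -1) {
        kill(child, SIGKILL);
        waitpid(child, &status, 0);
        return -1;
    }

    /* Resume the tracee at its saved context; it should now exit with 42. */
    if (ptrace(PTRACE_CONT, child, 0, 0) == -1 || waitpid(child, &status, 0) == -1)
        return 0;
    int resumed_ok = WIFEXITED(status) && WEXITSTATUS(status) == 42;
    return ((pid_t)result == child && resumed_ok) ? 1 : 0;
}

#else
int inject_getpid_demo(void) { return -1; }   /* not Linux/x86-64 */
#endif

int main(void)
{
    int r = inject_getpid_demo();
    printf("injection demo: %s\n",
           r == 1 ? "ok" : r == 0 ? "MISMATCH" : "ptrace unavailable");
    return r == 0;
}
```

The `orig_rax = -1` store matters: the tracee was stopped on its way back from a system call, and the kernel's syscall-restart check looks at `orig_rax` and `rax` when the stop is resumed; clearing it keeps the kernel from rewinding RIP back over the injected stub. Restoring the saved register set afterwards is what makes the injection invisible to the tracee, which is the property the sentry relies on when it issues mmap on the application's behalf.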