💡 Dual-Mode Syscall Monitoring Explained

cella provides two complementary approaches to syscall monitoring: passive observation and active blocking.

Why Two Modes?

Monitoring and enforcement are different goals. You might want to observe what a container does without interfering (profiling, compliance auditing), or you might want to block dangerous operations in real time (security hardening). cella supports both.

Mode 1: Passive Monitoring (bpftrace)

Activated with t. Uses bpftrace to attach to the kernel's tracepoint for syscall entry, filtered by the container's cgroup ID.

How It Works

cella spawns a bpftrace process with a script that traces tracepoint:raw_syscalls:sys_enter
The script filters by the container's cgroup ID to capture only that container's syscalls
Output is parsed line by line and categorized into 7 families
Statistics are maintained in a ring buffer for sparkline rendering

Syscall Families

Family	Examples
file-io	read, write, open, close, stat, fstat, lstat, lseek
network	socket, connect, bind, listen, accept, sendto, recvfrom
process	fork, clone, execve, wait4, exit_group
memory	mmap, mprotect, munmap, brk, mremap
signals	rt_sigaction, rt_sigprocmask, kill, tgkill
ipc	pipe, futex, eventfd, epoll_ctl
system	ioctl, prctl, sysinfo, getrandom

Key Properties

Non-intrusive: No performance impact on the container
Comprehensive: Sees all syscalls, not just blocked ones
Feeds seccomp generation: The observed syscall set becomes the allowlist for the generated profile

Mode 2: Active Blocking (LXD BPF Deny)

Activated with Z. Uses LXD's security.syscalls.deny config, which leverages the kernel's BPF mechanism to block specific syscalls at the container level.

How It Works

cella sets security.syscalls.deny via the LXD API
LXD configures a BPF program that returns EPERM for the listed syscalls
If bpftrace detects an attempt to call a blocked syscall, cella shows an operator approval overlay

Blocked Syscalls

The default deny list targets high-risk syscalls: ptrace, mount, umount2, bpf, kexec_load, kexec_file_load, reboot, init_module, finit_module, delete_module.

Key Properties

Enforcement: Actually prevents the syscall from executing
LXD-only: Relies on LXD's BPF integration; not available for Docker containers
Operator-in-the-loop: The approval overlay allows real-time decision-making

Using Both Together

The recommended workflow:

Start with passive monitoring (t) to understand the container's normal behavior
Generate a seccomp profile (G) from observed traffic
Enable active blocking (Z) to enforce restrictions
Use the approval overlay to handle edge cases

← Home