pub struct SyscallEvent {
    pub syscall: String,
    pub category: SyscallCategory,
    pub pid: u32,
    pub parent_pid: Option<u32>,
    pub host: Option<IpAddr>,
    pub port: Option<u16>,
    pub size: Option<u64>,
    pub argv: Option<Vec<String>>,
    pub denied: bool,
}
An intercepted syscall event observed by the seccomp supervisor.
TOCTOU and string-typed fields
Path strings are deliberately absent. Per seccomp_unotify(2), the
kernel re-reads user-memory pointers after a Continue response, so
any path-string-based decision is racy in a multi-threaded child.
Path-based access control belongs in static Landlock rules
(fs_read / fs_write / fs_deny); see issue #27.
argv is exposed for execve/execveat and is TOCTOU-safe by
construction: with policy_fn active, fork-like syscalls are traced
for one ptrace creation event, so children are registered in
ProcessIndex before they can run user code. Before the supervisor
exposes argv to policy_fn or returns Continue for an execve, it
then PTRACE_SEIZE+PTRACE_INTERRUPTs every task that could write
the memory — both sibling threads of the calling tid (same TGID, share
mm_struct) and peer threads in other TGIDs that may alias argv
pages via MAP_SHARED mappings or share mm_struct via
clone(CLONE_VM). The kernel’s post-Continue re-read therefore
sees the same memory the supervisor inspected. Siblings are killed
by the kernel during execve’s de_thread step; peer threads are
detached after NOTIF_SEND and resume normally. See
crate::freeze.
Network fields (host, port) are TOCTOU-safe because the
supervisor performs connect/sendto/bind on-behalf via
pidfd_getfd and the kernel never re-reads child memory for those.
Fields

syscall: String
    Syscall name (e.g., “connect”, “openat”, “execve”, “clone”).

category: SyscallCategory
    High-level category.

pid: u32
    PID of the process that made the syscall.

parent_pid: Option<u32>
    Parent PID (read from /proc/{pid}/stat).

host: Option<IpAddr>
    Destination IP address (for connect, sendto). TOCTOU-safe.

port: Option<u16>
    Destination port (for connect, sendto, bind). TOCTOU-safe.

size: Option<u64>
    Size argument (for mmap, brk).

argv: Option<Vec<String>>
    Command arguments for execve/execveat. TOCTOU-safe: every task in ProcessIndex (the caller’s siblings and peer processes) is frozen before argv is read for this event and before the kernel re-reads argv from child memory; fork-like syscalls register children before they can run user code while policy_fn is active.

denied: bool
    Whether the supervisor denied this syscall.
Implementations

impl SyscallEvent

pub fn argv_contains(&self, s: &str) -> bool
    Returns true if any argv element contains the given substring. Only meaningful for execve/execveat events (where argv is populated).
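The following is an added example, not code from this crate, showing how a policy function would consume a SyscallEvent using only the fields the documentation marks TOCTOU-safe (category, host, port, argv) and never a path string. The struct and argv_contains are mirrored from the definitions above so the example runs stand-alone; the SyscallCategory variant names, the Decision enum (the page names only the Continue response) and the sample events are assumptions made for the example.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Assumed stand-in for the crate's `SyscallCategory`; the real variant names are not on the page.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SyscallCategory {
    Network,
    Exec,
    Memory,
    Process,
    Other,
}

/// Mirror of the documented struct (same field names and types) so the example runs stand-alone.
#[derive(Clone, Debug)]
pub struct SyscallEvent {
    pub syscall: String,
    pub category: SyscallCategory,
    pub pid: u32,
    pub parent_pid: Option<u32>,
    pub host: Option<IpAddr>,
    pub port: Option<u16>,
    pub size: Option<u64>,
    pub argv: Option<Vec<String>>,
    pub denied: bool,
}

impl SyscallEvent {
    /// Same contract as the documented method: true if any argv element contains `s`.
    /// Returns false when argv is absent (non-exec events).
    pub fn argv_contains(&self, s: &str) -> bool {
        self.argv
            .as_ref()
            .map_or(false, |argv| argv.iter().any(|a| a.contains(s)))
    }
}

/// Hypothetical decision type; the page names only the `Continue` response.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Decision {
    Continue,
    Deny,
}

/// Example policy. Every branch keys off a field the docs mark TOCTOU-safe
/// (category, host, port, argv); no path string is consulted, because the
/// kernel re-reads path pointers after Continue and such a check would be racy.
pub fn policy_fn(ev: &SyscallEvent) -> Decision {
    match ev.category {
        SyscallCategory::Network if ev.syscall == "bind" => match ev.port {
            // bind carries a port but no host: allow only unprivileged ports.
            Some(p) if p >= 1024 => Decision::Continue,
            _ => Decision::Deny,
        },
        SyscallCategory::Network => match (ev.host, ev.port) {
            // connect/sendto: loopback on any port, or port 443 anywhere.
            (Some(h), _) if h.is_loopback() => Decision::Continue,
            (Some(_), Some(443)) => Decision::Continue,
            _ => Decision::Deny,
        },
        SyscallCategory::Exec => {
            // argv is frozen while policy_fn runs (see the docs above), so a
            // substring check here cannot be raced by a sibling thread.
            if ev.argv_contains("--privileged") {
                Decision::Deny
            } else {
                Decision::Continue
            }
        }
        _ => Decision::Continue,
    }
}

/// Constructed sample events (not real captures) for a quick run.
pub fn sample_events() -> Vec<SyscallEvent> {
    let base = SyscallEvent {
        syscall: String::new(), category: SyscallCategory::Other, pid: 1000,
        parent_pid: Some(1), host: None, port: None, size: None, argv: None, denied: false,
    };
    vec![
        SyscallEvent { syscall: "connect".into(), category: SyscallCategory::Network,
            host: Some(IpAddr::V4(Ipv4Addr::LOCALHOST)), port: Some(5432), ..base.clone() },
        SyscallEvent { syscall: "connect".into(), category: SyscallCategory::Network,
            host: Some(IpAddr::V4(Ipv4Addr::new(203, 0, 113, 7))), port: Some(22), ..base.clone() },
        SyscallEvent { syscall: "bind".into(), category: SyscallCategory::Network,
            port: Some(80), ..base.clone() },
        SyscallEvent { syscall: "execve".into(), category: SyscallCategory::Exec,
            argv: Some(vec!["docker".into(), "run".into(), "--privileged".into()]), ..base.clone() },
        SyscallEvent { syscall: "mmap".into(), category: SyscallCategory::Memory,
            size: Some(4096), ..base },
    ]
}

/// Evaluate a batch, returning each event with `denied` filled in from the policy.
pub fn evaluate(events: Vec<SyscallEvent>) -> Vec<SyscallEvent> {
    events
        .into_iter()
        .map(|mut ev| {
            ev.denied = policy_fn(&ev) == Decision::Deny;
            ev
        })
        .collect()
}

fn main() {
    for ev in evaluate(sample_events()) {
        println!("{:<8} pid={} denied={}", ev.syscall, ev.pid, ev.denied);
    }
}
```

Running the block prints one line per constructed event; the loopback connect and the mmap pass, while the SSH connect to a non-loopback host, the bind to port 80 and the execve carrying `--privileged` are marked denied.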
Trait Implementations

impl Clone for SyscallEvent

fn clone(&self) -> SyscallEvent

fn clone_from(&mut self, source: &Self)
    1.0.0 (const: unstable)