Tags: linux, bpf, ebpf, seccomp

How to write a seccomp BPF program to filter the system call instruction pointer


Is it possible to write a seccomp-BPF program that filters on the system call instruction pointer? For example, to kill the process whenever a system call instruction is executed from outside libc.


Solution

  • Based on @Qeole's comment, I implemented that BPF program like this:

    /* https://github.com/redpig/seccomp/blob/master/tests/resumption.c */
    #include <stddef.h>         /* offsetof */
    #include <linux/filter.h>   /* struct sock_filter, BPF_STMT, BPF_JUMP */
    #include <linux/seccomp.h>  /* struct seccomp_data, SECCOMP_RET_* */

    unsigned long lib_start = 0x700000000000;
    struct sock_filter filter[] = {
        /* [0] Load the upper 4 bytes of the instruction pointer
         *     (little-endian: the high word sits at field offset + 4). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
            offsetof(struct seccomp_data, instruction_pointer) + sizeof(int)),
        /* [1] If ip_hi > upper word of lib_start, fall through to ALLOW;
         *     otherwise skip one instruction to KILL. */
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, ((__u32 *)&lib_start)[1], 0, 1),
        /* [2] */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* [3] */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
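The answer's filter compares only the upper 32 bits of the instruction pointer, so it can express "above roughly this address" but not an exact range. The program below is an added example (not code from the question, the answer, or the linked repository): it carries the comparison through both 32-bit halves so that a syscall is allowed only when seccomp_data.arch is x86_64 and start <= instruction_pointer < end, and it includes a small user-space interpreter for the cBPF subset used, so the filter can be verified against constructed pointer values before it is installed. Assumptions, all mine: x86_64 little-endian layout of struct seccomp_data (as in the answer), SECCOMP_RET_KILL_PROCESS from Linux 4.14+ headers, the helper names SD_*, build_range_filter, run_filter, classify and install_filter, and the libc-like address range used in main(), which is constructed rather than taken from a real process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* Offsets into struct seccomp_data. Little-endian (x86_64) layout is assumed, as in the
 * answer above: the high 32 bits of instruction_pointer sit 4 bytes into the field. */
#define SD_ARCH  ((__u32)offsetof(struct seccomp_data, arch))
#define SD_IP_LO ((__u32)offsetof(struct seccomp_data, instruction_pointer))
#define SD_IP_HI ((__u32)(offsetof(struct seccomp_data, instruction_pointer) + 4))
#define RANGE_FILTER_LEN 14
#define LO32(v) ((__u32)(v))
#define HI32(v) ((__u32)((v) >> 32))

/* Emits a filter that allows a syscall only when the arch is x86_64 and
 * start <= instruction_pointer < end. Both 32-bit halves are compared, so the bounds
 * are exact; each jump's comment gives the absolute index it lands on. */
static unsigned short build_range_filter(uint64_t start, uint64_t end, struct sock_filter *prog)
{
    struct sock_filter f[RANGE_FILTER_LEN] = {
        /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_ARCH),
        /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 11), /* other arch -> 13 */
        /*  2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_IP_HI),
        /*  3 */ BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, HI32(start), 3, 0), /* hi > start_hi -> 7  */
        /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HI32(start), 0, 8), /* hi < start_hi -> 13 */
        /*  5 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_IP_LO),
        /*  6 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, LO32(start), 0, 6), /* lo < start_lo -> 13 */
        /*  7 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_IP_HI),
        /*  8 */ BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, HI32(end), 4, 0),   /* hi > end_hi -> 13   */
        /*  9 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, HI32(end), 0, 2),   /* hi < end_hi -> 12   */
        /* 10 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_IP_LO),
        /* 11 */ BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, LO32(end), 1, 0),   /* lo >= end_lo -> 13  */
        /* 12 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 13 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    memcpy(prog, f, sizeof f);
    return RANGE_FILTER_LEN;
}

/* User-space interpreter for the cBPF subset used above (LD|W|ABS, JEQ/JGT/JGE against an
 * immediate, RET|K), so a filter can be checked before it is installed. */
static uint32_t run_filter(const struct sock_filter *prog, unsigned short len, const struct seccomp_data *d)
{
    const unsigned char *raw = (const unsigned char *)d;
    uint32_t acc = 0;
    for (unsigned pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD: /* only absolute, in-bounds word loads are modelled */
            if (BPF_MODE(in->code) != BPF_ABS || in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, raw + in->k, 4);
            break;
        case BPF_JMP: {
            int taken = BPF_OP(in->code) == BPF_JEQ ? acc == in->k :
                        BPF_OP(in->code) == BPF_JGT ? acc >  in->k :
                        BPF_OP(in->code) == BPF_JGE ? acc >= in->k : -1;
            if (taken < 0) return SECCOMP_RET_KILL_PROCESS; /* opcode not modelled here */
            pc += taken ? in->jt : in->jf; /* the loop's pc++ supplies the +1 */
            break;
        }
        case BPF_RET: return in->k;
        default: return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end; the kernel rejects such programs */
}

/* Builds the filter for [start, end) and evaluates it for one syscall site. */
static uint32_t classify(uint64_t start, uint64_t end, uint64_t ip, uint32_t arch)
{
    struct sock_filter prog[RANGE_FILTER_LEN];
    unsigned short n = build_range_filter(start, end, prog);
    struct seccomp_data d = { .nr = 0, .arch = arch, .instruction_pointer = ip };
    return run_filter(prog, n, &d);
}

/* Installs a filter for the calling process; once active, every syscall issued from
 * outside [start, end) kills the process, so main() only references it. */
static int install_filter(struct sock_filter *prog, unsigned short len)
{
    struct sock_fprog fprog = { .len = len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    /* Constructed libc-like mapping; a real deployment reads it from /proc/self/maps. */
    const uint64_t start = 0x7f1234560000ULL, end = 0x7f1234780000ULL;
    const uint64_t ips[] = { 0x7f1234561000ULL, 0x7f1234780000ULL, 0x401000ULL };
    for (size_t i = 0; i < sizeof ips / sizeof ips[0]; i++) {
        uint32_t r = classify(start, end, ips[i], AUDIT_ARCH_X86_64);
        printf("ip=%#llx -> %s\n", (unsigned long long)ips[i], r == SECCOMP_RET_ALLOW ? "allow" : "kill");
    }
    (void)install_filter;
    return 0;
}
```

Two points worth keeping in mind when turning this into a real policy: the kernel reports the user-space instruction pointer at syscall entry, so the range must be the text mapping of the libc actually loaded (read from /proc/self/maps or dl_iterate_phdr at runtime, never hard-coded, because of ASLR), and a libc-only range also kills syscalls issued legitimately from the vDSO or from any other library that makes direct system calls, so test the process under the filter before enforcing it.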