libshim wrapper around containers using bpf?

[petersilva]

while we can intercept calls using a shim library in programs running on a traditional linux server, sometimes code arrives that meant to be deployed as an opaque binary container. It could be impractical to insert the shared library into containers like that, and it might be a lot more elegant to use container mechanisms instead.

reading materials:

• https://kinvolk.io/blog/2022/03/bringing-seccomp-notify-to-runc-and-kubernetes/
• https://www.man7.org/linux/man-pages/man2/seccomp.2.html

So... the gist is that we might be able to use bpf filtering around containers, usually used for security, to intercept calls to underlying disks, and map the calls to the existing libsr3shim, or something very like it, to create posts of files written by the container.