Problem
sandlock currently has several Linux runtime paths that assume the x86_64 syscall
ABI. This prevents the sandbox from building or running correctly on Linux
arm64/aarch64 environments.
Examples of x86_64-specific assumptions include:
- hard-coded syscall numbers
- x86_64 seccomp audit architecture
- x86_64 raw syscall register convention
- unconditional use of legacy non-*at path syscalls such as SYS_open/SYS_stat
- hand-packed x86_64 struct stat layout in COW stat virtualization
- x86_64 ptrace register capture through PTRACE_GETREGS
- x86_64 vDSO symbol names and syscall stubs
Linux arm64 also does not expose several legacy path syscalls. The equivalent
ABI is usually the *at form, such as openat(AT_FDCWD, ...).
Expected Behavior
sandlock should support Linux arm64/aarch64 for the same seccomp-based sandbox
features covered by the current runtime test suite, while preserving existing
x86_64 behavior.
At minimum, arm64 should support:
- seccomp filter installation with the correct audit architecture
- seccomp notification dispatch using arm64 syscall numbers
- COW filesystem interception
- chroot path interception for raw path syscall equivalents
- deterministic time and directory behavior
- checkpoint register capture
- Python and Rust integration tests without architecture-specific skips for
supported behavior
Proposed Approach
Introduce a small architecture abstraction for syscall numbers and ABI-specific
helpers, then update runtime paths to avoid x86_64-only assumptions.
Specific areas to update:
- syscall constants and optional legacy syscall registration
- raw syscall wrappers
- seccomp BPF arch checks
- COW stat/getcwd/getdents handling
- checkpoint ptrace register capture
- vDSO time stubs
- rootfs helper and tests for arm64 raw *at syscall equivalents
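As an added illustration of the "seccomp BPF arch checks" item (example code, not sandlock's own): the filter below reads seccomp_data.arch before it interprets the syscall number, so the same openat policy holds on x86_64 (openat = 257) and arm64 (openat = 56) and any other arch fails closed. The small user-space evaluator is only there to exercise the filter without installing it; it covers just the three opcode classes the filter uses.

```c
/* Added example, not sandlock's code: an arch-aware seccomp cBPF filter plus a
 * tiny user-space evaluator so the filter can be tested without installing it.
 * Syscall numbers are taken from the x86_64 and arm64 syscall tables. */
#include <stddef.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define OPENAT_X86_64 257u /* __NR_openat on x86_64 */
#define OPENAT_ARM64  56u  /* __NR_openat on arm64 */
#define ARCH_OFF offsetof(struct seccomp_data, arch)
#define NR_OFF   offsetof(struct seccomp_data, nr)

/* Allow only openat; which number means openat depends on seccomp_data.arch. */
static const struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARCH_OFF),                   /* 0: A = arch */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 3),   /* 1: not x86_64 -> 5 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),                     /* 2: A = nr */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, OPENAT_X86_64, 0, 5),       /* 3: not openat -> 9 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                   /* 4 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_AARCH64, 0, 3),  /* 5: not arm64 -> 9 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, NR_OFF),                     /* 6: A = nr */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, OPENAT_ARM64, 0, 1),        /* 7: not openat -> 9 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                   /* 8 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),            /* 9: unknown arch or nr */
};

/* Evaluate the filter in user space (only the opcodes used above). */
unsigned int run_filter(const struct seccomp_data *d) {
    const unsigned char *mem = (const unsigned char *)d;
    unsigned int a = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; pc++) {
        const struct sock_filter *ins = &filter[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&a, mem + ins->k, sizeof a); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (a == ins->k) ? ins->jt : ins->jf; break;
        case BPF_RET | BPF_K: return ins->k;
        default: return SECCOMP_RET_KILL_PROCESS; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}

/* Decision for one (arch, syscall number) pair, as the kernel would see it. */
unsigned int decide(unsigned int arch, int nr) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(&d);
}
```

Note that number 56 is clone on x86_64 and 257 is not openat on arm64, which is exactly why a filter must branch on the audit arch before comparing syscall numbers.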
Notes
This should not add a new sandbox mode. The goal is to make the existing Linux
seccomp runtime architecture-aware and keep x86_64 behavior unchanged.