Konstantin Bogomolov
Thanks a lot for the reproducer, I'll see if I can use it. As to why this is happening: you can look at previous issues we've had on this like...
I ran some tests with fastpath disabled (remove this line https://cs.opensource.google/gvisor/gvisor/+/master:pkg/sentry/platform/systrap/metrics.go;drc=abde965590349ca06d7cd526ec2d230c756f1697;l=326 for disabling just stub FP for example): ### Normal: ``` time ./runsc --rootless --network none --ignore-cgroups do --force-overlay=false ./env/bin/python3...
> Do you think if optimizing sentry fastpath (with mix of fastpath and no-fastpath) would potentially give us even better performance than completely disabling it

For sentry fastpath this is...
> maybe we could dynamically change [maxSysmsgThreads](https://cs.opensource.google/gvisor/gvisor/+/master:pkg/sentry/platform/systrap/subprocess.go;drc=d06b27e25f95ebd2a4978c4b0547e447866d0e0a;l=108) to account for whether sentry fastpath is on or off?

Just so we don't repeat work, I tried this out and it didn't...
Hey @dany74q, you can just use the new flag `--systrap-disable-syscall-patching` for your use case. A general solution is possible if we roll back the patches to their original state, but it...
Take a look at https://github.com/avagin/gvisor/commit/0a2587e11a07f4a48b1cba1bd722f8e27e1e9289. For systrap this is only feasible if we introduce a systrap mode without fastpath, which would be significantly slower.
This proposal is trying to do a lot of things at once imo. Some thoughts:

> Implement security monitoring for sensitive paths

I believe this use-case is better suited for...