Containers system auditing through system call emulation

US12332995B2 · US · B2

Patent metadata

Publication number: US-12332995-B2
Application number: US-202017079200-A
Country: US
Kind code: B2
Filing date: Oct 23, 2020
Priority date: Oct 23, 2020
Publication date: Jun 17, 2025
Grant date: Jun 17, 2025

Abstract

Official abstract text for this publication.

Embodiments of the present disclosure provide a substitute audit log for use by applications in the user-space of a host operating system to write audit information. When a container makes a system call attempting to write audit information to an audit log of the kernel, the kernel may utilize a predefined set of instructions indicating how to detect such system calls and how such system calls are to be modified so as to reroute the system call to an unprivileged socket. The kernel writes the audit information of the system call to an unprivileged socket that is connected to a substitute audit log. A container management program monitoring the unprivileged socket may write the audit information to the substitute log, which is defined in container-specific directories of the container.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: detecting a system call attempting to write information to an audit log of a kernel, wherein the system call originates from a container; creating a socket pair in response to detecting the system call, wherein each socket of the socket pair represents an endpoint of a virtual connection and wherein a second socket of the socket pair is an unprivileged socket and is a different type of socket from a socket initially used by the system call when attempting to write the information to the audit log of a kernel; connecting a first socket of the socket pair to the container; modifying, by a processing device, the system call to reroute the system call to the second socket of the socket pair, wherein the second socket is connected to a substitute log that is to receive information intended for the audit log; writing the information to the second socket of the socket pair; and in response to detecting that the information has been written to the second socket of the socket pair, writing the information directly from the second socket to the substitute log, wherein the substitute log is defined within one or more directories specific to the container.

2. The method of claim 1, wherein detecting the system call comprises: determining that the system call is attempting to create a netfilter socket to communicate with the audit log of the kernel.

3. The method of claim 1, further comprising: defining a secure computing mode (seccomp) profile comprising a set of rules for filtering system calls from the container, wherein the set of rules comprises rules instructing the kernel to change arguments of the system call to connect the system call to the second socket of the socket pair; and providing the seccomp profile to the kernel.

4. The method of claim 3, wherein modifying the system call comprises: changing the arguments of the system call to connect the system call to the second socket of the socket pair based on the seccomp profile, wherein the container operates as if it is connected to the audit log of the kernel.

5. The method of claim 4, further comprising: monitoring the second socket of the socket pair using a management program, wherein the management program writes the information to the substitute log in response to detecting that the information has been written to the second socket of the socket pair.

6. The method of claim 1, wherein container tools access the information from the substitute log on an ad-hoc basis.

7. A system comprising: a memory; and a processing device operatively coupled to the memory, the processing device to: detect a system call attempting to write information to an audit log of a kernel, wherein the system call originates from a container; create a socket pair in response to detecting the system call, wherein each socket of the socket pair represents an endpoint of a virtual connection and wherein a second socket of the socket pair is an unprivileged socket and is a different type of socket from a socket initially used by the system call when attempting to write the information to the audit log of a kernel; connect a first socket of the socket pair to the container; modify the system call to reroute the system call to the second socket of the socket pair, wherein the second socket is connected to a substitute log that is to receive information intended for the audit log; write the information to the second socket of the socket pair; and in response to detecting that the information has been written to the second socket of the socket pair, write the information directly from the second socket to the substitute log, wherein the substitute log is defined within one or more directories specific to the container.

8. The system of claim 7, wherein to detect the system call, the processing device is to: determine that the system call is attempting to create a netfilter socket to communicate with the audit log of the kernel.

9. The system of claim 7, wherein the processing device is further to: define a secure computing mode (seccomp) profile comprising a set of rules for filtering system calls from the container, wherein the set of rules comprises rules instructing the kernel to change arguments of the system call to connect the system call to the second socket of the socket pair; and provide the seccomp profile to the kernel.

10. The system of claim 9, wherein to modify the system call, the processing device is to: change, using the kernel, the arguments of the system call to connect the system call to the second socket of the socket pair based on the seccomp profile, wherein the container operates as if it is connected to the audit log of the kernel.

11. The system of claim 10, wherein the processing device is further to: monitor the second socket of the socket pair using a management program, wherein the management program writes the information to the substitute log in response to detecting that the information has been written to the second socket of the socket pair.

12. The system of claim 7, wherein container tools access the information from the substitute log on an ad-hoc basis.

13. A non-transitory computer-readable medium having instructions stored thereon which, when executed by a processing device, cause the processing device to: detect a system call attempting to write information to an audit log of a kernel, wherein the system call originates from a container; create a socket pair in response to detecting the system call, wherein each socket of the socket pair represents an endpoint of a virtual connection and wherein a second socket of the socket pair is an unprivileged socket and is a different type of socket from a socket initially used by the system call when attempting to write the information to the audit log of a kernel; connect a first socket of the socket pair to the container; modify, by the processing device, the system call to reroute the system call to the second socket of the socket pair, wherein the second socket is connected to a substitute log that is to receive information intended for the audit log; writing the information to the second socket of the socket pair; and in response to detecting that the information has been written to the second socket of the socket pair, write the information directly from the second socket to the substitute log, wherein the substitute log is defined within one or more directories specific to the container.

14. The non-transitory computer-readable medium of claim 13, wherein to detect the system call, the processing device is to: determine that the system call is attempting to create a netfilter socket to communicate with the audit log of the kernel.

15. The non-transitory computer-readable medium of claim 13, wherein the processing device is further to: define a secure computing mode (seccomp) profile comprising a set of rules for filtering system calls from the container, wherein the set of rules comprises rules instructing the kernel to change arguments of the system call to connect the system call to the second socket of the socket pair; and provide the seccomp profile to the kernel.

16. The non-transitory computer-readable medium of claim 15, wherein to modify the system call, the processing device is to: change, using the kernel, the arguments of the system call to connect the system call to the second socket of the socket pair based on the seccomp profile, wherein the container operates as if it is connected to the audit log of the kernel.

17. The system of claim 16, wherein
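As an added illustration of the mechanism in the abstract and in claims 1 and 5 (example code written for this page, not code from the patent or from Red Hat), the following Python models the management-program side on Linux: it assumes the kernel-side seccomp handling has already swapped the container's audit socket for one end of an AF_UNIX socket pair, and shows the monitor decoding the netlink framing a container process would have written to the audit socket and appending each record to a per-container substitute log. The socket pair, the container id, the directory layout and the two audit records are constructed for the example.

```python
import os
import socket
import struct
import tempfile
# struct nlmsghdr (<linux/netlink.h>): u32 len, u16 type, u16 flags, u32 seq, u32 pid
NLMSG_HDR = struct.Struct("=IHHII")
NLM_F_REQUEST, NLM_F_ACK = 0x01, 0x04
AUDIT_TYPES = {1005: "USER", 1107: "USER_AVC", 1112: "USER_LOGIN"}  # <linux/audit.h>

def nlmsg_align(n):
    return (n + 3) & ~3  # NLMSG_ALIGN: round up to a 4-byte boundary

def build_audit_msg(msg_type, payload, seq=1):
    """Frame a record the way libaudit clients do before writing to the audit socket."""
    length = NLMSG_HDR.size + len(payload)
    hdr = NLMSG_HDR.pack(length, msg_type, NLM_F_REQUEST | NLM_F_ACK, seq, 0)
    return hdr + payload + b"\0" * (nlmsg_align(length) - length)

def parse_audit_msgs(buf):
    """Walk one or more netlink messages in buf, returning (type, text) pairs."""
    records, off = [], 0
    while off + NLMSG_HDR.size <= len(buf):
        length, msg_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(buf, off)
        if length < NLMSG_HDR.size or off + length > len(buf):
            raise ValueError("truncated or malformed netlink message")
        text = buf[off + NLMSG_HDR.size:off + length].rstrip(b"\0")
        records.append((msg_type, text.decode("utf-8", "replace")))
        off += nlmsg_align(length)  # step over the padding as well
    return records

def drain_to_substitute_log(mgmt_end, container_id, base_dir):
    """Monitor the unprivileged end; append to <base_dir>/<container_id>/audit.log (assumed layout)."""
    log_dir = os.path.join(base_dir, container_id)
    os.makedirs(log_dir, mode=0o700, exist_ok=True)
    written = []
    with open(os.path.join(log_dir, "audit.log"), "a", encoding="utf-8") as log:
        while data := mgmt_end.recv(65536):  # b"" once the container end closes
            for msg_type, text in parse_audit_msgs(data):
                line = f"type={AUDIT_TYPES.get(msg_type, msg_type)} msg={text}"
                log.write(line + "\n")
                written.append(line)
    return written

def demo(base_dir=None, container_id="ctr-demo"):  # constructed container id
    base_dir = base_dir or tempfile.mkdtemp()
    # Stand-in for the kernel-created pair: container_end replaces the audit socket, mgmt_end is watched
    container_end, mgmt_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    container_end.send(build_audit_msg(1005, b'op=login acct="alice" res=success'))
    container_end.send(build_audit_msg(1107, b"avc: denied { read }", seq=2))
    container_end.close()  # EOF lets the monitor loop finish in this demo
    return drain_to_substitute_log(mgmt_end, container_id, base_dir)
```

A SOCK_SEQPACKET pair is used so that each netlink message keeps its boundary and the monitor sees EOF when the container end closes; a real monitor would keep reading for the container's lifetime rather than stopping at EOF.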

Assignees

Red Hat Inc
Inventors

Classifications

  • where tasks reside in different layers, e.g. user- and kernel-space · CPC title

  • Monitoring or debugging support · CPC title

  • Isolation or security of virtual machine instances · CPC title

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title

  • Hypervisor-specific management and integration aspects · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12332995B2 cover?
Embodiments of the present disclosure provide a substitute audit log for use by applications in the user-space of a host operating system to write audit information. When a container makes a system call attempting to write audit information to an audit log of the kernel, the kernel may utilize a predefined set of instructions indicating how to detect such system calls and how such system calls …
Who is the assignee on this patent?
Red Hat Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/53. Mapped technology areas include Physics.
When was this patent published?
Publication date Jun 17, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).