A hacked up version of https://man7.org/tlpi/code/online/dist/seccomp/seccomp_user_notification.c.html running inside Frida.
installFilter() should be called on the main thread of the application. It's not possible to install the seccomp filter from rpc.exports.init() because it runs on a Frida thread.
installFilter() sets NO_NEW_PRIVS (required if non-root), installs the seccomp filter to trigger notifications, then creates a pthread to watch for notifications. On each notification, a callback into Frida is invoked.
When the callback fires, it won't be on the thread that invoked the syscall. I'm not actually sure how to use Frida to interact with the suspended thread. Don't know how to get a backtrace on it or execute code on it. Might be possible to set a temporary interceptor on its EIP.
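The flow described above, as an added C example that is not the gist's code or the TLPI program: it sets NO_NEW_PRIVS, installs a user-notification filter on the calling thread, and starts a watcher pthread whose notification carries the TID of the suspended caller in its pid field. It assumes Linux 5.0 or later on x86-64 or arm64; the function names, the choice of getppid as the trapped syscall, and the spoofed return value 4242 are illustrative.

```c
/* Added example, not the gist's code. Assumes Linux >= 5.0 on x86-64 or arm64. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifdef __x86_64__
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#else
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif
static int lfd = -1; static pid_t notified_tid; /* listener fd; TID seen by the watcher */
/* Filters the CALLING thread and threads it creates later. Returns listener fd or -1. */
int install_filter(void) {
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* foreign syscall ABI */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),   /* trapped syscall */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof f / sizeof f[0], f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
}
/* Watcher thread: take one notification, record who is blocked, answer with a spoofed value. */
static void *watch(void *arg) {
    struct seccomp_notif req = {0}; struct seccomp_notif_resp resp = {0};
    if (ioctl(lfd, SECCOMP_IOCTL_NOTIF_RECV, &req) == 0) {
        notified_tid = (pid_t)req.pid;     /* req.pid is the TID of the suspended caller */
        resp.id = req.id; resp.val = 4242; /* the caller's getppid() will return 4242 */
        ioctl(lfd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    }
    close(lfd); /* with no listener left, trapped calls fail with ENOSYS instead of hanging */
    return NULL;
}
int demo(void) { /* 1: notification named this thread; 0: mismatch; -1: kernel refused */
    pthread_t t;
    if ((lfd = install_filter()) < 0 || pthread_create(&t, NULL, watch, NULL) != 0) return -1;
    long rc = syscall(SYS_getppid); /* blocks here until the watcher responds */
    pthread_join(t, NULL);
    return rc == 4242 && notified_tid == (pid_t)syscall(SYS_gettid);
}
```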