I want to get notified every time a program performs any type of I/O system call. I want to see the parameters and the data being copied. I also want the opportunity to cancel the system call and even return fake results and data back to the program.
I already use strace to understand what programs do but it would be great if I could also intercept these calls in real time. Just keep the program waiting until I approve its open system call on that specific file.
Isn't this ability basically already provided via ptrace? The tracer can mutate syscall arguments, mutate syscall return values, or even block syscalls. The primitives ptrace provides should be sufficient to implement something like this.
That's basically how strace is implemented anyways.
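As an added example (not code from anyone in this thread), here is a minimal ptrace "syscall gate" on Linux/x86-64 that does what the comment above describes: the tracer stops a child at every syscall, pulls the pathname of each `openat()` out of the child's memory, asks a policy callback, and either lets the call proceed or cancels it (syscall number set to -1 on entry) and hands the child a fake `-EACCES` on exit. The names `gate_openat`, `deny_secret`, `allow_all`, `ask_operator` and the path `/tmp/ptrace-demo-secret.txt` are all constructed for the demo; the file does not need to exist. The tracee is a forked copy of the same program rather than an exec'd binary, to keep the register bookkeeping simple.

```c
/* Added example, not from the thread: ptrace-based openat() gate.
 * Assumes Linux on x86-64 (syscall number in orig_rax, args in rdi/rsi/...). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define TRACE_UNAVAILABLE   (-1)   /* ptrace refused (sandbox, Yama) or wrong arch */
#define CHILD_PTRACE_FAILED 200    /* tracee exit code when PTRACE_TRACEME fails */
#define SECRET_PATH "/tmp/ptrace-demo-secret.txt"   /* constructed; need not exist */

/* Policy callback: return 1 to allow the openat(), 0 to cancel it. */
typedef int (*policy_fn)(const char *path);

/* Copy a NUL-terminated string out of the tracee's address space, one word at a time. */
static int read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len)
{
    size_t off = 0;
    while (off + sizeof(long) <= len) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, addr + off, NULL);
        if (word == -1 && errno != 0)
            return -1;
        memcpy(buf + off, &word, sizeof(long));
        if (memchr(&word, '\0', sizeof(long)) != NULL)
            return 0;
        off += sizeof(long);
    }
    buf[len - 1] = '\0';
    return 0;
}

/* Tracee: ask to be traced, stop so the tracer can set options, then open
 * /dev/null (should always be allowed) and SECRET_PATH (policy decides).
 * Exit code: 0 if SECRET_PATH opened, otherwise the errno from that openat(). */
static void tracee_body(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(CHILD_PTRACE_FAILED);
    kill(getpid(), SIGSTOP);
    long fd = syscall(SYS_openat, AT_FDCWD, "/dev/null", O_RDONLY);
    if (fd < 0)
        _exit(100);
    fd = syscall(SYS_openat, AT_FDCWD, SECRET_PATH, O_RDONLY);
    _exit(fd < 0 ? errno : 0);
}

/* Tracer: returns the child's exit code, or TRACE_UNAVAILABLE if tracing failed. */
int gate_openat(policy_fn policy)
{
#if !defined(__linux__) || !defined(__x86_64__)
    (void)policy;
    return TRACE_UNAVAILABLE;
#else
    pid_t child = fork();
    if (child < 0)
        return TRACE_UNAVAILABLE;
    if (child == 0)
        tracee_body();

    int status;
    if (waitpid(child, &status, 0) < 0 || WIFEXITED(status))
        return TRACE_UNAVAILABLE;          /* no initial SIGSTOP stop: TRACEME refused */
    /* Flag syscall stops as SIGTRAP|0x80 so they are distinguishable from real SIGTRAPs. */
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD) == -1) {
        kill(child, SIGKILL);
        return TRACE_UNAVAILABLE;
    }

    int in_syscall = 0, deny_pending = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)(long)sig) == -1)
            return TRACE_UNAVAILABLE;
        sig = 0;
        if (waitpid(child, &status, 0) < 0)
            return TRACE_UNAVAILABLE;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))
            return 128 + WTERMSIG(status);
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);          /* ordinary signal: re-deliver it to the tracee */
            continue;
        }

        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1)
            return TRACE_UNAVAILABLE;
        in_syscall = !in_syscall;            /* stops alternate: entry, exit, entry, ... */
        if (in_syscall) {
            if (regs.orig_rax == SYS_openat) {
                char path[256];
                if (read_tracee_string(child, regs.rsi, path, sizeof path) == 0 && !policy(path)) {
                    regs.orig_rax = (unsigned long long)-1;   /* cancel: kernel skips the call */
                    ptrace(PTRACE_SETREGS, child, NULL, &regs);
                    deny_pending = 1;
                }
            }
        } else if (deny_pending) {
            regs.rax = (unsigned long long)-EACCES;           /* fake result seen by the tracee */
            ptrace(PTRACE_SETREGS, child, NULL, &regs);
            deny_pending = 0;
        }
    }
#endif
}

/* Example policies. */
int deny_secret(const char *path) { return strcmp(path, SECRET_PATH) != 0; }
int allow_all(const char *path)   { (void)path; return 1; }

/* Interactive policy in the spirit of the question: the tracee stays stopped
 * until the operator answers on stdin. */
int ask_operator(const char *path)
{
    char answer[8];
    fprintf(stderr, "tracee wants openat(\"%s\"); allow? [y/N] ", path);
    if (fgets(answer, sizeof answer, stdin) == NULL)
        return 0;
    return answer[0] == 'y' || answer[0] == 'Y';
}

int main(void)
{
    int rc = gate_openat(ask_operator);
    printf("child exit code %d: %s\n", rc,
           rc == EACCES ? "openat cancelled by tracer" : "not cancelled");
    return 0;
}
```

With `deny_secret` the child's `openat(SECRET_PATH)` fails with `EACCES` even though the kernel never saw the call; with `allow_all` it fails with the genuine `ENOENT`, which shows the gate is transparent for permitted calls. If `PTRACE_TRACEME` is refused (seccomp in a container, Yama `ptrace_scope`), `gate_openat` reports `TRACE_UNAVAILABLE` instead of guessing.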
This can be done with a FUSE server. By using filesystem namespaces, an app can then be restricted to just the view of the filesystem that this FUSE server exposes. Another possibility, at least for dynamically linked programs, would be to set LD_LIBRARY_PATH to force every system call through a wrapper.