1

I have an existing program that I would like to sandbox using seccomp (v2).

How can I find what seccomp rules I need to allow for the program?

I've tried adding seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(…), 0) for all syscalls printed by strace -xfc a.out, but apparently that wasn't enough, since I'm still getting "SIGSYS, Bad system call" when I run the program with seccomp.

Kornel
  • 97,764
  • 37
  • 219
  • 309

1 Answers1

3

Probably the most reliable way is to switch your seccomp filter to return SECCOMP_RET_TRAP ("send catchable SIGSYS on error") rather than SECCOMP_RET_KILL ("kill the process with an uncatchable SIGSYS"), then print the siginfo_t from the signal handler, then commit suicide.

o11c
  • 15,265
  • 4
  • 50
  • 75
  • Is that equivalent to `scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);`? – Kornel Jul 01 '18 at 17:03
  • Yes, that's one of the C-level libraries; I was answering at the syscall level since that's the same. – o11c Jul 01 '18 at 20:56