When working with seccomp userspace notifications (https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) via SECCOMP_RET_USER_NOTIF, I found the PID as part of the seccomp_notif struct extremely useful for some filtering decisions. In eBPF filters, helper functions like bpf_get_current_pid_tgid() can be used to obtain such information. But since seccomp only seems to support classic BPF, I was wondering if there is another way. Inside a seccomp filter, as far as I know, it is only possible to access the seccomp_data structure. Is there a way to get specific information like the PID inside a seccomp filter directly?
1 Answer
No, you cannot get that information from the seccomp filter itself unless it is part of the syscall arguments. To retrieve the PID, you would have to, e.g., give control to a userspace ptracer process or rely on SECCOMP_RET_USER_NOTIF as you mentioned.

pchaigno
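The point made in the answer, as an added example that is not part of the original post: a classic BPF seccomp filter can only load words from struct seccomp_data (nr, arch, instruction_pointer, args), so the most it can do is return SECCOMP_RET_USER_NOTIF and let the supervisor read the PID from struct seccomp_notif. The names notify_getpid, read_past_end and run_filter are hypothetical; run_filter is a small userspace model covering only the three opcodes used here, and the filter assumes the x86-64 audit arch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
/* Filter: foreign arch -> kill, getpid -> notify supervisor, else allow. */
static const struct sock_filter notify_getpid[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Tries to read the word just past seccomp_data; no PID field exists there. */
static const struct sock_filter read_past_end[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, sizeof(struct seccomp_data)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
/* Userspace model of filter execution. Returns the action, or -1 for a load
 * outside seccomp_data (the kernel rejects such a filter with EINVAL). */
static int64_t run_filter(const struct sock_filter *f, size_t len,
                          int nr, uint32_t arch)
{
    struct seccomp_data sd = { .nr = nr, .arch = arch }; /* all the filter sees */
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        uint32_t k = f[pc].k;
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (k % 4 || k > sizeof(sd) - 4) return -1;
            memcpy(&acc, (const char *)&sd + k, 4);
        } else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == k) ? f[pc].jt : f[pc].jf;
        } else {
            return f[pc].code == (BPF_RET | BPF_K) ? (int64_t)k : -1;
        }
    }
    return -1;
}

int main(void)
{
    return run_filter(notify_getpid, LEN(notify_getpid), __NR_getpid,
                      AUDIT_ARCH_X86_64) == SECCOMP_RET_USER_NOTIF ? 0 : 1;
}
```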