So let's suppose I have a simple program like this:

#include <seccomp.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

int main(void) {
    scmp_filter_ctx ctx;
    int ret = 0;

    ctx = seccomp_init(SCMP_ACT_ALLOW);
    ret |= seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0);
    ret |= seccomp_load(ctx);

    if (ret) {
        exit(ret);
    }

    // some more stuff

    execve("/bin/sh", NULL, NULL);
}

Is it possible for the execve-spawned process to not inherit the restriction? (We are talking configuration; I do not want to call anything seccomp-related anymore before the execve invocation.)

milck
  • What happens if you init a new context with no rules and load it? – user253751 Jul 28 '21 at 16:18
  • I cannot do that. The restrictions have to drop on process replacement because I do not control the invocation of the execve syscall – milck Jul 28 '21 at 17:26
  • Do you control the use of seccomp? Then try not using seccomp – user253751 Jul 29 '21 at 08:10
  • Yes, I was looking for alternatives. The only thing which comes reasonably close is a sandbox using ptrace. Other suggestions welcome – milck Jul 29 '21 at 13:25

0 Answers
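An added example, not part of the original question or its comments: seccomp(2) documents that a loaded filter is preserved across execve, and the program below shows that behaviour by running the same shell command with and without a filter. It uses raw prctl/BPF rather than libseccomp; `install_filter`, `run_sh` and the shell command are names and values assumed for illustration.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Raw-BPF counterpart of the question's rule: kill on write (and writev,
 * which some libcs use for stdio), allow everything else. A production
 * filter would also validate seccomp_data.arch before matching numbers. */
static int install_filter(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_writev, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]),
                                .filter = prog };
    /* no_new_privs lets an unprivileged process load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork, optionally load the filter, execve /bin/sh (constructed command),
 * and return the child's wait status to the unfiltered parent. */
int run_sh(int with_filter) {
    char *argv[] = { "sh", "-c", "echo x >/dev/null", NULL };
    char *envp[] = { NULL };
    int status = -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (with_filter && install_filter() != 0) _exit(126);
        execve("/bin/sh", argv, envp);  /* filter stays attached across this */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}

int main(void) {
    int plain = run_sh(0), filtered = run_sh(1);
    printf("no filter: exited normally = %d\n", WIFEXITED(plain));
    printf("filtered:  killed by signal = %d\n", WIFSIGNALED(filtered));
    return 0;
}
```

The filtered shell is terminated with SIGSYS on its first write, even though the filter was installed before the process image was replaced.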