Stack Overflow
Stack Overflow

Questions tagged [seccomp]

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

In older kernels, the access was (only) via the prctl() system call; since kernel 3.17, there is a separate seccomp() system call that should be used in preference.

101 questions
4
votes
1 answer

How to get the return code of the syscall using SECCOMP_RET_DATA and PTRACE_GETEVENTMSG

I'm a little bit confused trying to obtaining syscall's return value using ptrace + seccomp. man 4 bpf says: FILTER MACHINE A filter program is an array of instructions, with all branches forwardly directed, terminated by a return…
Sam Toliman
  • 123
  • 1
  • 5
4
votes
1 answer

What is the default location of Docker seccomp profile?

Question: Where does docker store it's default seccomp profile ? It seems like this isn't documented anywhere(at least i couldn't find it) . What i could find was the contents of the file on github:…
Mino_e
  • 393
  • 3
  • 16
4
votes
1 answer

How do you cleanly exit after enabling seccomp in Python?

I have enabled seccomp via python-prctl in a project. I can't quite figure out how to exit cleanly - the result is always a kill. I saw some examples that use ctypes or ffi to try to reference libc, but if I expect them with WIFEXITED they also…
tamarintech
  • 1,972
  • 12
  • 17
3
votes
1 answer

Curl error (6) on amazonlinux docker container during `yum install`, but no issues with other image

I am attempting to build a Docker container on my local machine based on the amazonlinux:latest image, but running into a Curl error during the yum install steps in my Dockerfile: #6 0.378 - Curl error (6): Couldn't resolve host name for…
Derek Schilling
  • 41
  • 3
3
votes
0 answers

Can I use seccomp on Amazon Lambda

I am trying to use Amazon Lambda to host a programming learning platform, where I have to execute simple untrusted Python code. My latest attempt at isolating the user’s code in a simple way is to use seccomp to disable anything but reading from…
Joachim Breitner
  • 25,395
  • 6
  • 78
  • 139
3
votes
1 answer

Why does loading seccomp filter affect permitted and effective capability set?

I'm recently writing programs with libcap and libseccomp, and I notice a problem when using them together. In the following minimal reproducible example, I first set the current process' capability to P(inheritable) = CAP_NET_RAW only, with other…
taoky
  • 43
  • 1
  • 7
3
votes
1 answer

C SECCOMP blocks or closes STDIN/STDOUT

I am now implementing to run another program in child process after fork. int main(int argc, char *argv[]) { pid_t pid = 0; int status; struct user_regs_struct regs; prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); …
pincoin
  • 665
  • 5
  • 19
3
votes
1 answer

seccomp: from parent, find which system call caused child to die on SIGSYS

I will describe my question in detail and forgive my unruly and crude please. I had done some experiments on seccomp-BPF and signal handing. At beginning I followed this tutorial. After adding SIGSYS signal handling (syscall-reporter.c) I can get…
crazyX
  • 39
  • 2
3
votes
1 answer

Passing --security-opt seccomp:filename.json to a container in Docker swarm

I need to pass a custom seccomp profile file to a container running on a Docker swarm. It can be easily done and it works fine with a standalone container using --security-opt option. The problem arises when you try to pass it to a container that is…
Yuri Vorontsov
  • 81
  • 1
  • 5
3
votes
1 answer

Inconsistent seccomp behavior

I am working on containing different applications using Linux's seccomp and I got to an inconsistency I cannot explain. I have tried to give you examples clear enough to reproduce the problem. I am creating a "protector module" which disallows…
Ben Hirschberg
  • 1,410
  • 1
  • 12
  • 17
3
votes
1 answer

Pointer return values in seccomp systemcall trap functions

I'm trying to implement trap functions for different systemcalls. The target is, that a broker will execute them and then return the result. So the client won't execute the commands itself. Seccomp offers the ability to achieve this: What have i…
user4833973
  • 31
  • 3
3
votes
1 answer

Opening a DGRAM socket from within a docker container fails (permission denied)

I'm running an application which builds and sends ICMP ECHO requests to a few different ip addresses. The application is written in Crystal. When attempting to open a socket from within the crystal docker container, Crystal raises an exception:…
voxobscuro
  • 2,132
  • 1
  • 21
  • 45
3
votes
1 answer

Process Isolation in Rust

I want to implement a server for a protocol. For security reasons the parser should be isolated in its own thread from the rest of the program and only a bidirectional channel should be held open for communication. The parser thread should lose any…
user3637203
  • 762
  • 5
  • 17
3
votes
2 answers

Find syscalls whitelisted by seccomp

So I stumbled across a program in C that uses seccomp to filter out a few syscalls. Is there anyway, other than bruteforcing, to find out the syscalls that are actually allowed. Thanks in advance
Jayakrishna Menon
  • 149
  • 8
3
votes
1 answer

Why does a seccomp process always get killed?

Why does a process that has gone into seccomp mode always get killed on exit? $ cat simple.c #include #include #include int main( int argc, char **argv ) { printf("Starting\n"); prctl(PR_SET_SECCOMP,…
engie
  • 2,569
  • 3
  • 18
  • 13
1
2
3 4 5 6 7