Questions tagged [seccomp]

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

In older kernels, the access was (only) via the prctl() system call; since kernel 3.17, there is a separate seccomp() system call that should be used in preference.

101 questions
2 votes, 1 answer

wait() hangs when CLONE_THREAD

I am tracing some processes and their children using ptrace. I am trying to print specific system calls (using a Seccomp filter that notifies ptrace, see this blog post). In most cases my code (see below) is working fine. However, when I am tracing a…
2 votes, 3 answers

Adding custom seccomp profile in docker

I am trying to use a custom seccomp profile with the docker run command; however, invoking it gave the following error: $ sudo docker run --rm -it --security-opt seccomp=/home/temp/default.json ubuntu docker: Error response from daemon: OCI runtime create…

user3862410
2 votes, 0 answers

Catch seccomp violation of Docker container

I would like to catch any prohibited system calls that a container, started with a seccomp profile, executes. For example, my profile defines chown as blocked, which is also prevented within the container. Now, I would like to log if a…

MajorasKid
2 votes, 0 answers

SECCOMP_MODE_STRICT in unprivileged Docker container

When running a normal, unprivileged Docker container, it seems that SECCOMP_MODE_STRICT cannot be applied, returning EINVAL. SECCOMP_MODE_FILTER works correctly, and using --privileged or --security-opt 'seccomp=unconfined' allows MODE_STRICT to…

clubby789
2 votes, 0 answers

Integrate seccomp profile into Docker image

I have a seccomp profile for my Golang app (generated with go2seccomp) to use with Docker but would like not to have to use it on the command line with --security-opt. Is there a way to "integrate" the profile while building the image? One reason is…

Bytemare
2 votes, 1 answer

implicit reference to seccomp

PROBLEM: I'm trying to play with seccomp but I can't understand why gcc tells me that the seccomp() function call has an implicit declaration. #define _GNU_SOURCE #include // offsetof #include #include #include…

Maicake
2 votes, 0 answers

Is there a way to load a seccomp filter after exec.Start() and before the command starts

I'm writing a simple sandbox using Go code as a module, and I need to load seccomp rules to limit the system calls for the command. I use os/exec to run the command but I can't find any way to load the filter before the command really starts. I found…

boxjan
2 votes, 1 answer

About the seccomp of container

I want to get the available system call list of a running container without knowing the Seccomp profile. How can I achieve it?

Luba A
2 votes, 0 answers

How to make Android app running on 7.0 compatible with server containing ECC certificate secp384r1

After updating our server with an ECC certificate (secp384r1), our client app running on Android 7.0 could not establish communication with the server but got an OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE exception. Doing some investigation it is…
2 votes, 1 answer

seccomp how to handle ptrace events

I am using seccomp filters to restrict system calls made by a process. Using a whitelist of system calls to allow or disallow is understandable so far. I am stuck on the concept of ptrace events generated by seccomp rules. For example I can…

incompetent
1 vote, 1 answer

Enabling seccomp strict mode gets "Invalid Argument" error on Replit

I am making an online code judge using Replit, and I want to use seccomp to securely run submitted code. Through reading a few tutorials, I have made a simple test program to test seccomp: #include #include #include…

Eric Xue
1 vote, 0 answers

ls -l in Docker shows question marks in place of file permissions and stats

Before I begin, there are other questions that mention that ls -l produces question marks, but those are due to a permissions issue. This question is different. Hopefully! I have a decommissioned Docker host: Kernel 3.10 docker 18.06 glibc…

Praveen Lobo
1 vote, 1 answer

Unable to launch docker container with custom seccomp profile

Unable to start a docker container with a custom seccomp profile using JSON. Getting the error below. sudo docker run --name=alpin1effcon1t -it 453135d09376 --security-opt seccomp:chrome.json docker: Error response from daemon: OCI runtime create…

Oxycash
1 vote, 0 answers

seccomp and apparmor vs in-container root user

I'm trying to build Docker images without a privileged builder, therefore DinD is not an option. I have now found two ways of achieving that, with either kaniko or img. Both of them work in my local Docker setup and achieve that goal: docker run --rm -it…

cmdjulian
1 vote, 1 answer

Error: failed to create containerd container: cannot load seccomp profile, no such file or directory

Trying to set a custom seccomp profile when using kubectl apply and, despite the file being there in the container, the pod will not start with the following error: Error: failed to create containerd container: cannot load seccomp profile…

BrutalDev