Questions tagged [seccomp]

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

In older kernels, the access was (only) via the prctl() system call; since kernel 3.17, there is a separate seccomp() system call that should be used in preference.

101 questions
1
vote
1 answer

How can I bypass seccomp

I know the way to bypass filter mode, but I don't know the way to bypass strict mode. On 64-bit, the code has: read 1024 bytes at rwxp mapped buf, run buf(), scanf address and scanf value, write value(long) at address(long), and has only canary and…
Dotch
1
vote
1 answer

How can I reliably observe which paths an executable is accessing?

In Linux or macOS, is there a way to observe which paths an x86-64 executable is trying to access, so that: I can see the path of every file access, and the executable can't read content of any file, directly or indirectly, without me knowing about…
Kornel
1
vote
3 answers

Run a process from C with a seccomp profile

I want to run a process with a seccomp profile applied to it (can be from C, terminal, etc.). In particular, I would like the target command to not be allowed to read and write any files, and it can just print to the console. The temporary C outline…
user100123122
1
vote
1 answer

Is it possible to get the current PID in a seccomp filter?

When working with seccomp userspace notifications (https://www.kernel.org/doc/html/latest/userspace-api/seccomp_filter.html) via SECCOMP_RET_USER_NOTIF I found the PID as part of the seccomp_notif struct extremely useful for some filtering…
1
vote
1 answer

Install seccomp filter in child

I would like to know if it is possible to install a seccomp filter in a child process in a Go program. Currently I am spawning the child process as follows: cmd := exec.Command(target) cmd.Stdout = os.Stdout cmd.Stdin = os.Stdin cmd.Stderr =…
Zach
1
vote
0 answers

Modify the ptrace without passing the flag

I'm running some distributed training on some platform using MPI. During the training I saw massive printings like: Read -1, expected 5017600, errno = 1 Read -1, expected 5017600, errno = 1 Read -1, expected 5017600, errno = 1 Read -1, expected…
1
vote
1 answer

Docker fails building image when using default seccomp profile

When I try to build a docker image I get the following error OCI runtime create failed: container_linux.go:346: starting container process caused "seccomp: config provided but seccomp not supported": unknown I'm running docker build -t…
cpr4t3s
1
vote
1 answer

Failed to create pod sandbox: rpc error: code = Unknown desc = seccomp is not enabled in your kernel, cannot run with a profile

I'm having a problem with kube & Cri-o. Actually I'm deploying a kube cluster and I just want to deploy the dashboard. I've installed CRIO instead of Docker (RHEL8 in production environment). The output log of the "describe pod" command is:…
CptBuko
1
vote
1 answer

use another data structure instead of seccomp_data with seccomp

Is it possible to use another data structure instead of seccomp_data within the BPF code of seccomp? For example from this... ... BPF_STMT(BPF_LD+BPF_W+BPF_ABS,(offsetof (struct seccomp_data, args[0]))), ... to…
Maicake
1
vote
1 answer

What's the difference between Seccomp and Capabilities wrt Docker environment?

I want to restrict a process (running in a docker container) from performing some function - I have 2 options: either I restrict its capabilities or I use a seccomp profile. My question is which option to choose and under what circumstances? I am…
1
vote
1 answer

Why after load seccomp filter, PING will no work by normal user

I use seccomp to record the syscalls used by 'ping'. When I run it, it always shows socket: Operation not permitted. I can run ping in bash very well, but it does not work after loading the seccomp filter in the program. But if I run the same program as root, it will run very…
boxjan
1
vote
1 answer

seccomp system call priority values 65535

I've read that priority can be a value between 0 and 255 (http://man7.org/linux/man-pages/man3/seccomp_syscall_priority.3.html). Why, when using seccomp_export_pfc, is the baseline priority 65535??? # filter for syscall "exit_group" (231) [priority:…
Maicake
1
vote
1 answer

Questions about how docker daemon initializes the seccomp filter

I read the original code of the moby project and read the seccomp code in the moby/profiles folder. I know that docker uses libseccomp-golang to support the feature. We usually use the libseccomp.NewFilter() API to create a seccomp filter.…
Luba A
1
vote
1 answer

How to bypass seccomp in linux

Even if a process uses seccomp and is limited to exit, read and write, could I still do harm? And if I can, how is it possible to exploit a system like that?
VinShety
1
vote
1 answer

error: ‘scmp_filter_ctx’ was not declared in this scope

I am getting a compilation error: error: ‘scmp_filter_ctx’ was not declared in this scope. I have declared a seccomp filter: scmp_filter_ctx ctx; I have included the library #include and already installed the library libseccomp-dev…