Stack Overflow
Stack Overflow

Questions tagged [seccomp]

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

In older kernels, the access was (only) via the prctl() system call; since kernel 3.17, there is a separate seccomp() system call that should be used in preference.

101 questions
1
vote
1 answer

Enable default secomp and apparmor profiles , cluster level

Can I enable, on the cluster level, for the pods to use default secomp and apparmor profiles or do I need to make an admission controller of my own to insert the innotation to the objects? Leaving it to users is not an option.
Ijaz Ahmad
  • 11,198
  • 9
  • 53
  • 73
1
vote
1 answer

How to execute an untrusted function efficiently in a cross-platform way?

I am writing an open source cross-platform application written in C++ that targets Windows, Mac, and Linux on x86 CPUs. The application produces a stream of data (integers) that needs to be validated, and my application will perform actions…
Bernard
  • 5,209
  • 1
  • 34
  • 64
1
vote
1 answer

How can I find all syscalls that have to be whitelisted for seccomp?

I have an existing program that I would like to sandbox using seccomp (v2). How can I find what seccomp rules I need to allow for the program? I've tried adding seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(…), 0) for all syscalls printed by…
Kornel
  • 97,764
  • 37
  • 219
  • 309
1
vote
2 answers

Seccomp: Why does the following program deadlock?

I have the simple test program: #include #include #include #include #include #include #include void *do_work(void *args) { prctl(PR_SET_SECCOMP,…
Petter
  • 37,121
  • 7
  • 47
  • 62
1
vote
1 answer

How to change rules in seccomp filter of openssh

I have done the installation of OpenSSH_6.6p1 with OpenSSL 1.0.1f. It is working fine. There is a sandbox-seccomp-filter in OpenSSH_6.6p1. How can I change the rules in the filter and then how to implement the filter again so that OpenSSH can filter…
Tahir
  • 39
  • 5
1
vote
1 answer

How to add seccomp rules to a secific process?

I'm designing a judge system, which starts a new process and then limit the cpu time and memory usage of the new process. To ensure safety, some system calls can not be allowed with the new process, like fork, clone and so on. I tried to use…
virusdefender
  • 505
  • 5
  • 15
1
vote
1 answer

seccomp-bpf - how can i use bpf to filter the arguments of a system call?

I have a function f() which returns 0 or 1 - 0 for false, 1 for true. What I'd like to do is set a rule with seccomp-bpf so that the system call "fopen" is only allowed if f( --fopen's first parameter-- ) == 1. How would I do this?
user3475234
  • 1,503
  • 3
  • 22
  • 40
1
vote
2 answers

Suppressing "Bad system call" Message

As described here ,using seccomp filters, we can block specific system calls when running example.c file. The process will terminate and a "Bad system call" message will be printed: $ ./example Bad system call I want to suppress the message. Even…
Mohammad Javad Naderi
  • 486
  • 1
  • 4
  • 14
0
votes
0 answers

Logging system calls of external Process created by Java with Seccomp

I would like to log all system calls made by a Java application and the processes started from the application with a Seccomp profile. Im running the applcation within a Kubernetes pod and supplying the seccomp profile through the yml. Is there a…
Cheese3000
  • 1
0
votes
0 answers

libseccomp seems to be not working as expected

I have implemented libseccomp restrict certain system calls for a process. It is the first program that I have written. However, when I debugged it using strace, it appears that libseccomp is not functioning as expected. Following is libseccomp…
Shiva Madhunala
  • 1
0
votes
0 answers

External process on Android terminates with exit code 159 (abnormal termination with SIGSYS?)

I am writing an app which spawns an external process (a ported Linux app which in turn spawns other processes). This will ultimately be done in a separate thread, but for testing purposes, I am spawning the process from the UI thread (processing…
user149408
  • 5,385
  • 4
  • 33
  • 69
0
votes
0 answers

Is non root user and Seccomp necessary on docker desktop?

I was reading through playwright docs and when using docker they recommend to create a separate user inside the Docker container and use the seccomp profile. And a few questions came up to mind: is this necessary (security improvement) if I am using…
Joaquim
  • 111
  • 1
  • 10
0
votes
0 answers

Restrict system call

I have tried to restrict fork system call and allow thread system by using Setrlimit, nproc, but fork and thread both are not allowed by using Setrlimit. So I have come to know using seccomp but still same issue. Even seccomp also works same as…
Sudarshan
  • 1
0
votes
0 answers

How to connect to a new screen while working

->How to modify seccomp profile to block the keyctlsyscall? ->How Modify the security context in pod manifest to point to seccomp profile? ->How to apply newly modified policy using kubectl? Not able to solve this...
bhawana gupta
  • 1
0
votes
0 answers

When executing a compiled C/C++ file with below code using seccomp and execve, it is exiting with status code 159 and signal 31

I'm trying to execute C/C++ code in a secure environment using Seccomp and Ececve. But, C/C++ code is not being executed while trying with this setup. Please look at the files. seccomp_rules.c #include #include #include…
Vikram Ayaluri
  • 11
  • 2
1 2 3 4
5
6 7