Questions tagged [seccomp]

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

In older kernels, the access was (only) via the prctl() system call; since kernel 3.17, there is a separate seccomp() system call that should be used in preference.

101 questions

votes

1 answer

I load a seccomp filter to disallow fork(), but can still use fork() with no problem

I'm trying to create a seccomp filter that would blacklist the use of fork(). This is my code: #include #include #include #include int main(void) { int rc = -1; int pid_t; …

c linux seccomp

asked Dec 21 '18 at 00:05

Alex V

3,416
2
33
52

votes

1 answer

How can sigreturn block all signal except SIGKILL and SIGSTOP in SECCOMP_SET_MODE_STRICT?

In section SECCOMP_SET_MODE_STRICT of man 2 seccomp, it is said that: Note that although the calling thread can no longer call sigprocmask(2), it can use sigreturn(2) to block all signals apart from SIGKILL and SIGSTOP. I cannot figure out how…

linux linux-kernel signals system-calls seccomp

asked Nov 29 '18 at 14:32

JiaHao Xu

2,452
16
31

votes

1 answer

elasticsearch: where is bootstrap.system_call_filter set?

elasticsearch 6.4.2 on Centos 7.5 I need to turn off bootstrap.system_call_filter (because it is preventing startup, for reasons I do not understand, outlined here) When I add: system_call_filter=false to jvm.options, elastic doesn't start at…

elasticsearch seccomp

asked Oct 29 '18 at 18:17

Jonesome Reinstate Monica

6,618
11
65
112

votes

2 answers

Docker seccomp not working on Kali

I'm investigating about kernel security using Docker. I'm testing seccomp and it works very well on Debian and Ubuntu, but It's not working on Kali Linux. Example: I created a simple json file called sec.json with this content: { …

security docker linux-kernel kernel seccomp

asked May 06 '17 at 11:43

OscarAkaElvis

5,384
4
27
51

votes

0 answers

pip is not allowing me to install seccomplite

I tried to install seccomplite package with pip. instead I got these errors. Please help. Collecting seccomplite Using cached seccomplite-0.1.0a3.tar.gz Installing collected packages: seccomplite Running setup.py install for seccomplite…

python python-3.x package pip seccomp

asked Dec 21 '16 at 19:29

Vasantha Ganesh

4,570
3
25
33

votes

1 answer

why seccomp ban my normal system call

This is the newest problem in pwnable.kr , asm.c use seccomp to restrict my system call except:write(),open(),read() and exit(). asm.c: #include #include #include #include #include #include…

linux nasm shellcode seccomp

asked Nov 29 '16 at 11:30

ETenal

votes

1 answer

docker restore fails - when checkpointed with active TCP connections - criu

I am using cr-defunct checkpoint restore (based on feedback from Ross Boucher) to build 1.10.0-dev from source to get checkpoint/restore functionality. When I checkpoint a container without any active TCP connections, and then restore it into a…

tcp docker restore checkpoint seccomp

asked Jun 13 '16 at 20:09

userVK

votes

1 answer

Python Seccomp Allow STDIN

I'm working on a project where I will be running potentially malicious code. It's basic organization is that there is a master and a slave process. The slave process runs the potentially malicious code, and has seccomp enabled. import…

python stdin seccomp

asked Aug 11 '14 at 05:20

KosherBacon

votes

1 answer

Can a sand box mitigate the effect of a buffer overflow.

I have to do some research about Sand Box process. But I cannot understand how a sandbox can mitigate a buffer overflow. Let's say I have my server application ( a FTP server) this is affect by a buffer overflow which can be exploited remotely. How…

security linux-kernel selinux seccomp

asked Jan 01 '13 at 09:55

Giuseppe Pes

7,772
3
52
90

-1

votes

1 answer

Running Spark on EKS 1.25 in Restricted Namespace

We are currently running Spark jobs on EKS 1.24. The jobs run in a PSS restricted namespace. We specify the securityContext settings in a pod template file. These settings provide a seccompProfile which is required by the PSS restricted policy.…

apache-spark kubernetes seccomp security-context

asked Mar 04 '23 at 00:55

Conrad Mukai

-1

votes

1 answer

elasticsearch will not start: Seccomp is present, but bootstrap check fails (Centos 7 / ES 6.4.2)

CentOS Linux release 7.5.1804 (Core) Configuring a production cluster, and ES refuses to start: 1:33:56,454][INFO ][o.e.t.TransportService ] [node-68795-C] publish_address {192.168.200.162:9300}, bound_addresses…

elasticsearch seccomp

asked Oct 29 '18 at 14:07

Jonesome Reinstate Monica

6,618
11
65
112

Prev 1 2 3 4 5 6