libseccomp
The main libseccomp repository
This came out of issue #314. While `arch-syscall-check.c` is good at ensuring the internal libseccomp syscall tables are consistent across arch/ABIs, it doesn't verify that we have the necessary `__SNR_xxx`...
This is related to opencontainers/runc#2151. In order to work around #286 and related issues, we have to generate inverse rules for all syscalls specified in our allow list. Unfortunately this...
Triggered by a discussion (in [June](https://lists.freedesktop.org/archives/systemd-devel/2020-June/044755.html) & [Aug](https://lists.freedesktop.org/archives/systemd-devel/2020-August/045038.html)) on systemd-devel: systemd-nspawn chooses to return `EPERM` for non-whitelisted syscalls. However, this causes problems in cases like `openat2`, where libc checks...
The implementation of `seccomp_notify_receive()` just uses:

```c
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
	return -ECANCELED;
```

Regardless of the error in `errno`, it returns `-ECANCELED`. When debugging with strace, I...
What about adding `seccomp_arch_name` (inverse of `seccomp_arch_resolve_name`) to the API? It would be nice (e.g. to debug rule generation) if the SCMP_ARCH_* constants can be resolved to the architecture...
This should be useful, e.g., for https://github.com/systemd/systemd/issues/3882 . I did a tentative patch for systemd that checks whether `Seccomp` is mentioned in `/proc/self/status`:

```c
bool is_seccomp_enabled() {
        _cleanup_free_ char*...
```
On x32, the kernel VDSO that provides clock_gettime and gettimeofday sometimes falls back to the underlying syscall. Unfortunately, it falls back to the x86-64 variant of that syscall (https://bugs.debian.org/850047 is...
Internally libseccomp has supported transactions for some time now, but we haven't exposed this as part of the libseccomp API. Originally this was fine as the transaction mechanism was relatively...
In addition to the syscall number and syscall arguments the kernel makes the caller's IP available to seccomp-bpf filters, we should consider exposing this in libseccomp. See a related request...
Looking at the `seccomp_init()` and `seccomp_load()` man pages raised a question for me: what happens if I try to init() and load() another set of seccomp filters while running on another child thread,...