Stack Overflow
Stack Overflow

Questions tagged [seccomp]

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

'SecComp' is an abbreviation for Secure Computing Mode, a facility built into modern Linux kernels that can be used to constrain (irreversibly) what a program is allowed to do.

In older kernels, the access was (only) via the prctl() system call; since kernel 3.17, there is a separate seccomp() system call that should be used in preference.

101 questions
37
votes
1 answer

Set secomp to unconfined in docker-compose

I need to be able fork a process. As i understand it i need to set the security-opt. I have tried doing this with docker command and it works fine. However when i do this in a docker-compose file it seem to do nothing, maybe I'm not using compose…
Icy Creature
  • 1,875
  • 2
  • 28
  • 53
21
votes
2 answers

seccomp --- how to EXIT_SUCCESS?

Ηow to EXIT_SUCCESS after strict mode seccomp is set. Is it the correct practice, to call syscall(SYS_exit, EXIT_SUCCESS); at the end of main? #include #include #include #include #include…
MCH
  • 415
  • 3
  • 11
11
votes
1 answer

Elasticsearch fails to start: CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed

I've tried to start Elasticsearch and failed.I've checked the logs and got the following error: [...][WARN ][o.e.b.JNANatives ] unable to install syscall filter: java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP…
raven99
  • 1,341
  • 4
  • 13
  • 28
8
votes
2 answers

How to use seccomp filter with ebpf?

I'm looking for an example of eBPF to write a seccomp filter, but I can't find none. Could someone tell me if is possible to use eBPF to write seccomp filter?
Maicake
  • 1,046
  • 10
  • 34
8
votes
1 answer

Sandboxing for online judges

I developed a Linux application that runs untrusted code received from users (contestants). More specifically, the application is an online judge, which is something like UVa OJ, SPOJ and Codeforces, but mainly like BOCA Online Contest…
matheuscscp
  • 827
  • 7
  • 23
8
votes
1 answer

How does seccomp-bpf filter syscalls?

I'm investigating the implementation detail of seccomp-bpf, the syscall filtration mechanism that was introduced into Linux since version 3.5. I looked into the source code of kernel/seccomp.c from Linux 3.10 and want to ask some questions about…
user2875834
8
votes
2 answers

Is there seccomp analogue for Windows

Is there something like seccomp that works on Windows? It should limit all syscalls to some very limited set, like only reading and writing to already opened files. The one described as sandbox for Chromium does not look like Seccomp, as it is based…
Vi.
  • 37,014
  • 18
  • 93
  • 148
7
votes
2 answers

How to seccomp a subprocess?

I'd like to use execvp to create a subprocess and seccomp it (only give it read and write permission, without open). In order to achieve that, I must call seccomp functions before execvp (which also calls open), and thus I should give myself execvp…
t123yh
  • 657
  • 2
  • 7
  • 18
6
votes
1 answer

Docker seccomp error after upgrade from debian 8 to debian 9

The following error occurs during docker run and docker build after upgrading from Debian 8 to Debian 9: ERROR: Service 'etherpad' failed to build: OCI runtime create failed: container_linux.go:344: starting container process caused "error loading…
aljoshare
  • 792
  • 9
  • 16
6
votes
1 answer

How to use BPF to filter kernel function arguments?

How to use the Berkeley Packet Filter (BPF) to filter function arguments in kernel? The function should be any non-inline functions, rather than only system calls. Also, it is better that the pointers in function arguments can be dereferenced for…
WindChaser
  • 960
  • 1
  • 10
  • 30
6
votes
1 answer

Restrict system calls inside docker container

How can I restrict any system call made inside a docker container. If the given process makes a system call it will be blocked. Or how can I use seccomp with docker.
Neetesh
  • 71
  • 2
  • 6
6
votes
3 answers

SECCOMP: How to emulate malloc, realloc and free?

I would like to execute arbitrary (potentially dangerous) binaries on my server. Therefore, I have used objcopy to rename the "main" symbol to "other_main" so that I could link in my own small main function that sets an appropriate value for…
tux21b
  • 90,183
  • 16
  • 117
  • 101
5
votes
4 answers

After a few days, I can no longer start Puppeteer until I restart the server

Puppeteer version: 10.2.0 Platform / OS version: Ubuntu 20.04.3 LTS aarch64 Node.js version: v.14.17.6 Happens on any URL. This is my test script: bug.hr/homepage.js const puppeteer = require('puppeteer-extra'); (async () => { const eventPage…
The Onin
  • 5,068
  • 2
  • 38
  • 55
4
votes
1 answer

Getting "Bad System Call" working with seccomp filters

I have just started learning about seccomp filters and I am using libseccomp v2.4.4. I tried to write a basic whitelisting filter that will only allow writing to the file named file1 but I am getting a "Bad system call" message in STDOUT. Here is my…
Shubham Johri
  • 169
  • 8
4
votes
1 answer

Is it possible to apply a Linux kernel SECCOMP profile from a Go process?

I am trying to implement an system call tracer with the support of kernel SECCOMP filters to reduce the overhead by filtering a few syscall types. All the implementations I have found are in C, I am not able to figure how to map it to Go due to the…
João Pinto
  • 5,521
  • 5
  • 21
  • 35
1
2 3 4 5 6 7