Kornel
Reputation: 100170
How can I find all syscalls that have to be whitelisted for seccomp?
I have an existing program that I would like to sandbox using seccomp (v2).
How can I find what seccomp rules I need to allow for the program?
I've tried adding seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(…), 0) for all syscalls printed by strace -xfc a.out, but apparently that wasn't enough, since I'm still getting "SIGSYS, Bad system call" when I run the program with seccomp.
Upvotes: 2
Views: 967
Answers (1)
o11c
Reputation: 16136
Probably the most reliable way is to switch your seccomp filter to return SECCOMP_RET_TRAP ("send catchable SIGSYS on error") rather than SECCOMP_RET_KILL ("kill the process with an uncatchable SIGSYS"), then print the siginfo_t from the signal handler, then commit suicide.
Upvotes: 3
Related Questions
- How can I dump the seccomp filters installed while running the application?
- How to write a seccomp BPF program to filter the system call instruction pointer
- How to bypass seccomp in linux
- seccomp system call priority values 65535
- how to use seccomp_release libseccomp?
- implicit reference to seccomp
- Find syscalls whitelisted by seccomp
- why seccomp ban my normal system call
- How does seccomp-bpf filter syscalls?
- seccomp-bpf - how can i use bpf to filter the arguments of a system call?