1SECCOMP(2)                 Linux Programmer's Manual                SECCOMP(2)
2
3
4

NAME

6       seccomp - operate on Secure Computing state of the process
7

SYNOPSIS

9       #include <linux/seccomp.h>
10       #include <linux/filter.h>
11       #include <linux/audit.h>
12       #include <linux/signal.h>
13       #include <sys/ptrace.h>
14
15       int seccomp(unsigned int operation, unsigned int flags, void *args);
16

DESCRIPTION

18       The  seccomp()  system  call operates on the Secure Computing (seccomp)
19       state of the calling process.
20
21       Currently, Linux supports the following operation values:
22
23       SECCOMP_SET_MODE_STRICT
24              The only system calls that the calling thread  is  permitted  to
25              make  are  read(2),  write(2), _exit(2) (but not exit_group(2)),
26              and sigreturn(2).  Other system calls result in the delivery  of
27              a  SIGKILL  signal.   Strict secure computing mode is useful for
28              number-crunching applications that may need to execute untrusted
29              byte code, perhaps obtained by reading from a pipe or socket.
30
31              Note  that  although  the calling thread can no longer call sig‐
32              procmask(2), it can use sigreturn(2) to block all signals  apart
33              from  SIGKILL  and SIGSTOP.  This means that alarm(2) (for exam‐
34              ple) is not sufficient for restricting the  process's  execution
35              time.   Instead, to reliably terminate the process, SIGKILL must
36              be used.   This  can  be  done  by  using  timer_create(2)  with
37              SIGEV_SIGNAL  and  sigev_signo set to SIGKILL, or by using setr‐
38              limit(2) to set the hard limit for RLIMIT_CPU.
39
40              This operation is available only if  the  kernel  is  configured
41              with CONFIG_SECCOMP enabled.
42
43              The value of flags must be 0, and args must be NULL.
44
45              This operation is functionally identical to the call:
46
47                  prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
48
49       SECCOMP_SET_MODE_FILTER
50              The  system calls allowed are defined by a pointer to a Berkeley
51              Packet Filter (BPF) passed via args.  This argument is a pointer
52              to  a  struct sock_fprog; it can be designed to filter arbitrary
53              system calls and  system  call  arguments.   If  the  filter  is
54              invalid, seccomp() fails, returning EINVAL in errno.
55
56              If  fork(2) or clone(2) is allowed by the filter, any child pro‐
57              cesses will be constrained to the same system  call  filters  as
58              the  parent.  If execve(2) is allowed, the existing filters will
59              be preserved across a call to execve(2).
60
61              In order to use the  SECCOMP_SET_MODE_FILTER  operation,  either
62              the  caller  must  have the CAP_SYS_ADMIN capability in its user
63              namespace, or the thread must already have the no_new_privs  bit
64              set.   If  that  bit  was not already set by an ancestor of this
65              thread, the thread must make the following call:
66
67                  prctl(PR_SET_NO_NEW_PRIVS, 1);
68
69              Otherwise,  the  SECCOMP_SET_MODE_FILTER  operation  fails   and
70              returns  EACCES  in  errno.   This  requirement  ensures that an
71              unprivileged process cannot apply a malicious  filter  and  then
72              invoke   a   set-user-ID   or  other  privileged  program  using
73              execve(2), thus potentially compromising that program.  (Such  a
74              malicious  filter  might,  for  example, cause an attempt to use
75              setuid(2) to set the caller's user  IDs  to  nonzero  values  to
76              instead return 0 without actually making the system call.  Thus,
77              the program might be tricked into retaining superuser privileges
78              in circumstances where it is possible to influence it to do dan‐
79              gerous things because it did not actually drop privileges.)
80
81              If prctl(2) or seccomp() is allowed by the attached filter, fur‐
82              ther  filters may be added.  This will increase evaluation time,
83              but allows for further reduction of the  attack  surface  during
84              execution of a thread.
85
86              The  SECCOMP_SET_MODE_FILTER  operation is available only if the
87              kernel is configured with CONFIG_SECCOMP_FILTER enabled.
88
89              When flags is 0, this operation is functionally identical to the
90              call:
91
92                  prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);
93
94              The recognized flags are:
95
96              SECCOMP_FILTER_FLAG_TSYNC
97                     When  adding  a new filter, synchronize all other threads
98                     of the calling process to the same seccomp  filter  tree.
99                     A  "filter  tree" is the ordered list of filters attached
100                     to a thread.  (Attaching identical  filters  in  separate
101                     seccomp()  calls  results  in different filters from this
102                     perspective.)
103
104                     If any thread cannot synchronize to the same filter tree,
105                     the call will not attach the new seccomp filter, and will
106                     fail, returning the first thread  ID  found  that  cannot
107                     synchronize.  Synchronization will fail if another thread
108                     in the same process is in SECCOMP_MODE_STRICT  or  if  it
109                     has  attached  new  seccomp  filters to itself, diverging
110                     from the calling thread's filter tree.
111
112              SECCOMP_FILTER_FLAG_LOG (since Linux 4.14)
113                     All filter return actions except SECCOMP_RET_ALLOW should
114                     be  logged.   An  administrator  may override this filter
115                     flag by preventing specific actions from being logged via
116                     the /proc/sys/kernel/seccomp/actions_logged file.
117
118       SECCOMP_GET_ACTION_AVAIL (since Linux 4.14)
119              Test to see if an action is supported by the kernel.  This oper‐
120              ation is helpful to confirm that the  kernel  knows  of  a  more
121              recently  added filter return action since the kernel treats all
122              unknown actions as SECCOMP_RET_KILL_PROCESS.
123
124              The value of flags must be 0, and args must be a pointer  to  an
125              unsigned 32-bit filter return action.
126
127   Filters
128       When  adding filters via SECCOMP_SET_MODE_FILTER, args points to a fil‐
129       ter program:
130
131           struct sock_fprog {
132               unsigned short      len;    /* Number of BPF instructions */
133               struct sock_filter *filter; /* Pointer to array of
134                                              BPF instructions */
135           };
136
137       Each program must contain one or more BPF instructions:
138
139           struct sock_filter {            /* Filter block */
140               __u16 code;                 /* Actual filter code */
141               __u8  jt;                   /* Jump true */
142               __u8  jf;                   /* Jump false */
143               __u32 k;                    /* Generic multiuse field */
144           };
145
146       When executing the instructions, the BPF program operates on the system
147       call information made available (i.e., use the BPF_ABS addressing mode)
148       as a (read-only) buffer of the following form:
149
150           struct seccomp_data {
151               int   nr;                   /* System call number */
152               __u32 arch;                 /* AUDIT_ARCH_* value
153                                              (see <linux/audit.h>) */
154               __u64 instruction_pointer;  /* CPU instruction pointer */
155               __u64 args[6];              /* Up to 6 system call arguments */
156           };
157
158       Because numbering of system calls varies between architectures and some
159       architectures  (e.g.,  x86-64) allow user-space code to use the calling
160       conventions of multiple architectures (and the  convention  being  used
161       may  vary  over  the  life  of a process that uses execve(2) to execute
162       binaries that employ the different conventions), it is  usually  neces‐
163       sary to verify the value of the arch field.
164
165       It is strongly recommended to use a whitelisting approach whenever pos‐
166       sible because such an approach is more robust and simple.  A  blacklist
167       will have to be updated whenever a potentially dangerous system call is
168       added (or a dangerous flag or option if those are blacklisted), and  it
169       is often possible to alter the representation of a value without alter‐
170       ing its meaning, leading to  a  blacklist  bypass.   See  also  Caveats
171       below.
172
173       The  arch  field is not unique for all calling conventions.  The x86-64
174       ABI and the x32 ABI both use AUDIT_ARCH_X86_64 as arch, and they run on
175       the  same  processors.   Instead, the mask __X32_SYSCALL_BIT is used on
176       the system call number to tell the two ABIs apart.
177
178       This means that in order to create a seccomp-based blacklist for system
179       calls  performed  through  the  x86-64 ABI, it is necessary to not only
180       check that arch equals AUDIT_ARCH_X86_64, but also to explicitly reject
181       all system calls that contain __X32_SYSCALL_BIT in nr.
182
183       The  instruction_pointer field provides the address of the machine-lan‐
184       guage instruction that performed the system call.  This might be useful
185       in conjunction with the use of /proc/[pid]/maps to perform checks based
186       on which region (mapping) of the program made the system call.  (Proba‐
187       bly,  it  is wise to lock down the mmap(2) and mprotect(2) system calls
188       to prevent the program from subverting such checks.)
189
190       When checking values from args against a blacklist, keep in  mind  that
191       arguments  are  often  silently  truncated  before being processed, but
192       after the seccomp check.  For example, this happens if the i386 ABI  is
193       used  on  an  x86-64 kernel: although the kernel will normally not look
194       beyond the 32 lowest bits of the arguments,  the  values  of  the  full
195       64-bit  registers will be present in the seccomp data.  A less surpris‐
196       ing example is that if the x86-64 ABI is used to perform a system  call
197       that  takes  an  argument of type int, the more-significant half of the
198       argument register is ignored by the system call,  but  visible  in  the
199       seccomp data.
200
201       A  seccomp  filter  returns a 32-bit value consisting of two parts: the
202       most significant 16 bits (corresponding to the mask defined by the con‐
203       stant  SECCOMP_RET_ACTION_FULL)  contain  one  of  the  "action" values
204       listed below; the least significant 16-bits (defined  by  the  constant
205       SECCOMP_RET_DATA) are "data" to be associated with this return value.
206
207       If  multiple  filters exist, they are all executed, in reverse order of
208       their addition to the filter tree—that is, the most recently  installed
209       filter  is  executed first.  (Note that all filters will be called even
210       if one of the earlier filters returns SECCOMP_RET_KILL.  This  is  done
211       to  simplify the kernel code and to provide a tiny speed-up in the exe‐
212       cution of sets of filters by avoiding a check for this uncommon  case.)
213       The  return  value  for  the  evaluation  of a given system call is the
214       first-seen action value of highest precedence (along with its  accompa‐
215       nying data) returned by execution of all of the filters.
216
217       In  decreasing  order  of  precedence,  the  action  values that may be
218       returned by a seccomp filter are:
219
220       SECCOMP_RET_KILL_PROCESS (since Linux 4.14)
221              This value results in immediate termination of the process, with
222              a core dump.  The system call is not executed.  By contrast with
223              SECCOMP_RET_KILL_THREAD below, all threads in the  thread  group
224              are  terminated.   (For  a  discussion of thread groups, see the
225              description of the CLONE_THREAD flag in clone(2).)
226
227              The process terminates as though  killed  by  a  SIGSYS  signal.
228              Even  if  a  signal  handler has been registered for SIGSYS, the
229              handler will be ignored in this case and the process always ter‐
230              minates.   To  a  parent process that is waiting on this process
231              (using waitpid(2) or similar), the returned wstatus  will  indi‐
232              cate that its child was terminated as though by a SIGSYS signal.
233
234       SECCOMP_RET_KILL_THREAD (or SECCOMP_RET_KILL)
235              This  value  results in immediate termination of the thread that
236              made the system call.  The system call is not  executed.   Other
237              threads in the same thread group will continue to execute.
238
239              The  thread terminates as though killed by a SIGSYS signal.  See
240              SECCOMP_RET_KILL_PROCESS above.
241
242              Before Linux 4.11, any process terminated in this way would  not
243              trigger  a  coredump  (even  though SIGSYS is documented in sig‐
244              nal(7) as having a default action of  termination  with  a  core
245              dump).   Since  Linux  4.11, a single-threaded process will dump
246              core if terminated in this way.
247
248              With the addition of  SECCOMP_RET_KILL_PROCESS  in  Linux  4.14,
249              SECCOMP_RET_KILL_THREAD   was   added  as  a  synonym  for  SEC‐
250              COMP_RET_KILL, in order to  more  clearly  distinguish  the  two
251              actions.
252
253       SECCOMP_RET_TRAP
254              This  value  results  in  the  kernel  sending a thread-directed
255              SIGSYS signal to the triggering thread.  (The system call is not
256              executed.)   Various  fields will be set in the siginfo_t struc‐
257              ture (see sigaction(2)) associated with signal:
258
259              *  si_signo will contain SIGSYS.
260
261              *  si_call_addr  will  show  the  address  of  the  system  call
262                 instruction.
263
264              *  si_syscall  and  si_arch  will indicate which system call was
265                 attempted.
266
267              *  si_code will contain SYS_SECCOMP.
268
269              *  si_errno will contain the  SECCOMP_RET_DATA  portion  of  the
270                 filter return value.
271
272              The  program  counter will be as though the system call happened
273              (i.e., the program counter will not point  to  the  system  call
274              instruction).   The return value register will contain an archi‐
275              tecture-dependent value; if resuming execution, set it to  some‐
276              thing appropriate for the system call.  (The architecture depen‐
277              dency is because replacing it with ENOSYS could  overwrite  some
278              useful information.)
279
280       SECCOMP_RET_ERRNO
281              This  value  results in the SECCOMP_RET_DATA portion of the fil‐
282              ter's return value being passed to user space as the errno value
283              without executing the system call.
284
285       SECCOMP_RET_TRACE
286              When  returned,  this  value will cause the kernel to attempt to
287              notify a ptrace(2)-based tracer prior to  executing  the  system
288              call.   If  there  is  no tracer present, the system call is not
289              executed and returns a failure status with errno set to ENOSYS.
290
291              A tracer will be notified if it  requests  PTRACE_O_TRACESECCOMP
292              using ptrace(PTRACE_SETOPTIONS).  The tracer will be notified of
293              a PTRACE_EVENT_SECCOMP and the SECCOMP_RET_DATA portion  of  the
294              filter's  return  value  will  be  available  to  the tracer via
295              PTRACE_GETEVENTMSG.
296
297              The tracer can skip the system call by changing the system  call
298              number  to  -1.  Alternatively, the tracer can change the system
299              call requested by changing the system call  to  a  valid  system
300              call  number.   If the tracer asks to skip the system call, then
301              the system call will appear to return the value that the  tracer
302              puts in the return value register.
303
304              Before kernel 4.8, the seccomp check will not be run again after
305              the tracer is notified.  (This means  that,  on  older  kernels,
306              seccomp-based  sandboxes must not allow use of ptrace(2)—even of
307              other sandboxed processes—without extreme care; ptracers can use
308              this mechanism to escape from the seccomp sandbox.)
309
310       SECCOMP_RET_LOG (since Linux 4.14)
311              This  value  results in the system call being executed after the
312              filter return action is logged.  An administrator  may  override
313              the   logging  of  this  action  via  the  /proc/sys/kernel/sec‐
314              comp/actions_logged file.
315
316       SECCOMP_RET_ALLOW
317              This value results in the system call being executed.
318
319       If an action value other than one of the above is specified,  then  the
320       filter  action  is  treated  as  either SECCOMP_RET_KILL_PROCESS (since
321       Linux 4.14) or SECCOMP_RET_KILL_THREAD (in Linux 4.13 and earlier).
322
323   /proc interfaces
324       The files in the directory /proc/sys/kernel/seccomp provide  additional
325       seccomp information and configuration:
326
327       actions_avail (since Linux 4.14)
328              A  read-only  ordered  list  of seccomp filter return actions in
329              string form.  The ordering, from left-to-right, is in decreasing
330              order  of  precedence.   The  list represents the set of seccomp
331              filter return actions supported by the kernel.
332
333       actions_logged (since Linux 4.14)
334              A read-write ordered list of seccomp filter return actions  that
335              are  allowed to be logged.  Writes to the file do not need to be
336              in ordered form but reads from the file will be ordered  in  the
337              same way as the actions_avail file.
338
339              It  is  important  to note that the value of actions_logged does
340              not prevent certain filter return actions from being logged when
341              the  audit  subsystem  is  configured  to  audit a task.  If the
342              action is not found in the actions_logged file, the final  deci‐
343              sion  on whether to audit the action for that task is ultimately
344              left up to the audit subsystem to decide for all  filter  return
345              actions other than SECCOMP_RET_ALLOW.
346
347              The "allow" string is not accepted in the actions_logged file as
348              it is not possible to log SECCOMP_RET_ALLOW actions.  Attempting
349              to write "allow" to the file will fail with the error EINVAL.
350
351   Audit logging of seccomp actions
352       Since  Linux  4.14, the kernel provides the facility to log the actions
353       returned by seccomp filters in the audit log.   The  kernel  makes  the
354       decision to log an action based on the action type,  whether or not the
355       action is present in the actions_logged file, and whether kernel audit‐
356       ing  is  enabled (e.g., via the kernel boot option audit=1).  The rules
357       are as follows:
358
359       *  If the action is SECCOMP_RET_ALLOW, the action is not logged.
360
361       *  Otherwise, if the action is either SECCOMP_RET_KILL_PROCESS or  SEC‐
362          COMP_RET_KILL_THREAD,  and that action appears in the actions_logged
363          file, the action is logged.
364
365       *  Otherwise, if the filter has  requested  logging  (the  SECCOMP_FIL‐
366          TER_FLAG_LOG  flag)  and  the  action  appears in the actions_logged
367          file, the action is logged.
368
369       *  Otherwise, if kernel auditing is enabled and the  process  is  being
370          audited (autrace(8)), the action is logged.
371
372       *  Otherwise, the action is not logged.
373

RETURN VALUE

375       On   success,   seccomp()   returns   0.   On  error,  if  SECCOMP_FIL‐
376       TER_FLAG_TSYNC was used, the return value is the ID of the thread  that
377       caused  the synchronization failure.  (This ID is a kernel thread ID of
378       the type returned by clone(2) and gettid(2).)  On other errors,  -1  is
379       returned, and errno is set to indicate the cause of the error.
380

ERRORS

382       seccomp() can fail for the following reasons:
383
384       EACCESS
385              The caller did not have the CAP_SYS_ADMIN capability in its user
386              namespace,  or  had  not  set  no_new_privs  before  using  SEC‐
387              COMP_SET_MODE_FILTER.
388
389       EFAULT args was not a valid address.
390
391       EINVAL operation  is unknown or is not supported by this kernel version
392              or configuration.
393
394       EINVAL The specified flags are invalid for the given operation.
395
396       EINVAL operation included BPF_ABS, but the  specified  offset  was  not
397              aligned  to  a  32-bit  boundary  or exceeded sizeof(struct sec‐
398              comp_data).
399
400       EINVAL A secure computing mode has already been set, and operation dif‐
401              fers from the existing setting.
402
403       EINVAL operation specified SECCOMP_SET_MODE_FILTER, but the filter pro‐
404              gram pointed to by args was not valid or the length of the  fil‐
405              ter  program  was  zero or exceeded BPF_MAXINSNS (4096) instruc‐
406              tions.
407
408       ENOMEM Out of memory.
409
410       ENOMEM The total length of all filter programs attached to the  calling
411              thread  would  exceed  MAX_INSNS_PER_PATH  (32768) instructions.
412              Note that for the  purposes  of  calculating  this  limit,  each
413              already  existing filter program incurs an overhead penalty of 4
414              instructions.
415
416       EOPNOTSUPP
417              operation specified  SECCOMP_GET_ACTION_AVAIL,  but  the  kernel
418              does not support the filter return action specified by args.
419
420       ESRCH  Another  thread  caused a failure during thread sync, but its ID
421              could not be determined.
422

VERSIONS

424       The seccomp() system call first appeared in Linux 3.17.
425

CONFORMING TO

427       The seccomp() system call is a nonstandard Linux extension.
428

NOTES

430       Rather than hand-coding seccomp filters as shown in the example  below,
431       you  may  prefer  to  employ  the  libseccomp library, which provides a
432       front-end for generating seccomp filters.
433
434       The Seccomp field of the /proc/[pid]/status file provides a  method  of
435       viewing the seccomp mode of a process; see proc(5).
436
437       seccomp()  provides  a  superset  of  the functionality provided by the
438       prctl(2) PR_SET_SECCOMP operation (which does not support flags).
439
440       Since Linux 4.4, the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation  can
441       be used to dump a process's seccomp filters.
442
443   Architecture support for seccomp BPF
444       Architecture support for seccomp BPF filtering is available on the fol‐
445       lowing architectures:
446
447       *  x86-64, i386, x32 (since Linux 3.5)
448       *  ARM (since Linux 3.8)
449       *  s390 (since Linux 3.8)
450       *  MIPS (since Linux 3.16)
451       *  ARM-64 (since Linux 3.19)
452       *  PowerPC (since Linux 4.3)
453       *  Tile (since Linux 4.3)
454       *  PA-RISC (since Linux 4.6)
455
456   Caveats
457       There are various subtleties to consider when applying seccomp  filters
458       to a program, including the following:
459
460       *  Some traditional system calls have user-space implementations in the
461          vdso(7) on many architectures.  Notable examples include  clock_get‐
462          time(2),  gettimeofday(2), and time(2).  On such architectures, sec‐
463          comp filtering for these system calls will have  no  effect.   (How‐
464          ever,  there  are  cases  where the vdso(7) implementations may fall
465          back to invoking the true system call, in which case seccomp filters
466          would see the system call.)
467
468       *  Seccomp  filtering is based on system call numbers.  However, appli‐
469          cations typically do not directly invoke system calls,  but  instead
470          call  wrapper  functions  in  the C library which in turn invoke the
471          system calls.  Consequently, one must be aware of the following:
472
473          ·  The glibc wrappers for some traditional system calls may actually
474             employ  system  calls  with  different  names in the kernel.  For
475             example,  the  exit(2)  wrapper  function  actually  employs  the
476             exit_group(2) system call, and the fork(2) wrapper function actu‐
477             ally calls clone(2).
478
479          ·  The behavior of wrapper functions may vary across  architectures,
480             according  to  the range of system calls provided on those archi‐
481             tectures.  In other words, the same wrapper function  may  invoke
482             different system calls on different architectures.
483
484          ·  Finally,  the  behavior  of  wrapper  functions can change across
485             glibc versions.  For example, in older versions, the glibc  wrap‐
486             per  function  for  open(2)  invoked  the system call of the same
487             name, but starting in glibc 2.26, the implementation switched  to
488             calling openat(2) on all architectures.
489
490       The consequence of the above points is that it may be necessary to fil‐
491       ter for a system call other than might  be  expected.   Various  manual
492       pages  in  Section  2  provide  helpful  details  about the differences
493       between wrapper functions and the underlying system  calls  in  subsec‐
494       tions entitled C library/kernel differences.
495
496       Furthermore,  note  that  the application of seccomp filters even risks
497       causing bugs in an application, when the filters cause unexpected fail‐
498       ures  for legitimate operations that the application might need to per‐
499       form.  Such bugs may not easily be discovered when testing the  seccomp
500       filters if the bugs occur in rarely used application code paths.
501
502   Seccomp-specific BPF details
503       Note the following BPF details specific to seccomp filters:
504
505       *  The BPF_H and BPF_B size modifiers are not supported: all operations
506          must load and store (4-byte) words (BPF_W).
507
508       *  To access the contents of the seccomp_data buffer, use  the  BPF_ABS
509          addressing mode modifier.
510
511       *  The  BPF_LEN addressing mode modifier yields an immediate mode oper‐
512          and whose value is the size of the seccomp_data buffer.
513

EXAMPLE

515       The program below accepts four or  more  arguments.   The  first  three
516       arguments  are a system call number, a numeric architecture identifier,
517       and an error number.  The program uses these values to construct a  BPF
518       filter that is used at run time to perform the following checks:
519
520       [1] If  the  program  is not running on the specified architecture, the
521           BPF filter causes system calls to fail with the error ENOSYS.
522
523       [2] If the program attempts to execute the system call with the  speci‐
524           fied  number,  the  BPF filter causes the system call to fail, with
525           errno being set to the specified error number.
526
527       The remaining command-line arguments specify  the  pathname  and  addi‐
528       tional  arguments  of a program that the example program should attempt
529       to  execute  using  execv(3)  (a  library  function  that  employs  the
530       execve(2)  system  call).   Some  example runs of the program are shown
531       below.
532
533       First, we display the architecture that we are running on (x86-64)  and
534       then  construct  a  shell function that looks up system call numbers on
535       this architecture:
536
537           $ uname -m
538           x86_64
539           $ syscall_nr() {
540               cat /usr/src/linux/arch/x86/syscalls/syscall_64.tbl | \
541               awk '$2 != "x32" && $3 == "'$1'" { print $1 }'
542           }
543
544       When the BPF filter rejects a system call (case [2] above),  it  causes
545       the  system call to fail with the error number specified on the command
546       line.  In the experiments shown here, we'll use error number 99:
547
548           $ errno 99
549           EADDRNOTAVAIL 99 Cannot assign requested address
550
551       In the following example, we attempt to run the command whoami(1),  but
552       the  BPF  filter rejects the execve(2) system call, so that the command
553       is not even executed:
554
555           $ syscall_nr execve
556           59
557           $ ./a.out
558           Usage: ./a.out <syscall_nr> <arch> <errno> <prog> [<args>]
559           Hint for <arch>: AUDIT_ARCH_I386: 0x40000003
560                            AUDIT_ARCH_X86_64: 0xC000003E
561           $ ./a.out 59 0xC000003E 99 /bin/whoami
562           execv: Cannot assign requested address
563
564       In the next example, the BPF filter rejects the write(2)  system  call,
565       so  that, although it is successfully started, the whoami(1) command is
566       not able to write output:
567
568           $ syscall_nr write
569           1
570           $ ./a.out 1 0xC000003E 99 /bin/whoami
571
572       In the final example, the BPF filter rejects a system call that is  not
573       used  by  the  whoami(1) command, so it is able to successfully execute
574       and produce output:
575
576           $ syscall_nr preadv
577           295
578           $ ./a.out 295 0xC000003E 99 /bin/whoami
579           cecilia
580
581   Program source
582       #include <errno.h>
583       #include <stddef.h>
584       #include <stdio.h>
585       #include <stdlib.h>
586       #include <unistd.h>
587       #include <linux/audit.h>
588       #include <linux/filter.h>
589       #include <linux/seccomp.h>
590       #include <sys/prctl.h>
591
592       #define X32_SYSCALL_BIT 0x40000000
593
594       static int
595       install_filter(int syscall_nr, int t_arch, int f_errno)
596       {
597           unsigned int upper_nr_limit = 0xffffffff;
598
599           /* Assume that AUDIT_ARCH_X86_64 means the normal x86-64 ABI
600              (in the x32 ABI, all system calls have bit 30 set in the
601              'nr' field, meaning the numbers are >= X32_SYSCALL_BIT) */
602           if (t_arch == AUDIT_ARCH_X86_64)
603               upper_nr_limit = X32_SYSCALL_BIT - 1;
604
605           struct sock_filter filter[] = {
606               /* [0] Load architecture from 'seccomp_data' buffer into
607                      accumulator */
608               BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
609                        (offsetof(struct seccomp_data, arch))),
610
611               /* [1] Jump forward 5 instructions if architecture does not
612                      match 't_arch' */
613               BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 5),
614
615               /* [2] Load system call number from 'seccomp_data' buffer into
616                      accumulator */
617               BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
618                        (offsetof(struct seccomp_data, nr))),
619
620               /* [3] Check ABI - only needed for x86-64 in blacklist use
621                      cases.  Use BPF_JGT instead of checking against the bit
622                      mask to avoid having to reload the syscall number. */
623               BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),
624
625               /* [4] Jump forward 1 instruction if system call number
626                      does not match 'syscall_nr' */
627               BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),
628
629               /* [5] Matching architecture and system call: don't execute
630                   the system call, and return 'f_errno' in 'errno' */
631               BPF_STMT(BPF_RET | BPF_K,
632                        SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),
633
634               /* [6] Destination of system call number mismatch: allow other
635                      system calls */
636               BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
637
638               /* [7] Destination of architecture mismatch: kill task */
639               BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
640           };
641
642           struct sock_fprog prog = {
643               .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
644               .filter = filter,
645           };
646
647           if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
648               perror("seccomp");
649               return 1;
650           }
651
652           return 0;
653       }
654
655       int
656       main(int argc, char **argv)
657       {
658           if (argc < 5) {
659               fprintf(stderr, "Usage: "
660                       "%s <syscall_nr> <arch> <errno> <prog> [<args>]\n"
661                       "Hint for <arch>: AUDIT_ARCH_I386: 0x%X\n"
662                       "                 AUDIT_ARCH_X86_64: 0x%X\n"
663                       "\n", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);
664               exit(EXIT_FAILURE);
665           }
666
667           if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
668               perror("prctl");
669               exit(EXIT_FAILURE);
670           }
671
672           if (install_filter(strtol(argv[1], NULL, 0),
673                              strtol(argv[2], NULL, 0),
674                              strtol(argv[3], NULL, 0)))
675               exit(EXIT_FAILURE);
676
677           execv(argv[4], &argv[4]);
678           perror("execv");
679           exit(EXIT_FAILURE);
680       }
681

SEE ALSO

683       strace(1), bpf(2), prctl(2),  ptrace(2),  sigaction(2),  proc(5),  sig‐
684       nal(7), socket(7)
685
686       Various    pages    from    the    libseccomp    library,    including:
687       scmp_sys_resolver(1),    seccomp_init(3),     seccomp_load(3),     sec‐
688       comp_rule_add(3), and seccomp_export_bpf(3).
689
690       The  kernel  source files Documentation/networking/filter.txt and Docu‐
691       mentation/userspace-api/seccomp_filter.rst (or Documentation/prctl/sec‐
692       comp_filter.txt before Linux 4.13).
693
694       McCanne, S. and Jacobson, V. (1992) The BSD Packet Filter: A New Archi‐
695       tecture for User-level Packet Capture, Proceedings of the USENIX Winter
696       1993 Conference ⟨http://www.tcpdump.org/papers/bpf-usenix93.pdf
697

COLOPHON

699       This  page  is  part of release 4.16 of the Linux man-pages project.  A
700       description of the project, information about reporting bugs,  and  the
701       latest     version     of     this    page,    can    be    found    at
702       https://www.kernel.org/doc/man-pages/.
703
704
705
706Linux                             2018-02-02                        SECCOMP(2)
Impressum