seccomp(2)

1SECCOMP(2)                 Linux Programmer's Manual                SECCOMP(2)
2
3
4

NAME

6       seccomp - operate on Secure Computing state of the process
7

SYNOPSIS

9       #include <linux/seccomp.h>
10       #include <linux/filter.h>
11       #include <linux/audit.h>
12       #include <linux/signal.h>
13       #include <sys/ptrace.h>
14
15       int seccomp(unsigned int operation, unsigned int flags, void *args);
16

DESCRIPTION

18       The  seccomp()  system  call operates on the Secure Computing (seccomp)
19       state of the calling process.
20
21       Currently, Linux supports the following operation values:
22
23       SECCOMP_SET_MODE_STRICT
24              The only system calls that the calling thread  is  permitted  to
25              make  are  read(2),  write(2), _exit(2) (but not exit_group(2)),
26              and sigreturn(2).  Other system calls result in the delivery  of
27              a  SIGKILL  signal.   Strict secure computing mode is useful for
28              number-crunching applications that may need to execute untrusted
29              byte code, perhaps obtained by reading from a pipe or socket.
30
31              Note  that  although  the calling thread can no longer call sig‐
32              procmask(2), it can use sigreturn(2) to block all signals  apart
33              from  SIGKILL  and SIGSTOP.  This means that alarm(2) (for exam‐
34              ple) is not sufficient for restricting the  process's  execution
35              time.   Instead, to reliably terminate the process, SIGKILL must
36              be used.   This  can  be  done  by  using  timer_create(2)  with
37              SIGEV_SIGNAL  and  sigev_signo set to SIGKILL, or by using setr‐
38              limit(2) to set the hard limit for RLIMIT_CPU.
39
40              This operation is available only if  the  kernel  is  configured
41              with CONFIG_SECCOMP enabled.
42
43              The value of flags must be 0, and args must be NULL.
44
45              This operation is functionally identical to the call:
46
47                  prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
48
49       SECCOMP_SET_MODE_FILTER
50              The  system calls allowed are defined by a pointer to a Berkeley
51              Packet Filter (BPF) passed via args.  This argument is a pointer
52              to  a  struct sock_fprog; it can be designed to filter arbitrary
53              system calls and  system  call  arguments.   If  the  filter  is
54              invalid, seccomp() fails, returning EINVAL in errno.
55
56              If  fork(2) or clone(2) is allowed by the filter, any child pro‐
57              cesses will be constrained to the same system  call  filters  as
58              the  parent.  If execve(2) is allowed, the existing filters will
59              be preserved across a call to execve(2).
60
61              In order to use the  SECCOMP_SET_MODE_FILTER  operation,  either
62              the  caller  must  have the CAP_SYS_ADMIN capability in its user
63              namespace, or the thread must already have the no_new_privs  bit
64              set.   If  that  bit  was not already set by an ancestor of this
65              thread, the thread must make the following call:
66
67                  prctl(PR_SET_NO_NEW_PRIVS, 1);
68
69              Otherwise,  the  SECCOMP_SET_MODE_FILTER  operation  fails   and
70              returns  EACCES  in  errno.   This  requirement  ensures that an
71              unprivileged process cannot apply a malicious  filter  and  then
72              invoke   a   set-user-ID   or  other  privileged  program  using
73              execve(2), thus potentially compromising that program.  (Such  a
74              malicious  filter  might,  for  example, cause an attempt to use
75              setuid(2) to set the caller's user  IDs  to  nonzero  values  to
76              instead return 0 without actually making the system call.  Thus,
77              the program might be tricked into retaining superuser privileges
78              in circumstances where it is possible to influence it to do dan‐
79              gerous things because it did not actually drop privileges.)
80
81              If prctl(2) or seccomp() is allowed by the attached filter, fur‐
82              ther  filters may be added.  This will increase evaluation time,
83              but allows for further reduction of the  attack  surface  during
84              execution of a thread.
85
86              The  SECCOMP_SET_MODE_FILTER  operation is available only if the
87              kernel is configured with CONFIG_SECCOMP_FILTER enabled.
88
89              When flags is 0, this operation is functionally identical to the
90              call:
91
92                  prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, args);
93
94              The recognized flags are:
95
96              SECCOMP_FILTER_FLAG_TSYNC
97                     When  adding  a new filter, synchronize all other threads
98                     of the calling process to the same seccomp  filter  tree.
99                     A  "filter  tree" is the ordered list of filters attached
100                     to a thread.  (Attaching identical  filters  in  separate
101                     seccomp()  calls  results  in different filters from this
102                     perspective.)
103
104                     If any thread cannot synchronize to the same filter tree,
105                     the call will not attach the new seccomp filter, and will
106                     fail, returning the first thread  ID  found  that  cannot
107                     synchronize.  Synchronization will fail if another thread
108                     in the same process is in SECCOMP_MODE_STRICT  or  if  it
109                     has  attached  new  seccomp  filters to itself, diverging
110                     from the calling thread's filter tree.
111
112              SECCOMP_FILTER_FLAG_LOG (since Linux 4.14)
113                     All filter return actions except SECCOMP_RET_ALLOW should
114                     be  logged.   An  administrator  may override this filter
115                     flag by preventing specific actions from being logged via
116                     the /proc/sys/kernel/seccomp/actions_logged file.
117
118       SECCOMP_GET_ACTION_AVAIL (since Linux 4.14)
119              Test to see if an action is supported by the kernel.  This oper‐
120              ation is helpful to confirm that the  kernel  knows  of  a  more
121              recently  added filter return action since the kernel treats all
122              unknown actions as SECCOMP_RET_KILL_PROCESS.
123
124              The value of flags must be 0, and args must be a pointer  to  an
125              unsigned 32-bit filter return action.
126
127   Filters
128       When  adding filters via SECCOMP_SET_MODE_FILTER, args points to a fil‐
129       ter program:
130
131           struct sock_fprog {
132               unsigned short      len;    /* Number of BPF instructions */
133               struct sock_filter *filter; /* Pointer to array of
134                                              BPF instructions */
135           };
136
137       Each program must contain one or more BPF instructions:
138
139           struct sock_filter {            /* Filter block */
140               __u16 code;                 /* Actual filter code */
141               __u8  jt;                   /* Jump true */
142               __u8  jf;                   /* Jump false */
143               __u32 k;                    /* Generic multiuse field */
144           };
145
146       When executing the instructions, the BPF program operates on the system
147       call information made available (i.e., use the BPF_ABS addressing mode)
148       as a (read-only) buffer of the following form:
149
150           struct seccomp_data {
151               int   nr;                   /* System call number */
152               __u32 arch;                 /* AUDIT_ARCH_* value
153                                              (see <linux/audit.h>) */
154               __u64 instruction_pointer;  /* CPU instruction pointer */
155               __u64 args[6];              /* Up to 6 system call arguments */
156           };
157
158       Because numbering of system calls varies between architectures and some
159       architectures  (e.g.,  x86-64) allow user-space code to use the calling
160       conventions of multiple architectures, it is usually necessary to  ver‐
161       ify the value of the arch field.
162
163       It is strongly recommended to use a whitelisting approach whenever pos‐
164       sible because such an approach is more robust and simple.  A  blacklist
165       will have to be updated whenever a potentially dangerous system call is
166       added (or a dangerous flag or option if those are blacklisted), and  it
167       is often possible to alter the representation of a value without alter‐
168       ing its meaning, leading to  a  blacklist  bypass.   See  also  Caveats
169       below.
170
171       The  arch  field is not unique for all calling conventions.  The x86-64
172       ABI and the x32 ABI both use AUDIT_ARCH_X86_64 as arch, and they run on
173       the  same  processors.   Instead, the mask __X32_SYSCALL_BIT is used on
174       the system call number to tell the two ABIs apart.
175
176       This means that in order to create a seccomp-based blacklist for system
177       calls  performed  through  the  x86-64 ABI, it is necessary to not only
178       check that arch equals AUDIT_ARCH_X86_64, but also to explicitly reject
179       all system calls that contain __X32_SYSCALL_BIT in nr.
180
181       The  instruction_pointer field provides the address of the machine-lan‐
182       guage instruction that performed the system call.  This might be useful
183       in conjunction with the use of /proc/[pid]/maps to perform checks based
184       on which region (mapping) of the program made the system call.  (Proba‐
185       bly,  it  is wise to lock down the mmap(2) and mprotect(2) system calls
186       to prevent the program from subverting such checks.)
187
188       When checking values from args against a blacklist, keep in  mind  that
189       arguments  are  often  silently  truncated  before being processed, but
190       after the seccomp check.  For example, this happens if the i386 ABI  is
191       used  on  an  x86-64 kernel: although the kernel will normally not look
192       beyond the 32 lowest bits of the arguments,  the  values  of  the  full
193       64-bit  registers will be present in the seccomp data.  A less surpris‐
194       ing example is that if the x86-64 ABI is used to perform a system  call
195       that  takes  an  argument of type int, the more-significant half of the
196       argument register is ignored by the system call,  but  visible  in  the
197       seccomp data.
198
199       A  seccomp  filter  returns a 32-bit value consisting of two parts: the
200       most significant 16 bits (corresponding to the mask defined by the con‐
201       stant  SECCOMP_RET_ACTION_FULL)  contain  one  of  the  "action" values
202       listed below; the least significant 16-bits (defined  by  the  constant
203       SECCOMP_RET_DATA) are "data" to be associated with this return value.
204
205       If  multiple  filters exist, they are all executed, in reverse order of
206       their addition to the filter tree—that is, the most recently  installed
207       filter  is  executed first.  (Note that all filters will be called even
208       if one of the earlier filters returns SECCOMP_RET_KILL.  This  is  done
209       to  simplify the kernel code and to provide a tiny speed-up in the exe‐
210       cution of sets of filters by avoiding a check for this uncommon  case.)
211       The  return  value  for  the  evaluation  of a given system call is the
212       first-seen action value of highest precedence (along with its  accompa‐
213       nying data) returned by execution of all of the filters.
214
215       In  decreasing  order  of  precedence,  the  action  values that may be
216       returned by a seccomp filter are:
217
218       SECCOMP_RET_KILL_PROCESS (since Linux 4.14)
219              This value results in immediate termination of the process, with
220              a core dump.  The system call is not executed.  By contrast with
221              SECCOMP_RET_KILL_THREAD below, all threads in the  thread  group
222              are  terminated.   (For  a  discussion of thread groups, see the
223              description of the CLONE_THREAD flag in clone(2).)
224
225              The process terminates as though  killed  by  a  SIGSYS  signal.
226              Even  if  a  signal  handler has been registered for SIGSYS, the
227              handler will be ignored in this case and the process always ter‐
228              minates.   To  a  parent process that is waiting on this process
229              (using waitpid(2) or similar), the returned wstatus  will  indi‐
230              cate that its child was terminated as though by a SIGSYS signal.
231
232       SECCOMP_RET_KILL_THREAD (or SECCOMP_RET_KILL)
233              This  value  results in immediate termination of the thread that
234              made the system call.  The system call is not  executed.   Other
235              threads in the same thread group will continue to execute.
236
237              The  thread terminates as though killed by a SIGSYS signal.  See
238              SECCOMP_RET_KILL_PROCESS above.
239
240              Before Linux 4.11, any process terminated in this way would  not
241              trigger  a  coredump  (even  though SIGSYS is documented in sig‐
242              nal(7) as having a default action of  termination  with  a  core
243              dump).   Since  Linux  4.11, a single-threaded process will dump
244              core if terminated in this way.
245
246              With the addition of  SECCOMP_RET_KILL_PROCESS  in  Linux  4.14,
247              SECCOMP_RET_KILL_THREAD   was   added  as  a  synonym  for  SEC‐
248              COMP_RET_KILL, in order to  more  clearly  distinguish  the  two
249              actions.
250
251       SECCOMP_RET_TRAP
252              This  value  results  in  the  kernel  sending a thread-directed
253              SIGSYS signal to the triggering thread.  (The system call is not
254              executed.)   Various  fields will be set in the siginfo_t struc‐
255              ture (see sigaction(2)) associated with signal:
256
257              *  si_signo will contain SIGSYS.
258
259              *  si_call_addr  will  show  the  address  of  the  system  call
260                 instruction.
261
262              *  si_syscall  and  si_arch  will indicate which system call was
263                 attempted.
264
265              *  si_code will contain SYS_SECCOMP.
266
267              *  si_errno will contain the  SECCOMP_RET_DATA  portion  of  the
268                 filter return value.
269
270              The  program  counter will be as though the system call happened
271              (i.e., the program counter will not point  to  the  system  call
272              instruction).   The return value register will contain an archi‐
273              tecture-dependent value; if resuming execution, set it to  some‐
274              thing appropriate for the system call.  (The architecture depen‐
275              dency is because replacing it with ENOSYS could  overwrite  some
276              useful information.)
277
278       SECCOMP_RET_ERRNO
279              This  value  results in the SECCOMP_RET_DATA portion of the fil‐
280              ter's return value being passed to user space as the errno value
281              without executing the system call.
282
283       SECCOMP_RET_TRACE
284              When  returned,  this  value will cause the kernel to attempt to
285              notify a ptrace(2)-based tracer prior to  executing  the  system
286              call.   If  there  is  no tracer present, the system call is not
287              executed and returns a failure status with errno set to ENOSYS.
288
289              A tracer will be notified if it  requests  PTRACE_O_TRACESECCOMP
290              using ptrace(PTRACE_SETOPTIONS).  The tracer will be notified of
291              a PTRACE_EVENT_SECCOMP and the SECCOMP_RET_DATA portion  of  the
292              filter's  return  value  will  be  available  to  the tracer via
293              PTRACE_GETEVENTMSG.
294
295              The tracer can skip the system call by changing the system  call
296              number  to  -1.  Alternatively, the tracer can change the system
297              call requested by changing the system call  to  a  valid  system
298              call  number.   If the tracer asks to skip the system call, then
299              the system call will appear to return the value that the  tracer
300              puts in the return value register.
301
302              Before kernel 4.8, the seccomp check will not be run again after
303              the tracer is notified.  (This means  that,  on  older  kernels,
304              seccomp-based  sandboxes must not allow use of ptrace(2)—even of
305              other sandboxed processes—without extreme care; ptracers can use
306              this mechanism to escape from the seccomp sandbox.)
307
308       SECCOMP_RET_LOG (since Linux 4.14)
309              This  value  results in the system call being executed after the
310              filter return action is logged.  An administrator  may  override
311              the   logging  of  this  action  via  the  /proc/sys/kernel/sec‐
312              comp/actions_logged file.
313
314       SECCOMP_RET_ALLOW
315              This value results in the system call being executed.
316
317       If an action value other than one of the above is specified,  then  the
318       filter  action  is  treated  as  either SECCOMP_RET_KILL_PROCESS (since
319       Linux 4.14) or SECCOMP_RET_KILL_THREAD (in Linux 4.13 and earlier).
320
321   /proc interfaces
322       The files in the directory /proc/sys/kernel/seccomp provide  additional
323       seccomp information and configuration:
324
325       actions_avail (since Linux 4.14)
326              A  read-only  ordered  list  of seccomp filter return actions in
327              string form.  The ordering, from left-to-right, is in decreasing
328              order  of  precedence.   The  list represents the set of seccomp
329              filter return actions supported by the kernel.
330
331       actions_logged (since Linux 4.14)
332              A read-write ordered list of seccomp filter return actions  that
333              are  allowed to be logged.  Writes to the file do not need to be
334              in ordered form but reads from the file will be ordered  in  the
335              same way as the actions_avail file.
336
337              It  is  important  to note that the value of actions_logged does
338              not prevent certain filter return actions from being logged when
339              the  audit  subsystem  is  configured  to  audit a task.  If the
340              action is not found in the actions_logged file, the final  deci‐
341              sion  on whether to audit the action for that task is ultimately
342              left up to the audit subsystem to decide for all  filter  return
343              actions other than SECCOMP_RET_ALLOW.
344
345              The "allow" string is not accepted in the actions_logged file as
346              it is not possible to log SECCOMP_RET_ALLOW actions.  Attempting
347              to write "allow" to the file will fail with the error EINVAL.
348
349   Audit logging of seccomp actions
350       Since  Linux  4.14, the kernel provides the facility to log the actions
351       returned by seccomp filters in the audit log.   The  kernel  makes  the
352       decision to log an action based on the action type,  whether or not the
353       action is present in the actions_logged file, and whether kernel audit‐
354       ing  is  enabled (e.g., via the kernel boot option audit=1).  The rules
355       are as follows:
356
357       *  If the action is SECCOMP_RET_ALLOW, the action is not logged.
358
359       *  Otherwise, if the action is either SECCOMP_RET_KILL_PROCESS or  SEC‐
360          COMP_RET_KILL_THREAD,  and that action appears in the actions_logged
361          file, the action is logged.
362
363       *  Otherwise, if the filter has  requested  logging  (the  SECCOMP_FIL‐
364          TER_FLAG_LOG  flag)  and  the  action  appears in the actions_logged
365          file, the action is logged.
366
367       *  Otherwise, if kernel auditing is enabled and the  process  is  being
368          audited (autrace(8)), the action is logged.
369
370       *  Otherwise, the action is not logged.
371

RETURN VALUE

373       On   success,   seccomp()   returns   0.   On  error,  if  SECCOMP_FIL‐
374       TER_FLAG_TSYNC was used, the return value is the ID of the thread  that
375       caused  the synchronization failure.  (This ID is a kernel thread ID of
376       the type returned by clone(2) and gettid(2).)  On other errors,  -1  is
377       returned, and errno is set to indicate the cause of the error.
378

ERRORS

380       seccomp() can fail for the following reasons:
381
382       EACCESS
383              The caller did not have the CAP_SYS_ADMIN capability in its user
384              namespace,  or  had  not  set  no_new_privs  before  using  SEC‐
385              COMP_SET_MODE_FILTER.
386
387       EFAULT args was not a valid address.
388
389       EINVAL operation  is unknown or is not supported by this kernel version
390              or configuration.
391
392       EINVAL The specified flags are invalid for the given operation.
393
394       EINVAL operation included BPF_ABS, but the  specified  offset  was  not
395              aligned  to  a  32-bit  boundary  or exceeded sizeof(struct sec‐
396              comp_data).
397
398       EINVAL A secure computing mode has already been set, and operation dif‐
399              fers from the existing setting.
400
401       EINVAL operation specified SECCOMP_SET_MODE_FILTER, but the filter pro‐
402              gram pointed to by args was not valid or the length of the  fil‐
403              ter  program  was  zero or exceeded BPF_MAXINSNS (4096) instruc‐
404              tions.
405
406       ENOMEM Out of memory.
407
408       ENOMEM The total length of all filter programs attached to the  calling
409              thread  would  exceed  MAX_INSNS_PER_PATH  [22m(32768) instructions.
410              Note that for the  purposes  of  calculating  this  limit,  each
411              already  existing filter program incurs an overhead penalty of 4
412              instructions.
413
414       EOPNOTSUPP
415              operation specified  SECCOMP_GET_ACTION_AVAIL,  but  the  kernel
416              does not support the filter return action specified by args.
417
418       ESRCH  Another  thread  caused a failure during thread sync, but its ID
419              could not be determined.
420

VERSIONS

422       The seccomp() system call first appeared in Linux 3.17.
423

CONFORMING TO

425       The seccomp() system call is a nonstandard Linux extension.
426

NOTES

428       Rather than hand-coding seccomp filters as shown in the example  below,
429       you  may  prefer  to  employ  the  libseccomp library, which provides a
430       front-end for generating seccomp filters.
431
432       The Seccomp field of the /proc/[pid]/status file provides a  method  of
433       viewing the seccomp mode of a process; see proc(5).
434
435       seccomp()  provides  a  superset  of  the functionality provided by the
436       prctl(2) PR_SET_SECCOMP operation (which does not support flags).
437
438       Since Linux 4.4, the prctl(2) PTRACE_SECCOMP_GET_FILTER  operation  can
439       be used to dump a process's seccomp filters.
440
441   Caveats
442       There  are various subtleties to consider when applying seccomp filters
443       to a program, including the following:
444
445       *  Some traditional system calls have user-space implementations in the
446          vdso(7)  on many architectures.  Notable examples include clock_get‐
447          time(2), gettimeofday(2), and time(2).  On such architectures,  sec‐
448          comp  filtering  for  these system calls will have no effect.  (How‐
449          ever, there are cases where the  vdso(7)  implementations  may  fall
450          back to invoking the true system call, in which case seccomp filters
451          would see the system call.)
452
453       *  Seccomp filtering is based on system call numbers.  However,  appli‐
454          cations  typically  do not directly invoke system calls, but instead
455          call wrapper functions in the C library which  in  turn  invoke  the
456          system calls.  Consequently, one must be aware of the following:
457
458          ·  The glibc wrappers for some traditional system calls may actually
459             employ system calls with different  names  in  the  kernel.   For
460             example,  the  exit(2)  wrapper  function  actually  employs  the
461             exit_group(2) system call, and the fork(2) wrapper function actu‐
462             ally calls clone(2).
463
464          ·  The  behavior of wrapper functions may vary across architectures,
465             according to the range of system calls provided on  those  archi‐
466             tectures.   In  other words, the same wrapper function may invoke
467             different system calls on different architectures.
468
469          ·  Finally, the behavior of  wrapper  functions  can  change  across
470             glibc  versions.  For example, in older versions, the glibc wrap‐
471             per function for open(2) invoked the  system  call  of  the  same
472             name,  but starting in glibc 2.26, the implementation switched to
473             calling openat(2) on all architectures.
474
475       The consequence of the above points is that it may be necessary to fil‐
476       ter  for  a  system  call other than might be expected.  Various manual
477       pages in Section  2  provide  helpful  details  about  the  differences
478       between  wrapper  functions  and the underlying system calls in subsec‐
479       tions entitled C library/kernel differences.
480
481       Furthermore, note that the application of seccomp  filters  even  risks
482       causing bugs in an application, when the filters cause unexpected fail‐
483       ures for legitimate operations that the application might need to  per‐
484       form.   Such bugs may not easily be discovered when testing the seccomp
485       filters if the bugs occur in rarely used application code paths.
486
487   Seccomp-specific BPF details
488       Note the following BPF details specific to seccomp filters:
489
490       *  The BPF_H and BPF_B size modifiers are not supported: all operations
491          must load and store (4-byte) words (BPF_W).
492
493       *  To  access  the contents of the seccomp_data buffer, use the BPF_ABS
494          addressing mode modifier.
495
496       *  The BPF_LEN addressing mode modifier yields an immediate mode  oper‐
497          and whose value is the size of the seccomp_data buffer.
498

EXAMPLE

500       The  program  below  accepts  four  or more arguments.  The first three
501       arguments are a system call number, a numeric architecture  identifier,
502       and  an error number.  The program uses these values to construct a BPF
503       filter that is used at run time to perform the following checks:
504
505       [1] If the program is not running on the  specified  architecture,  the
506           BPF filter causes system calls to fail with the error ENOSYS.
507
508       [2] If  the program attempts to execute the system call with the speci‐
509           fied number, the BPF filter causes the system call  to  fail,  with
510           errno being set to the specified error number.
511
512       The  remaining  command-line  arguments  specify the pathname and addi‐
513       tional arguments of a program that the example program  should  attempt
514       to  execute  using  execv(3)  (a  library  function  that  employs  the
515       execve(2) system call).  Some example runs of  the  program  are  shown
516       below.
517
518       First,  we display the architecture that we are running on (x86-64) and
519       then construct a shell function that looks up system  call  numbers  on
520       this architecture:
521
522           $ uname -m
523           x86_64
524           $ syscall_nr() {
525               cat /usr/src/linux/arch/x86/syscalls/syscall_64.tbl | \
526               awk '$2 != "x32" && $3 == "'$1'" { print $1 }'
527           }
528
529       When  the  BPF filter rejects a system call (case [2] above), it causes
530       the system call to fail with the error number specified on the  command
531       line.  In the experiments shown here, we'll use error number 99:
532
533           $ errno 99
534           EADDRNOTAVAIL 99 Cannot assign requested address
535
536       In  the following example, we attempt to run the command whoami(1), but
537       the BPF filter rejects the execve(2) system call, so that  the  command
538       is not even executed:
539
540           $ syscall_nr execve
541           59
542           $ ./a.out
543           Usage: ./a.out <syscall_nr> <arch> <errno> <prog> [<args>]
544           Hint for <arch>: AUDIT_ARCH_I386: 0x40000003
545                            AUDIT_ARCH_X86_64: 0xC000003E
546           $ ./a.out 59 0xC000003E 99 /bin/whoami
547           execv: Cannot assign requested address
548
549       In  the  next example, the BPF filter rejects the write(2) system call,
550       so that, although it is successfully started, the whoami(1) command  is
551       not able to write output:
552
553           $ syscall_nr write
554           1
555           $ ./a.out 1 0xC000003E 99 /bin/whoami
556
557       In  the final example, the BPF filter rejects a system call that is not
558       used by the whoami(1) command, so it is able  to  successfully  execute
559       and produce output:
560
561           $ syscall_nr preadv
562           295
563           $ ./a.out 295 0xC000003E 99 /bin/whoami
564           cecilia
565
566   Program source
567       #include <errno.h>
568       #include <stddef.h>
569       #include <stdio.h>
570       #include <stdlib.h>
571       #include <unistd.h>
572       #include <linux/audit.h>
573       #include <linux/filter.h>
574       #include <linux/seccomp.h>
575       #include <sys/prctl.h>
576
577       #define X32_SYSCALL_BIT 0x40000000
578
579       static int
580       install_filter(int syscall_nr, int t_arch, int f_errno)
581       {
582           unsigned int upper_nr_limit = 0xffffffff;
583
584           /* Assume that AUDIT_ARCH_X86_64 means the normal x86-64 ABI */
585           if (t_arch == AUDIT_ARCH_X86_64)
586               upper_nr_limit = X32_SYSCALL_BIT - 1;
587
588           struct sock_filter filter[] = {
589               /* [0] Load architecture from 'seccomp_data' buffer into
590                      accumulator */
591               BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
592                        (offsetof(struct seccomp_data, arch))),
593
594               /* [1] Jump forward 5 instructions if architecture does not
595                      match 't_arch' */
596               BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, t_arch, 0, 5),
597
598               /* [2] Load system call number from 'seccomp_data' buffer into
599                      accumulator */
600               BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
601                        (offsetof(struct seccomp_data, nr))),
602
603               /* [3] Check ABI - only needed for x86-64 in blacklist use
604                      cases.  Use BPF_JGT instead of checking against the bit
605                      mask to avoid having to reload the syscall number. */
606               BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, upper_nr_limit, 3, 0),
607
608               /* [4] Jump forward 1 instruction if system call number
609                      does not match 'syscall_nr' */
610               BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, syscall_nr, 0, 1),
611
612               /* [5] Matching architecture and system call: don't execute
613                   the system call, and return 'f_errno' in 'errno' */
614               BPF_STMT(BPF_RET | BPF_K,
615                        SECCOMP_RET_ERRNO | (f_errno & SECCOMP_RET_DATA)),
616
617               /* [6] Destination of system call number mismatch: allow other
618                      system calls */
619               BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
620
621               /* [7] Destination of architecture mismatch: kill task */
622               BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
623           };
624
625           struct sock_fprog prog = {
626               .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
627               .filter = filter,
628           };
629
630           if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
631               perror("seccomp");
632               return 1;
633           }
634
635           return 0;
636       }
637
638       int
639       main(int argc, char **argv)
640       {
641           if (argc < 5) {
642               fprintf(stderr, "Usage: "
643                       "%s <syscall_nr> <arch> <errno> <prog> [<args>]\n"
644                       "Hint for <arch>: AUDIT_ARCH_I386: 0x%X\n"
645                       "                 AUDIT_ARCH_X86_64: 0x%X\n"
646                       "\n", argv[0], AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);
647               exit(EXIT_FAILURE);
648           }
649
650           if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
651               perror("prctl");
652               exit(EXIT_FAILURE);
653           }
654
655           if (install_filter(strtol(argv[1], NULL, 0),
656                              strtol(argv[2], NULL, 0),
657                              strtol(argv[3], NULL, 0)))
658               exit(EXIT_FAILURE);
659
660           execv(argv[4], &argv[4]);
661           perror("execv");
662           exit(EXIT_FAILURE);
663       }
664

COLOPHON

682       This page is part of release 4.15 of the Linux  man-pages  project.   A
683       description  of  the project, information about reporting bugs, and the
684       latest    version    of    this    page,    can     be     found     at
685       https://www.kernel.org/doc/man-pages/.
686
687
688
689Linux                             2018-02-02                        SECCOMP(2)