Skip to content
Advertisement

How can I find all syscalls that have to be whitelisted for seccomp?

I have an existing program that I would like to sandbox using seccomp (v2).

How can I find what seccomp rules I need to allow for the program?


I’ve tried adding seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(…), 0) for all syscalls printed by strace -xfc a.out, but apparently that wasn’t enough, since I’m still getting “SIGSYS, Bad system call” when I run the program with seccomp.

Advertisement

Answer

Probably the most reliable way is to switch your seccomp filter to return SECCOMP_RET_TRAP (“send catchable SIGSYS on error”) rather than SECCOMP_RET_KILL (“kill the process with an uncatchable SIGSYS“), then print the siginfo_t from the signal handler, then commit suicide.

User contributions licensed under: CC BY-SA
2 People found this is helpful
Advertisement