I have an existing program that I would like to sandbox using seccomp (v2).
How can I find what seccomp rules I need to allow for the program?
I’ve tried adding seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(…), 0) for all syscalls printed by strace -xfc a.out, but apparently that wasn’t enough, since I’m still getting “SIGSYS, Bad system call” when I run the program with seccomp.
Answer
Probably the most reliable way is to switch your seccomp filter to return SECCOMP_RET_TRAP (“send catchable SIGSYS on error”) rather than SECCOMP_RET_KILL (“kill the process with an uncatchable SIGSYS”), then print the siginfo_t from the signal handler, then commit suicide.