Security/Sandbox/Seccomp

208 bytes added, 00:38, 26 August 2014
=== How do I call seccomp-bpf ? ===
Seccomp-bpf is turned on through the prctl() system call (process control). The call looks like this:
#include <sys/prctl.h>
#include <linux/seccomp.h>   /* SECCOMP_MODE_FILTER */
/* bpf_prog is a struct sock_fprog holding the filter program */
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog);
bpf_prog is a BPF structure which contains the rules used by seccomp-bpf, i.e. which system calls are allowed and which are not. To ensure that this call can't be made again later with a more permissive filter program (bpf_prog), there is an additional call to make, "no new privileges", which ensures it's only possible to tighten the filter, never to extend it. This means you could, for example, first remove access to one system call and then, later in the process lifetime, remove access to more system calls.
Here's the same code, with the no new privileges call:
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
In this example, you could have a filter that first validates that the syscall is for the architecture you run on (rather than an OS emulation feature or 32/64-bit translation, where the syscall numbers could have different meanings), then checks the syscall number against each entry on a whitelist and allows the call if it matches, and finally kills the process if it didn't match any whitelist entry.
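The filter just described, written out as an added example (not code from the wiki page or from Gecko): it assumes an x86-64 host (AUDIT_ARCH_X86_64) and uses a constructed four-entry whitelist, sets no-new-privileges, installs the program with prctl(), and then deliberately makes a non-whitelisted syscall so the kernel terminates the process.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumed x86-64 host: AUDIT_ARCH_X86_64 is what the kernel reports in
 * seccomp_data.arch for that ABI; use the matching AUDIT_ARCH_* elsewhere. */
#define SANDBOX_ARCH AUDIT_ARCH_X86_64

/* Constructed whitelist for this example: just enough to print and exit. */
static const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
#define NALLOWED (sizeof(allowed) / sizeof(allowed[0]))

/* Classic BPF: check the arch, compare nr against each whitelist entry (allow
 * on match), kill otherwise. Returns instruction count, 0 if buffer too small. */
static size_t build_filter(struct sock_filter *f, size_t cap)
{
    size_t n = 0;
    if (cap < 5 + 2 * NALLOWED)
        return 0;
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NALLOWED; i++) {
        f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], 0, 1);
        f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    return n;
}

/* PR_SET_NO_NEW_PRIVS is required for an unprivileged process and stops
 * execve() from ever granting this process new privileges. Returns 0 on success. */
static int install_filter(void)
{
    struct sock_filter insns[32];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns, 32), .filter = insns };
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
int main(void)
{
    if (install_filter() != 0)
        return 1;
    write(1, "filter installed\n", 17);
    syscall(SYS_getpid); /* not whitelisted: the kernel kills the process with SIGSYS */
    return 0;
}
```

Run under strace or check the exit status of the parent shell to see the SIGSYS termination; the allowed write() before it still goes through.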
== Use in Gecko ==