Highest Voted 'seccomp' Questions - IT Security Stack Exchange

16

votes

2 answers

Docker: when to use apparmor vs seccomp vs --cap-drop

Docker seems to support both apparmor and seccomp. Docker also allows to drop capabilities when running a container. However I couldn't find any documentation or guideline on when to use which approach. There seems to be a significant overlap in…

asked Nov 02 '18 at 04:32

JackDaniels

261
2
5

11

votes

2 answers

Difference between linux capabities and seccomp

I know seccomp (secure computing) is a way to restrict a process from making particular system calls. While linux capabilities provides a way to give privileges to specific user or process. So if I want to disable a process from making raw network…

linux capabilities seccomp

asked May 18 '19 at 10:14

mchawre

213
2
7

7

votes

2 answers

Opt-in a security profile at runtime, without tedious setup

I like lowering my access privilege mid-program (e.g. restrict my program to the current directory and files, disable networking). I imagine this is a pretty common wish. I would like to be able to do this as a normal user, without the involvement…

sandbox selinux apparmor seccomp

asked May 12 '19 at 15:34

fluxrider

171
2

3

votes

1 answer

Why I am unable to execute insmod on the docker container?

I have started an unprivileged docker container and trying to start the privileged exec session. It has CAP_SYS_MODULE capabilities, but still, I am getting operations not permitted in insmod. docker start -it -d --name test ubuntu docker exec -it…

linux docker seccomp

asked May 02 '22 at 11:47

tbhaxor

131
3

2

votes

1 answer

What additional protection does seccomp provide when compared to capabilites?

From this answer I understand that seccomp-bpf filters the list of syscalls a process can call. Similarly, the capabilites mechanism will cause a syscall to fail if the caller does not have the capability necessary for that syscall. What I want to…

capabilities seccomp

asked Apr 23 '21 at 16:01

inorik

197
5

2

votes

1 answer

Is it possible to use systemd seccomp filtering for running applications from command line?

Example systemd unit file, what I mean by…

seccomp systemd

asked Jun 27 '19 at 16:23

adrelanos

680
7
21

0

votes

0 answers

How to dump the input of a seccomp BPF filter?

I am writing a program that creates BPF seccomp filters. These filters are supposed to check syscalls and their arguments against predefined allowed values. The logic to check the syscall by its number works as expected. However, the logic to filter…

debugging filtering seccomp

asked Aug 02 '21 at 13:23

inorik

197
5

0

votes

2 answers

Syscalls are disabled with seccomp. What attacks are still possible? How to prevent them?

I want to run a piece of untrusted code on my machine. I've disabled all syscalls (besides exit, sigreturn, read and write) with seccomp for a process. Now, I'd like to spawn a child process that will execute the untrusted code. What attacks are…

linux seccomp

asked Apr 27 '21 at 07:41

John Smith

357
2
6

Questions tagged [seccomp]