SECCOMP accomplishes security by restricting which syscalls a process is allowed to execute.
Take this example, where only 6 syscalls are permitted to be called by the application:
https://blog.cloudflare.com/sandboxing-in-linux-with-zero-lines-of-code/
Internally this is implemented with BPF macros + prctl() + the seccomp syscall.
Alternatively, there is also the libseccomp library:
At the end of which is an example (https://gist.github.com/tthtlc/e0c4560fe8c609c7e34eb7cff48923e8):
The main API of the libseccomp library is seccomp_rule_add(); the other APIs can be found here: https://libseccomp.readthedocs.io/en/latest/ and here: https://man7.org/linux/man-pages/man3/seccomp_rule_add.3.html
You can compile the example via “gcc seccomp.c -lseccomp”.
These seccomp rules are enforced inside the kernel, where the filter program is linked from the task_struct thread structure:
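To make the raw BPF + prctl() + seccomp mechanism concrete, here is an added example (not from the original post or the linked gist) that builds a 6-syscall allowlist filter the way the kernel sees it: load the architecture tag, load the syscall number, compare against each permitted number, and kill the process on anything else. It also contains a small interpreter for the three BPF opcodes the filter uses, so the filter's verdict can be checked for any syscall number before it is installed. Everything here is generic Linux UAPI (linux/seccomp.h, linux/filter.h, sys/prctl.h); the allowlist of read/write/brk/exit/exit_group/rt_sigreturn, the function names, and the x86_64/aarch64 architecture selection are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* The filter must check the architecture tag first: syscall numbers are
 * only meaningful for a given ABI. Assumed targets: x86_64 or aarch64. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "Add the AUDIT_ARCH_* value for this architecture"
#endif

/* SECCOMP_RET_KILL_PROCESS exists since Linux 4.14 headers; fall back to
 * the older thread-killing action on older headers. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* One allowlist entry: if the loaded syscall number equals __NR_<name>,
 * fall through to the ALLOW return; otherwise skip it (jf = 1). */
#define ALLOW_SYSCALL(name) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##name, 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Constructed allowlist: the 6 syscalls this example permits. */
static const struct sock_filter filter[] = {
    /* A = seccomp_data.arch; kill unless it matches the compiled ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* A = seccomp_data.nr; then walk the allowlist */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(read),
    ALLOW_SYSCALL(write),
    ALLOW_SYSCALL(brk),
    ALLOW_SYSCALL(exit),
    ALLOW_SYSCALL(exit_group),
    ALLOW_SYSCALL(rt_sigreturn),
    /* default: anything not listed kills the process */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

/* Toy interpreter for the subset of classic BPF used above (LD_ABS, JEQ_K,
 * RET_K). It mirrors what the kernel does on every syscall entry and lets
 * us test the policy without installing it. */
static uint32_t eval_filter(const struct sock_filter *prog, size_t len,
                            const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:      /* load 32-bit word at offset k */
            memcpy(&acc, (const char *)d + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:     /* conditional relative jump */
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:               /* verdict */
            return ins->k;
        default:                            /* opcode not modelled here */
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;        /* fell off the end: deny */
}

/* Verdict the filter would give for syscall `nr` under architecture `arch`. */
uint32_t decide(uint32_t arch, int nr)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return eval_filter(filter, sizeof filter / sizeof filter[0], &d);
}

/* Install the filter on the calling thread. NO_NEW_PRIVS is required so an
 * unprivileged process cannot use the filter to confuse a setuid binary. */
int install_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = (struct sock_filter *)filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    static const char msg[] = "filter installed; write() still works\n";
    if (install_filter() != 0)
        return 1;
    write(1, msg, sizeof msg - 1);   /* allowed */
    getpid();                        /* not allowlisted: SIGSYS, process killed */
    return 0;
}
```

Build with plain gcc (no -lseccomp needed, since nothing from libseccomp is used); the program prints its message and is then killed with "Bad system call" on the getpid() call, which is the kernel enforcing the filter. Note that printf() is deliberately avoided in main() because glibc's stdout setup issues an fstat-family syscall that this allowlist does not permit.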
Another good writeup on seccomp internals is here:
http://terenceli.github.io/%E6%8A%80%E6%9C%AF/2019/02/04/seccomp
An overall summary is provided here:
https://man7.org/training/download/secisol_seccomp_slides.pdf
And if you are not inside the same process but in another process, the ptrace() mechanism allows you to enumerate all the seccomp filters of the seccomp-ed process:
https://man7.org/tlpi/code/online/dist/seccomp/dump_seccomp_filter.c
References:
https://tthtlc.wordpress.com/2014/08/11/security-via-seccomp/
https://tthtlc.wordpress.com/2014/07/25/seccomp-based-applications-analysis-and-debugging/