Socket filtering broken on x86 about libseccomp HOT 3 CLOSED

In the future, please send questions like this to the mailing list first.

This is a limitation in the 32-bit x86 ABI and the kernel's implementation of syscall filtering. On 32-bit x86 the socket syscalls are multiplexed over a single syscall, socketcall(). I'll leave the details as an exercise for the reader but the short version is that you can't filter socket related syscalls, with arguments, on 32-bit x86.

from libseccomp.

Interesting. Will send to the mailing list next time. Would it be possible to get this documented somewhere? Could libseccomp fail if you try to filter sockets on x86? That would have saved me quite a bit of time figuring out what was going on.

from libseccomp.

The first paragraph of the description section in the seccomp_rule_add(3) man page specifically mentions that the socket syscalls on x86; would you suggest something different? Patches are always welcome.

We do have APIs which would have failed in the particular example above, seccomp_rule_add_exact(3). We offer both because there are use cases for each; some developers need to add a rule regardless of the architecture, while some need to be notified if the rule can not be created exactly as requested. Unfortunately, I believe you had a bit of bad luck and picked the more permissive of the two APIs to start.

from libseccomp.