Comments (3)
In the future, please send questions like this to the mailing list first.
This is a limitation in the 32-bit x86 ABI and the kernel's implementation of syscall filtering. On 32-bit x86 the socket syscalls are multiplexed over a single syscall, socketcall(). I'll leave the details as an exercise for the reader but the short version is that you can't filter socket-related syscalls, with arguments, on 32-bit x86.
from libseccomp.
Interesting. Will send to the mailing list next time. Would it be possible to get this documented somewhere? Could libseccomp fail if you try to filter sockets on x86? That would have saved me quite a bit of time figuring out what was going on.
from libseccomp.
The first paragraph of the description section in the seccomp_rule_add(3) man page specifically mentions the socket syscalls on x86; would you suggest something different? Patches are always welcome.
We do have APIs which would have failed in the particular example above, seccomp_rule_add_exact(3). We offer both because there are use cases for each; some developers need to add a rule regardless of the architecture, while some need to be notified if the rule cannot be created exactly as requested. Unfortunately, I believe you had a bit of bad luck and picked the more permissive of the two APIs to start.
from libseccomp.
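The socketcall() multiplexing described in the first comment, as an added example that is not part of the thread or of libseccomp: a constructed C model of the values a seccomp filter can compare on each ABI. The struct, function names and sample calls are assumptions made for illustration; the syscall and call numbers are the Linux values for x86_64 and 32-bit x86.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of what a seccomp BPF filter can read: the syscall
 * number and six register values (cf. the kernel's struct seccomp_data). */
struct filter_view { int nr; uint64_t args[6]; };

/* Linux values, written out so the example builds on any host. */
enum { NR_SOCKET_X86_64 = 41, NR_SOCKETCALL_I386 = 102 };
enum { SC_SOCKET = 1, SC_BIND = 2 };        /* socketcall() call numbers */
enum { DOM_AF_UNIX = 1, DOM_AF_INET = 2 };  /* socket domains */

/* x86_64: socket() has its own syscall number and the domain is in arg0. */
struct filter_view view_direct(int domain, int type, int proto)
{
    struct filter_view v = { NR_SOCKET_X86_64,
        { (uint64_t)domain, (uint64_t)type, (uint64_t)proto } };
    return v;
}

/* 32-bit x86: socketcall(call, args). arg0 is the call number; arg1 is a
 * pointer to the real arguments in user memory, which a filter cannot read. */
struct filter_view view_socketcall(int call, const unsigned long *uargs)
{
    struct filter_view v = { NR_SOCKETCALL_I386,
        { (uint64_t)call, (uint64_t)(uintptr_t)uargs } };
    return v;
}

/* The only test a filter can make: syscall number plus a register value. */
int rule_matches(struct filter_view v, int nr, uint64_t arg0)
{
    return v.nr == nr && v.args[0] == arg0;
}

int main(void)
{
    unsigned long sock_inet[3] = { DOM_AF_INET, 1, 0 }; /* socket(AF_INET, SOCK_STREAM, 0) */
    unsigned long bind_args[3] = { 3, 0, 0 };           /* bind(3, ...), constructed */

    printf("x86_64 socket(AF_INET), rule arg0==AF_INET: %d\n",
           rule_matches(view_direct(DOM_AF_INET, 1, 0), NR_SOCKET_X86_64, DOM_AF_INET));
    printf("i386   socket(AF_INET), rule arg0==AF_INET: %d\n",
           rule_matches(view_socketcall(SC_SOCKET, sock_inet), NR_SOCKETCALL_I386, DOM_AF_INET));
    printf("i386   bind(),          rule arg0==AF_INET: %d\n",
           rule_matches(view_socketcall(SC_BIND, bind_args), NR_SOCKETCALL_I386, DOM_AF_INET));
    return 0;
}
```

On the 32-bit path the domain never reaches a register, so the same comparison that selects AF_INET sockets on x86_64 misses socket(AF_INET) and instead matches bind(), whose call number happens to equal AF_INET.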