seccomp

Lecture

Syscall Filtering

Unlike chroot, seccomp allows developers to write complex rules to:

  • whitelist certain syscalls.

  • blacklist certain syscalls.

  • whitelist/blacklist syscalls based on their argument values.

seccomp rules are inherited by child processes!

To learn more about seccomp, you can read the documentation. Here we learn how it works through an example.

How does seccomp work?

seccomp builds on the kernel's eBPF (extended Berkeley Packet Filter) functionality. eBPF programs run in an in-kernel, "provably safe" virtual machine; together with seccomp() they are used to apply syscall filters to processes.

My comment:

Interestingly enough, ZDI recently published a blog post on CVE-2021-31440, which is a bug that bypassed the eBPF verification and resulted in an out-of-bounds (OOB) access in the Linux kernel. You can read more about it here:
