Os Syscall Seccomp
DodaTech
1 min read
In this tutorial, you'll learn about How to Fix seccomp Errors. We cover key concepts, practical examples, and best practices.
Fix seccomp errors when process without seccomp allows dangerous syscalls like execve after init.
Quick Fix
Wrong
import os
# process() function only needs read/write but execve and fork are still available
if os.fork()==0:
os.execv('/bin/sh',['/bin/sh']) # can escape!
Process can fork+exec shell despite only needing read/write. Security vulnerability.
Right
import os, ctypes
libc=ctypes.CDLL('libc.so.6')
PR_SET_NO_NEW_PRIVS=38
SECCOMP_SET_MODE_FILTER=1
# Prevent privilege escalation:
libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
import ctypes.util
# Simple seccomp: allow only read, write, exit, sigreturn
# Using libseccomp for Python:
try:
import seccomp
filter=seccomp.SyscallFilter(seccomp.KILL)
filter.add_rule(seccomp.ALLOW, 'read')
filter.add_rule(seccomp.ALLOW, 'write')
filter.add_rule(seccomp.ALLOW, 'exit_group')
filter.load()
print('Seccomp filter loaded')
# Now: os.fork() -> killed by seccomp!
except ImportError:
print('pip install python-seccomp')
# Without library:
BPF=bytes([...]) # raw BPF filter for seccomp
# Apply:
libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
libc.seccomp(SECCOMP_SET_MODE_FILTER, 0, BPF)
After seccomp, fork/execve get SIGKILL. Process restricted to needed syscalls only.
Prevention
Use seccomp to restrict syscalls. Allow only needed ones. KILL action for unexpected syscalls.
DodaTech Tools
Doda Browser's algorithm visualizer steps through DSA operations line by line. DodaZIP archives implementation patterns for team sharing. Durga Antivirus Pro detects memory corruption patterns in algorithm implementations.
FAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro