The power of `SECCOMP_RET_USER_NOTIF` and `SECCOMP_IOCTL_NOTIF_ADDFD` (Part 1) #5123

rusty-snake · 2022-04-29T16:40:03Z

rusty-snake
Apr 29, 2022
Collaborator

SECCOMP_RET_USER_NOTIF (since Linux 5.0) and SECCOMP_IOCTL_NOTIF_ADDFD (since Linux 5.9) allow to "emulate" file-open syscalls (open, openat, openat2, creat).
This could be used to

disallow creation of blacklisted files.
open non-whitelisted files.
...

man 2 seccomp and man 2 seccomp_unotify

rusty-snake · 2022-04-29T16:47:34Z

rusty-snake
Apr 29, 2022
Collaborator Author

Other threads about newer kernel features:

fanotify opportunities #4674 (fanotify)
Enhancement adding lowlevel new sandbox feature "landlock" #3992 (landlock)

0 replies

rusty-snake · 2022-05-07T13:04:19Z

rusty-snake
May 7, 2022
Collaborator Author

PoC how you can "emulate" open syscalls: https://github.com/rusty-snake/openat_dialog_poc

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

The power of `SECCOMP_RET_USER_NOTIF` and `SECCOMP_IOCTL_NOTIF_ADDFD` (Part 1) #5123

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

The power of SECCOMP_RET_USER_NOTIF and SECCOMP_IOCTL_NOTIF_ADDFD (Part 1) #5123

Uh oh!

rusty-snake Apr 29, 2022 Collaborator

Replies: 2 comments

Uh oh!

rusty-snake Apr 29, 2022 Collaborator Author

Uh oh!

rusty-snake May 7, 2022 Collaborator Author

The power of `SECCOMP_RET_USER_NOTIF` and `SECCOMP_IOCTL_NOTIF_ADDFD` (Part 1) #5123

rusty-snake
Apr 29, 2022
Collaborator

rusty-snake
Apr 29, 2022
Collaborator Author

rusty-snake
May 7, 2022
Collaborator Author