Hi,

Let's suppose we have a permissive default seccomp policy and at the same time I want to restrict write() to only 2 fds. I tried the rules below:

    #include <seccomp.h>

    scmp_filter_ctx ctx;

    ctx = seccomp_init(SCMP_ACT_ALLOW);            /* permissive default */
    /* allow write() on fd 7 and fd 58 ... */
    seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
                           SCMP_A0(SCMP_CMP_EQ, 7));
    seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
                           SCMP_A0(SCMP_CMP_EQ, 58));
    /* ... and kill on write() to any other fd */
    seccomp_rule_add_exact(ctx, SCMP_ACT_KILL, SCMP_SYS(write), 0);

What was assumed here is: the first rule that matches is the one that will be applied. Not sure if it makes sense because of my limited knowledge of BPF.

I found out later that libseccomp doesn't allow adding a rule that has the same action as the default action, which makes my example hopeless.

Is there a way of achieving what I want without inverting the logic of the example (i.e. SCMP_ACT_KILL on all other fds other than the ones I want to allow write)?

Cheers,

_______________________________________________
libseccomp-discuss mailing list
libseccomp-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss
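The "first matching rule wins" model the post assumes is exactly how a hand-written classic BPF program behaves: the kernel executes it top to bottom and stops at the first RET. libseccomp, by contrast, compiles all rules for one syscall into a single decision tree, which is why it cannot accept a rule whose action equals the default. The program below is an added example, not code from the post or from the libseccomp project; it bypasses libseccomp and expresses the requested policy (default allow, write() permitted only on fds 7 and 58, killed otherwise) directly against the raw seccomp/BPF interface. The AUDIT_ARCH_* selection, the little-endian assumption when reading the low word of args[0], and the small eval_filter() evaluator (which understands only the three opcodes the program uses) are this example's own additions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: the filter is built for and run on the same host ABI. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* fds 7 and 58 are the two descriptors from the post. Classic BPF runs top to
 * bottom and stops at the first RET, so "first matching rule wins" holds here. */
static struct sock_filter write_filter[] = {
    /* Never evaluate a filter built for one ABI under another. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Anything other than write() is allowed: the permissive default. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* write(): the fd is the low 32 bits of args[0] (little-endian host assumed). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 7, 2, 0),   /* fd 7  -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 58, 1, 0),  /* fd 58 -> ALLOW */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),    /* any other fd */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define WRITE_FILTER_LEN (sizeof write_filter / sizeof write_filter[0])

/* Toy evaluator for the three opcodes used above, so the program's decisions
 * can be checked in user space without installing it. */
static uint32_t eval_filter(const struct sock_filter *prog, size_t len,
                            const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k > sizeof(*data) - sizeof(acc))
                return SECCOMP_RET_KILL; /* kernel rejects such loads at install */
            memcpy(&acc, (const unsigned char *)data + ins->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf; /* relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL; /* opcode outside this evaluator's subset */
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end; the kernel rejects such programs */
}

/* Decision the filter returns for one syscall invocation. */
static uint32_t decide_for(uint32_t arch, int nr, uint64_t fd)
{
    struct seccomp_data d = { .nr = nr, .arch = arch, .args = { fd } };
    return eval_filter(write_filter, WRITE_FILTER_LEN, &d);
}

/* Install the program for real; unprivileged once no_new_privs is set. */
static int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)WRITE_FILTER_LEN,
                               .filter = write_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(int argc, char **argv)
{
    printf("write(fd 7)  -> %#x\n", decide_for(FILTER_ARCH, __NR_write, 7));
    printf("write(fd 58) -> %#x\n", decide_for(FILTER_ARCH, __NR_write, 58));
    printf("write(fd 1)  -> %#x\n", decide_for(FILTER_ARCH, __NR_write, 1));
    printf("read(fd 1)   -> %#x\n", decide_for(FILTER_ARCH, __NR_read, 1));
    fflush(stdout); /* stdio must not write(1) after the filter is live */

    /* With --install: the write through fd 7 succeeds, the one through fd 1
     * is terminated by the kernel with SIGSYS. */
    if (argc > 1 && strcmp(argv[1], "--install") == 0) {
        const char *ok = "via fd 7: allowed\n", *bad = "via fd 1: never printed\n";
        if (dup2(STDOUT_FILENO, 7) < 0 || install_filter() != 0) {
            perror("install_filter");
            return 1;
        }
        (void)write(7, ok, strlen(ok));
        (void)write(1, bad, strlen(bad));
    }
    return 0;
}
```

Run without arguments to see the evaluator's verdict for each case; run with --install to have the kernel enforce the same program. The filter is single-threaded and process-wide once installed, and the arch check at the top is what keeps a 32-bit compat syscall from being misread as write() on the native ABI.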