Hi,

I am trying to add a rule to block the clone() syscall when it's called with the 
CLONE_NEWUSER flag. I want to allow the other flags to work.

How I did this was:

seccomp_rule_add(ctx, SCMP_FAIL, SCMP_SYS(clone), 1,
                 SCMP_A2(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER));


Notice that the SCMP macro used is SCMP_A2, since the flags in the clone() 
system call are provided as the 3rd argument. However, this doesn't seem to work.

It only works when I use SCMP_A0. Why is this happening? What could be the 
reason? Am I missing something? I couldn't find any information on it, and the 
examples on the man page seem to be suggesting the above.

Best
Shabir
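
The behaviour asked about above comes from the difference between the libc wrapper and the raw system call: seccomp filters see the raw syscall's argument registers, and on x86_64 (and most other architectures) the raw clone() is clone(flags, stack, parent_tid, child_tid, tls), so the flags word is argument 0, not the 3rd argument of the libc wrapper clone(fn, stack, flags, arg, ...). That is why SCMP_A0 matches and SCMP_A2 never does. The position is architecture-specific: clone(2) documents that on s390/s390x (and cris) the first two arguments are swapped, so flags is argument 1 there. The example below is added here and is not code from the post or from libseccomp. It writes the same masked-equality rule as a raw seccomp-BPF program for x86_64, returns EPERM in place of the post's SCMP_FAIL (which is not a libseccomp action, so I assume it is a local macro for an errno action), and includes a small evaluator so the filter's decisions can be checked offline, including the fact that inspecting argument 2 leaves a CLONE_NEWUSER clone() allowed. The names build_clone_filter, run_filter, decide and x86_64_clone_decision are mine; main() installs the filter and probes it with a raw clone() on an x86_64 Linux host.

```c
/* Added example (not from the original post or libseccomp): the rule above as
 * a raw seccomp-BPF filter plus an offline evaluator. Assumes x86_64 Linux,
 * where the raw clone() syscall takes the flags word as argument 0. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/sched.h>     /* CLONE_NEWUSER, CLONE_VM, ... */
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS        /* missing from older UAPI headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define FILTER_LEN 10
#define BLOCK_NEWUSER (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* flags_arg: which syscall argument the rule inspects. 0 is correct for the
 * x86_64 raw clone(flags, stack, parent_tid, child_tid, tls); 2 reproduces
 * the SCMP_A2 rule from the post. */
static void build_clone_filter(struct sock_filter out[FILTER_LEN], int flags_arg)
{
    /* Low 32 bits of args[flags_arg] (little-endian); CLONE_NEWUSER is
     * 0x10000000, so that word is enough for the masked test. */
    uint32_t off = offsetof(struct seccomp_data, args) + 8 * flags_arg;
    struct sock_filter prog[FILTER_LEN] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),  /* wrong arch */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),         /* not clone */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, off),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, BLOCK_NEWUSER),             /* flag set */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),         /* flag clear */
    };
    memcpy(out, prog, sizeof prog);
}

/* Interpreter for the four BPF opcodes used above, to test decisions offline. */
static uint32_t run_filter(const struct sock_filter *p, size_t n, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n;) {
        const struct sock_filter *i = &p[pc++];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (i->k + sizeof acc > sizeof *d) return UINT32_MAX;
            memcpy(&acc, (const unsigned char *)d + i->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += acc == i->k ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (acc & i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K:            return i->k;
        default:                         return UINT32_MAX; /* not modelled */
        }
    }
    return UINT32_MAX;
}

/* Decision of the filter built with flags_arg for syscall nr on arch, arg0 given. */
uint32_t decide(int flags_arg, uint32_t arch, int nr, uint64_t arg0)
{
    struct sock_filter prog[FILTER_LEN];
    struct seccomp_data d = { .nr = nr, .arch = arch };
    d.args[0] = arg0;
    build_clone_filter(prog, flags_arg);
    return run_filter(prog, FILTER_LEN, &d);
}

/* Raw x86_64 clone(): the flags word is argument 0. */
uint32_t x86_64_clone_decision(int flags_arg, uint64_t flags)
{
    return decide(flags_arg, AUDIT_ARCH_X86_64, __NR_clone, flags);
}

int main(void)
{
#ifndef __x86_64__
    puts("demo assumes x86_64 (flags in argument 0)");
    return 0;
#else
    struct sock_filter prog[FILTER_LEN];
    build_clone_filter(prog, 0);
    struct sock_fprog fp = { .len = FILTER_LEN, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp)) { perror("install"); return 1; }
    /* Raw x86_64 order: flags, stack, parent_tid, child_tid, tls. */
    long r = syscall(SYS_clone, CLONE_NEWUSER | SIGCHLD, NULL, NULL, NULL, 0);
    int err = errno;
    if (r == 0) _exit(0);                         /* child: must not happen */
    if (r > 0) { waitpid((pid_t)r, NULL, 0); puts("NOT blocked"); return 1; }
    printf("clone(CLONE_NEWUSER) -> %s\n", strerror(err));   /* expect EPERM */
    return err == EPERM ? 0 : 1;
#endif
}
```

Running it on an x86_64 host prints the EPERM result from the kernel-installed filter; the evaluator answers the same questions without installing anything, which is the check worth keeping in a test suite whenever a rule's argument index is changed. The arch check at the top is what makes argument positions safe to hard-code: a filter that does not pin the architecture would inspect the wrong register on a machine with a different raw clone() layout.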
