On Tue, Dec 4, 2018 at 4:40 PM <[email protected]> wrote:
> Hi,
>
> I am trying to add a rule to block the clone() syscall when it's called with
> the CLONE_NEWUSER flag. I want to allow the other flags to work.
>
> How I did this was:
>
>     seccomp_rule_add(ctx, SCMP_FAIL, SCMP_SYS(clone), 1,
>                      SCMP_A2(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))
>
> Notice that the SCMP macro used is SCMP_A2 since the flags in the clone()
> system call are provided as the 3rd argument. However, this doesn't seem to
> work.
>
> It only works when I use SCMP_A0. Why is this happening? What could be the
> reason? Am I missing something? I couldn't find any information on it and the
> examples on the man page seem to be suggesting the above.
What architecture are you running on? Unfortunately the clone() syscall has
different argument ordering depending on the architecture; that may be what
is happening here. You can use strace to verify the syscall argument order.

Eventually I want libseccomp to abstract things like this away from the
callers, but we are not there yet.

--
paul moore
www.paul-moore.com
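To make the argument-position point concrete, here is an added example; it is not code from the thread and not part of libseccomp. It evaluates the SCMP_CMP_MASKED_EQ test, (arg & mask) == datum, against constructed argument vectors laid out the way the kernel receives a raw clone() call. On x86_64 the raw syscall takes flags as its first argument, whereas the glibc wrapper clone(fn, stack, flags, arg, ...) takes flags third, which is where the SCMP_A2 assumption comes from; on s390 and cris the raw call takes the stack pointer first and flags second. The struct, the function names and the sample stack address are this example's own.

```c
/* Added example, not from the thread or from libseccomp: evaluates a
 * seccomp-style SCMP_CMP_MASKED_EQ argument test against constructed
 * syscall argument vectors to show why a clone() rule written against
 * argument 2 misses the flags on x86_64. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000ULL   /* same value as in <linux/sched.h> */
#endif
#define EXIT_SIGNAL_SIGCHLD 17ULL      /* clone() carries the exit signal in its low byte */

/* The six argument registers as the kernel hands them to a seccomp filter
 * (the args[] member of struct seccomp_data). Defined locally so the
 * example also builds where <linux/seccomp.h> is absent. */
struct syscall_args {
    uint64_t args[6];
};

/* SCMP_A<index>(SCMP_CMP_MASKED_EQ, mask, datum): true when (arg & mask) == datum. */
bool masked_eq_at(struct syscall_args a, int index, uint64_t mask, uint64_t datum)
{
    if (index < 0 || index > 5)
        return false;
    return (a.args[index] & mask) == datum;
}

/* Raw clone() as the x86_64 kernel ABI receives it: flags first, then
 * stack, parent_tid, child_tid, tls. This differs from the glibc wrapper
 * clone(fn, stack, flags, arg, ...), where flags is the third parameter. */
struct syscall_args raw_clone_x86_64(uint64_t flags, uint64_t stack)
{
    struct syscall_args a = { { flags, stack, 0, 0, 0, 0 } };
    return a;
}

/* Raw clone() on s390 and cris: stack first, flags second. */
struct syscall_args raw_clone_s390(uint64_t flags, uint64_t stack)
{
    struct syscall_args a = { { stack, flags, 0, 0, 0, 0 } };
    return a;
}

/* Probes all six positions with the CLONE_NEWUSER masked test and returns
 * the first index that matches, or -1. A pointer-valued argument can also
 * have bit 28 set, so this only confirms the ordering for a vector whose
 * other arguments are known; the ABI documentation (clone(2)) or strace
 * output is the authority for a real target. */
int find_newuser_flag_index(struct syscall_args a)
{
    for (int i = 0; i < 6; i++) {
        if (masked_eq_at(a, i, CLONE_NEWUSER, CLONE_NEWUSER))
            return i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: clone(CLONE_NEWUSER | SIGCHLD) with a made-up stack address. */
    uint64_t flags = CLONE_NEWUSER | EXIT_SIGNAL_SIGCHLD;
    uint64_t stack = 0x7ffe0abc0000ULL;
    struct syscall_args x86 = raw_clone_x86_64(flags, stack);
    struct syscall_args s390 = raw_clone_s390(flags, stack);

    printf("x86_64: SCMP_A2 rule matches: %s\n",
           masked_eq_at(x86, 2, CLONE_NEWUSER, CLONE_NEWUSER) ? "yes" : "no");
    printf("x86_64: SCMP_A0 rule matches: %s\n",
           masked_eq_at(x86, 0, CLONE_NEWUSER, CLONE_NEWUSER) ? "yes" : "no");
    printf("x86_64: flags found at index %d\n", find_newuser_flag_index(x86));
    printf("s390:   flags found at index %d\n", find_newuser_flag_index(s390));
    return 0;
}
```

The rule in the original post reads the flags at position 2 because that is where the glibc wrapper puts them; the filter, however, sees the raw register layout, so on x86_64 position 2 holds parent_tid and the masked test never matches, while SCMP_A0 does. Checking the raw ABI for the target architecture before choosing SCMP_A<n> is the step this example stands in for.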
