On Wed, Dec 5, 2018 at 5:15 PM Shabir Mean <[email protected]> wrote:
> Hi Paul,
>
> The system call filtering I have is:
>
>     seccomp_rule_add(ctx, SCMP_FAIL, SCMP_SYS(clone), 1,
>                      SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER,
>                              CLONE_NEWUSER));
>
> I tested it a couple of times and noticed that the system call filtering only
> happens when I use SCMP_A0.
>
> When I use SCMP_A1, the use of different flags (CLONE_VFORK, CLONE_NEWNET,
> CLONE_NEWUSER) in the call to clone() sometimes fails and sometimes works. This
> might be something to do with the container I've implemented.
>
> I then went to the clone(2) man page and checked under NOTES, which explains the
> argument ordering for the raw clone() system call. For x86_64 it is:
>
>     long clone(unsigned long flags, void *child_stack,
>                int *ptid, int *ctid,
>                unsigned long newtls);
>
> So it seems that the flags are indeed the first argument in the raw system
> call for clone() on x86_64.
>
> However, it is still confusing what strace shows. Is it some other wrapper
> function on top of the raw call?
Looking at the strace code for the clone(2) syscall it looks like it does report the clone(2) arguments out of order:

* https://github.com/strace/strace/blob/master/clone.c

My apologies for sending you in the wrong direction with strace, the clone(2) manpage does seem to have the right information.

I'm glad you finally got it working!

--
paul moore
www.paul-moore.com
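The exchange above turns on which raw argument a SCMP_CMP_MASKED_EQ rule compares. The following is an added illustration, not code from the thread or from libseccomp: it models that comparison in plain C against the x86_64 raw clone() argument layout from clone(2), using the CLONE_* values from <linux/sched.h> and constructed child_stack addresses, to show why keying the rule on argument 0 filters on the flags while keying it on argument 1 tracks the stack address instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in <linux/sched.h>. */
#define CLONE_VFORK   0x00004000ULL
#define CLONE_NEWUSER 0x10000000ULL
#define CLONE_NEWNET  0x40000000ULL

/* The six raw syscall arguments a seccomp filter sees (seccomp_data.args).
 * Raw x86_64 clone() layout, per clone(2) NOTES:
 *   a[0] = flags, a[1] = child_stack, a[2] = ptid, a[3] = ctid, a[4] = newtls */
struct raw_args { uint64_t a[6]; };

/* One SCMP_A<n>(SCMP_CMP_MASKED_EQ, mask, datum) comparison (modelled here):
 * the rule fires when (args[n] & mask) == datum. */
struct masked_eq_rule { unsigned arg; uint64_t mask; uint64_t datum; };

static bool rule_matches(const struct masked_eq_rule *r, const struct raw_args *args)
{
    return (args->a[r->arg] & r->mask) == r->datum;
}

/* Arguments of a raw x86_64 clone(); child_stack is whatever address the
 * caller's allocator happened to return (constructed values below). */
static struct raw_args x86_64_clone_args(uint64_t flags, uint64_t child_stack)
{
    struct raw_args args = { { flags, child_stack, 0, 0, 0, 0 } };
    return args;
}

/* The rule from the thread, keyed on argument 0 (flags). */
static const struct masked_eq_rule deny_newuser_a0 = { 0, CLONE_NEWUSER, CLONE_NEWUSER };
/* The same compare keyed on argument 1, which on x86_64 is child_stack. */
static const struct masked_eq_rule deny_newuser_a1 = { 1, CLONE_NEWUSER, CLONE_NEWUSER };

static const char *verdict(bool blocked) { return blocked ? "blocked" : "allowed"; }

int main(void)
{
    struct raw_args ns     = x86_64_clone_args(CLONE_NEWUSER | CLONE_NEWNET, 0x7f0000001000ULL);
    struct raw_args vfork  = x86_64_clone_args(CLONE_VFORK, 0x7f0000001000ULL);
    /* Same flags, different stack address: bit 28 of this address is set. */
    struct raw_args vfork2 = x86_64_clone_args(CLONE_VFORK, 0x7f0010001000ULL);

    printf("A0 rule, CLONE_NEWUSER|CLONE_NEWNET:        %s\n", verdict(rule_matches(&deny_newuser_a0, &ns)));
    printf("A0 rule, CLONE_VFORK:                       %s\n", verdict(rule_matches(&deny_newuser_a0, &vfork)));
    /* A1 compares the stack pointer, so the outcome follows the address, not the flags. */
    printf("A1 rule, CLONE_VFORK, stack 0x7f0000001000: %s\n", verdict(rule_matches(&deny_newuser_a1, &vfork)));
    printf("A1 rule, CLONE_VFORK, stack 0x7f0010001000: %s\n", verdict(rule_matches(&deny_newuser_a1, &vfork2)));
    return 0;
}
```

The last two lines reproduce the "sometimes fails and sometimes works" behaviour from the thread: with SCMP_A1 the verdict changes with the stack allocation rather than with the flags.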
