Hi Paul,

Thank you very much indeed for letting me know where to start looking :)

Best
Shabir

On Thu, Dec 6, 2018 at 8:48 AM Paul Moore <[email protected]> wrote:
> On Wed, Dec 5, 2018 at 5:15 PM Shabir Mean <[email protected]> wrote:
> > Hi Paul,
> >
> > The system call filtering I have is:
> >
> > seccomp_rule_add(ctx, SCMP_FAIL, SCMP_SYS(clone), 1,
> >                  SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER))
> >
> > I tested it a couple of times and noticed that the system-call filtering
> > only happens when I use SCMP_A0.
> >
> > When I use SCMP_A1, the use of different flags (CLONE_VFORK,
> > CLONE_NEWNET, CLONE_NEWUSER) means the call to clone() sometimes fails and
> > sometimes works. This might be something to do with the container I've
> > implemented.
> >
> > I then went to the clone(2) man page and checked under NOTES, which explains
> > the argument ordering for the raw clone() system call. For x86_64 it is:
> >
> > long clone(unsigned long flags, void *child_stack,
> >            int *ptid, int *ctid,
> >            unsigned long newtls);
> >
> > So it seems that the flags are indeed the first argument in the raw
> > system call for clone() in x86_64.
> >
> > However, it is still confusing what strace shows. Is it some other
> > wrapper function on top of the raw call?
>
> Looking at the strace code for the clone(2) syscall it looks like it
> does report the clone(2) arguments out of order:
>
> * https://github.com/strace/strace/blob/master/clone.c
>
> My apologies for sending you in the wrong direction with strace, the
> clone(2) manpage does seem to have the right information. I'm glad
> you finally got it working!
>
> --
> paul moore
> www.paul-moore.com

--
Shabir Abdul Samadh
Research Assistant
ANRL Lab - McGill University
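As an added example (not code from this thread, nor libseccomp's own), the rule Shabir describes, SCMP_A0(SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER) on clone(), written as a raw seccomp BPF program so that the argument slot the filter inspects is explicit. It assumes x86_64 (flags in args[0], as the clone(2) NOTES say) and uses an EPERM return in place of Shabir's SCMP_FAIL action, which the thread does not define.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* x86_64 only: the raw clone() takes flags in args[0]; other arches differ. */
#define ARG_LO32(n) offsetof(struct seccomp_data, args[(n)])

/* Masked-equality on A0: deny clone() with EPERM when args[0] has CLONE_NEWUSER set. */
struct sock_filter deny_newuser_filter[] = {
    /* 0-2: kill if the arch is not x86_64, since the arg layout would be wrong. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* 3-4: any syscall other than clone() is allowed (jump to index 8). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 3),
    /* 5-7: load the low 32 bits of args[0] (flags); JSET checks the masked bit. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO32(0)),
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 8: everything else falls through to allow. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

size_t deny_newuser_filter_len(void) {
    return sizeof(deny_newuser_filter) / sizeof(deny_newuser_filter[0]);
}

/* Install into the calling thread; returns 0 on success, -errno on failure. */
int install_deny_newuser(void) {
    struct sock_fprog prog = { .len = (unsigned short)deny_newuser_filter_len(),
                               .filter = deny_newuser_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

int main(void) {
    int rc = install_deny_newuser();
    if (rc != 0) { fprintf(stderr, "install failed: errno %d\n", -rc); return 1; }
    /* Raw clone(2) with flags first, as on x86_64; a NULL stack behaves like fork(). */
    long pid = syscall(SYS_clone, (unsigned long)(CLONE_NEWUSER | SIGCHLD), NULL, NULL, NULL, 0UL);
    if (pid == 0) _exit(0); /* only reached if the filter let the child through */
    printf("clone(CLONE_NEWUSER|SIGCHLD) -> %ld, errno %d\n", pid, pid < 0 ? errno : 0);
    return 0;
}
```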
