On Fri, Jun 12, 2026 at 12:25 PM Will Drewry <[email protected]> wrote:
>
> On Tue, May 26, 2026 at 10:42 AM Jamie Hill-Daniel <[email protected]>
> wrote:
> >
> > It is currently impossible to enable `SECCOMP_MODE_STRICT` if
> > `SECCOMP_MODE_FILTER` is enabled, and vice-versa. This makes using
> > seccomp difficult in environments such as Docker, which installs a
> > seccomp filter by default.
>
> Some quick thoughts on your resend -- the original reasons for
> this approach:
> (a) filter policy != strict policy
> (b) filter can implement strict, if layering is desired
> (c) minimize checks in the syscall entry/return path
>
> I'd expected folks to simply create the ~80 byte strict filter and install
> it if they needed STRICT policy.
I wonder if it would be reasonable to have the kernel do this on behalf of the user program that's asking for STRICT. The implementation would probably be trivial.

--Andy
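For reference, the "~80 byte strict filter" Will mentions, written out as an added example (this is not code from the thread, from the patch under discussion, or from the kernel). It assumes the native syscall list of strict mode is read, write, exit and rt_sigreturn, which is what mode 1 permits on x86_64; the kernel's own strict mode additionally accepts 32-bit compat numbers there, which this filter does not. The cBPF interpreter `run_seccomp_filter`, the `ARCH_NR` macro and the helper names are assumptions made for this example so the filter can be exercised without installing it. Ten `struct sock_filter` instructions at 8 bytes each is exactly 80 bytes:

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Assumption for this example: audit arch constant of the build host. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#elif defined(__arm__)
#define ARCH_NR AUDIT_ARCH_ARM
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* A filter that implements strict-mode policy: kill on any architecture
 * mismatch, allow read/write/exit/rt_sigreturn, kill everything else.
 * SECCOMP_RET_KILL kills the calling thread, like mode 1 does. */
static struct sock_filter strict_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Size in bytes of the program as the kernel would copy it: 10 * 8 = 80. */
size_t strict_filter_size(void)
{
    return sizeof(strict_filter);
}

/* Hypothetical user-space cBPF interpreter for the opcode subset above.
 * Returns the filter's SECCOMP_RET_* value, or UINT32_MAX on an opcode or
 * load offset this toy does not handle (the kernel verifier would reject
 * a program that runs off the end, so that case also yields UINT32_MAX). */
uint32_t run_seccomp_filter(const struct sock_filter *prog, size_t len,
                            const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *insn = &prog[pc];
        switch (insn->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (insn->k % 4 != 0 || insn->k + sizeof(acc) > sizeof(*data))
                return UINT32_MAX;
            memcpy(&acc, (const char *)data + insn->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            /* jt/jf are relative to the next instruction; the loop's pc++ adds 1. */
            pc += (acc == insn->k) ? insn->jt : insn->jf;
            break;
        case BPF_RET | BPF_K:
            return insn->k;
        default:
            return UINT32_MAX;
        }
    }
    return UINT32_MAX;
}

/* What the strict filter would decide for syscall `nr` on architecture `arch`. */
uint32_t strict_filter_action(int nr, uint32_t arch)
{
    struct seccomp_data data;
    memset(&data, 0, sizeof(data));
    data.nr = nr;
    data.arch = arch;
    return run_seccomp_filter(strict_filter,
                              sizeof(strict_filter) / sizeof(strict_filter[0]),
                              &data);
}

/* Install the filter for real. no_new_privs is required unless the caller
 * has CAP_SYS_ADMIN in its user namespace. Returns 0 on success, -1 on error. */
int install_strict_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(strict_filter) / sizeof(strict_filter[0]),
        .filter = strict_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    static const char msg[] = "strict filter installed; getpid() is next\n";
    if (install_strict_filter() != 0)
        return 1;
    write(1, msg, sizeof(msg) - 1);          /* allowed */
    syscall(SYS_getpid);                     /* killed here with SIGKILL */
    syscall(SYS_exit, 0);                    /* returning would use exit_group, which is not allowed */
    return 0;
}
```

Two things the interpreter makes easy to check before installing: the filter refuses foreign-architecture syscall numbers rather than comparing them against the native table, and a process under this policy must leave via the raw `exit` syscall, since libc's `exit()`/`_exit()` use `exit_group`, which strict mode never allowed.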

