I’ll just assert that there’s no way to use seccomp() correctly. Just like how there’s no way to use gets() correctly, causing it to eventually be removed fr...

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

seccomp() is fundamentally broken as a syscall filtering mechanism due to three core problems: syscalls change depending on libc version and architecture without recompilation, library functions make surprising and order-dependent syscalls (e.g. printf() calling newfstatat), and there's no way to express high-level intent like 'only use already-open file descriptors' without enumerating dozens of low-level syscalls that can change at any time. The author argues OpenBSD's pledge() and unveil() are the correct approach, expressing capability groups rather than individual syscalls. For Linux, Landlock is mentioned as a future possibility, with unshare() as a current imperfect alternative.

seccomp — Unsafe at any speed

1. Syscalls change. Sometimes without even recompiling

3. (hinting at the solution): There’s no grouping