could not create filter #111

Open
18827555809 opened this issue Oct 22, 2024 · 1 comment

@18827555809

ubuntu1~20.04
go version go1.20.6 linux/amd64
gcc version 9.4.0

package lib

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"log"
	"os"
	"syscall"
	"unsafe"

	sg "github.com/seccomp/libseccomp-golang"
)

// seccomp(2) constants for linux/amd64. The reporter's package defines these
// elsewhere; they are spelled out here so the snippet compiles on its own.
const (
	SYS_SECCOMP            = 317 // __NR_seccomp on x86-64
	SeccompSetModeFilter   = 1   // SECCOMP_SET_MODE_FILTER
	SeccompFilterFlagTSYNC = 1   // SECCOMP_FILTER_FLAG_TSYNC
)

// Seccomp builds a filter with libseccomp, exports it as classic BPF through a
// pipe, and loads the raw program with the seccomp(2) syscall.
func Seccomp(allowed_syscalls []int, allowed_not_kill_syscalls []int) error {
	log.Println("Starting Seccomp configuration")
	// Default action: kill the whole process (SECCOMP_RET_KILL_PROCESS,
	// which needs libseccomp API level 3 / kernel >= 4.14).
	ctx, err := sg.NewFilter(sg.ActKillProcess)
	if err != nil {
		log.Printf("Failed to create new filter: %v", err)
		return err
	}
	defer ctx.Release()

	reader, writer, err := os.Pipe()
	if err != nil {
		log.Printf("Failed to create pipe: %v", err)
		return err
	}
	defer reader.Close()
	defer writer.Close()

	// Loop variable renamed from "syscall" so it no longer shadows the package.
	for _, nr := range allowed_syscalls {
		if err := ctx.AddRule(sg.ScmpSyscall(nr), sg.ActAllow); err != nil {
			log.Printf("Failed to add allow rule for syscall %d: %v", nr, err)
			return err
		}
	}

	for _, nr := range allowed_not_kill_syscalls {
		if err := ctx.AddRule(sg.ScmpSyscall(nr), sg.ActErrno); err != nil {
			log.Printf("Failed to add errno rule for syscall %d: %v", nr, err)
			return err
		}
	}

	// ExportBPF takes an *os.File; passing the pipe's write end directly avoids
	// wrapping the same descriptor in a second *os.File (and a double close).
	if err := ctx.ExportBPF(writer); err != nil {
		log.Printf("Failed to export BPF: %v", err)
		return err
	}
	log.Println("BPF exported successfully")

	// Read the raw sock_filter records back from the pipe.
	data := make([]byte, 4096)
	n, err := reader.Read(data)
	if err != nil {
		log.Printf("Failed to read from pipe: %v", err)
		return err
	}
	log.Printf("Read %d bytes from pipe", n)
	if n == 0 || n%8 != 0 {
		return fmt.Errorf("unexpected BPF program length %d: not a multiple of 8", n)
	}

	// Decode n/8 sock_filter records; parse only the bytes actually read.
	sock_filters := make([]syscall.SockFilter, n/8)
	err = binary.Read(bytes.NewReader(data[:n]), binary.LittleEndian, &sock_filters)
	if err != nil {
		log.Printf("Failed to decode sock filters: %v", err)
		return err
	}
	log.Println("Sock filters decoded successfully")

	bpf := syscall.SockFprog{
		Len:    uint16(len(sock_filters)),
		Filter: &sock_filters[0],
	}

	// seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &bpf):
	// TSYNC applies the filter to every thread of the process.
	_, _, errno := syscall.Syscall(
		SYS_SECCOMP,
		uintptr(SeccompSetModeFilter),
		uintptr(SeccompFilterFlagTSYNC),
		uintptr(unsafe.Pointer(&bpf)),
	)
	if errno != 0 {
		return errno
	}

	return nil
}

The above code fails at sg.NewFilter(sg.ActKillProcess) with: "Failed to create new filter: could not create filter"

@kolyshkin
Contributor

This means that seccomp_init(3) failed. Note that sg.ActKillProcess requires API level 3 from the kernel -- this might be the reason for a failure.

You can get more information by using strace(1).
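An added example, not code from this issue or from libseccomp-golang, that picks up the reporter's second step: parsing the bytes ExportBPF writes into sock_filter records. It rejects a partial trailing record (the n%8 case the original code does not check) and reports whether the program returns SECCOMP_RET_KILL_PROCESS, the action behind sg.ActKillProcess that a kernel below libseccomp API level 3 cannot load. The sock_filter layout assumes x86-64 (little-endian), and sampleProgram is constructed by hand rather than captured from libseccomp.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// sockFilter mirrors struct sock_filter / syscall.SockFilter: one 8-byte instruction.
type sockFilter struct {
	Code   uint16
	Jt, Jf uint8
	K      uint32
}

const (
	bpfRetK        = 0x06       // BPF_RET|BPF_K: return the constant K
	retActionMask  = 0xffff0000 // SECCOMP_RET_ACTION_FULL
	retKillProcess = 0x80000000 // SECCOMP_RET_KILL_PROCESS, emitted for sg.ActKillProcess (kernel >= 4.14)
)

// inspect parses the bytes ExportBPF writes (host order, little-endian on x86-64),
// rejects a partial trailing record, and returns every action the program can return
// plus whether one of them is SECCOMP_RET_KILL_PROCESS (needs libseccomp API level 3).
func inspect(raw []byte) (actions []uint32, killProcess bool, err error) {
	if len(raw) == 0 || len(raw)%8 != 0 {
		return nil, false, fmt.Errorf("bpf program is %d bytes, not a multiple of 8", len(raw))
	}
	prog := make([]sockFilter, len(raw)/8)
	if err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, prog); err != nil {
		return nil, false, err
	}
	for _, ins := range prog {
		if ins.Code == bpfRetK {
			a := ins.K & retActionMask
			actions = append(actions, a)
			killProcess = killProcess || a == retKillProcess
		}
	}
	return actions, killProcess, nil
}

// sampleProgram is constructed, not real ExportBPF output: load the syscall number,
// allow nr 60 (exit on x86-64), and kill the process for anything else.
var sampleProgram = []byte{
	0x20, 0x00, 0, 0, 0, 0, 0, 0, // BPF_LD|BPF_W|BPF_ABS   A = seccomp_data.nr
	0x15, 0x00, 0, 1, 60, 0, 0, 0, // BPF_JMP|BPF_JEQ|BPF_K  skip next insn if A != 60
	0x06, 0x00, 0, 0, 0x00, 0x00, 0xff, 0x7f, // BPF_RET|BPF_K  SECCOMP_RET_ALLOW (0x7fff0000)
	0x06, 0x00, 0, 0, 0x00, 0x00, 0x00, 0x80, // BPF_RET|BPF_K  SECCOMP_RET_KILL_PROCESS (0x80000000)
}
```

Running inspect over a program whose final return is patched to SECCOMP_RET_KILL_THREAD (K = 0) reports killProcess as false, which is the fallback action to consider on a kernel that rejects the API level 3 action.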
