Seccomp filtering is a mechanism in the Linux kernel that restricts which syscalls your process may make. If your application is compromised or manipulated and tries to call one of the disabled syscalls, the kernel kills it (with SIGSYS) instead of executing the call. The filter is a process-wide allow-list: everything your runtime needs after the filter is loaded (memory allocation, stdio buffering, thread handling) has to be on the list too, not just the calls you think of as "yours".
For example, if your application needs to open its files at start-up but afterwards only appends to them, you can drop the open/openat syscalls once the files are open. An attacker who gains code execution later can still write to the already-open files, but can no longer open anything else.
There is a nice Nim module for this that is very easy to use: https://github.com/FedericoCeratto/nim-seccomp
import seccomp

proc dropRights() =
  # Anything not explicitly allowed below kills the process (the module's default action).
  let ctx = seccomp_ctx()
  ctx.add_rule(Allow, "write")        # used by fh.write and echo
  ctx.add_rule(Allow, "close")
  ctx.add_rule(Allow, "newfstatat")   # stdio stats the descriptor before buffering
  ctx.add_rule(Allow, "exit_group")   # normal process exit
  # ctx.add_rule(Allow, "mmap")       # needed as soon as you allocate seqs, strings etc.
  ctx.load()

# here open is still allowed
let fh = open("/tmp/foo", fmWrite)
dropRights() # from here on every syscall except the allowed ones kills the process
echo "[x] Rights dropped"
fh.write("write still works")
echo "[x] write works"
# This will fail, since we've dropped the rights above.
echo "[x] hacker tries to open another file:"
let fh2 = open("/tmp/baa", fmWrite)
The output:
Hint: /home/david/projects/nimPlayground/seccompt202401291758 [Exec]
[x] Rights dropped
[x] write works
[x] hacker tries to open another file:
Bad system call (core dumped)
Error: execution of an external program failed: '/home/david/projects/nimPlayground/seccompt202401291758
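To see what the Nim wrapper (via libseccomp) does behind the scenes, here is the same allow-list built by hand with the raw seccomp BPF API in C. This is an added example, not code from the page or from nim-seccomp; it assumes Linux on x86-64 or arm64 with the kernel headers installed, and the function names (build_allowlist, eval_filter, install_filter) and the constructed /tmp paths are mine. It makes two details explicit that the wrapper hides: the filter must check the architecture before it trusts the syscall number, and the action for an unlisted syscall can be "kill" (what the Nim program does) or "fail with errno", which is much easier to debug while you are still working out the allow-list.

```c
/* Added example, not code from the page or from nim-seccomp: the same kind of
 * allow-list built by hand with the raw seccomp BPF API that libseccomp (and so
 * the Nim wrapper) generates for you.  It makes two hidden details explicit:
 * the filter must check the architecture before trusting the syscall number,
 * and an unlisted syscall can either kill the process (as in the Nim program)
 * or fail with an errno.  Assumes Linux on x86-64 or arm64 with kernel headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "set FILTER_ARCH to the AUDIT_ARCH_* value of this architecture"
#endif
#define MAX_INSNS 64

/* Emit an allow-list filter into prog[]: arch check, load nr, one JEQ per
 * allowed syscall jumping to RET ALLOW, fall-through to RET default_action.
 * Returns the instruction count, or 0 if it does not fit. */
size_t build_allowlist(struct sock_filter *prog, size_t cap,
                       const int *allowed, size_t n, uint32_t default_action)
{
    size_t i = 0;
    if (n > 200 || cap < n + 6)
        return 0;
    /* Syscall numbers are per-ABI: without this check a 32-bit compat syscall
     * that happens to share a number with an allowed 64-bit one gets through. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)   /* jt is relative to the next instruction */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (uint32_t)allowed[k], (uint8_t)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, default_action);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Interpreter for the three cBPF forms the builder emits, so a filter can be
 * checked in user space before it is installed (unknown opcode: fail closed). */
uint32_t eval_filter(const struct sock_filter *p, size_t len, uint32_t arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (p[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)&d + p[pc].k, sizeof acc);
        else if (p[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf;
        else if (p[pc].code == (BPF_RET | BPF_K))
            return p[pc].k;
        else
            return SECCOMP_RET_KILL_PROCESS;
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* NO_NEW_PRIVS is mandatory for an unprivileged process; it also stops the
 * filter from being used to change the behaviour of a later setuid exec. */
int install_filter(const struct sock_filter *insns, size_t len)
{
    struct sock_fprog prog = { .len = (unsigned short)len,
                               .filter = (struct sock_filter *)insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    static struct sock_filter insns[MAX_INSNS];
    /* Same sequence as the Nim program: open first, then allow only write,
     * close and exit_group (what _exit() calls). Unlisted calls get EPERM. */
    const int allowed[] = { SYS_write, SYS_close, SYS_exit_group };
    int fd = open("/tmp/foo", O_WRONLY | O_CREAT | O_TRUNC, 0644);
    size_t len = build_allowlist(insns, MAX_INSNS, allowed, 3,
                                 SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    if (fd < 0 || len == 0 || install_filter(insns, len) != 0)
        return 1;
    write(fd, "write still works\n", 18);                        /* allowed */
    if (open("/tmp/baa", O_WRONLY | O_CREAT, 0644) < 0 && errno == EPERM)
        write(1, "second open refused: EPERM\n", 27);    /* openat not listed */
    close(fd);
    _exit(0);
}
```

Swap the default action for SECCOMP_RET_KILL_PROCESS and the second open dies with SIGSYS exactly like the Nim program; during development, RET_ERRNO (or strace, below) tells you which call you forgot to allow without losing the process. Note that after install_filter only raw write/close/_exit are safe here: printf or perror would need further syscalls that are not on the list.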
To find out which syscalls your application actually uses, run it under strace before you write the filter (add -f to follow threads and child processes, and -c for a per-syscall summary; remember the list also has to cover syscalls made by the runtime, not only by your own code):
strace ./yourApplication
[.....]
newfstatat(3, "", {st_mode=S_IFREG|0664, st_size=0, ...}, AT_EMPTY_PATH) = 0
write(1, "[x] write works\n", 16[x] write works
) = 16
write(1, "[x] hacker tries to open another"..., 39[x] hacker tries to open another file:
) = 39
openat(AT_FDCWD, "/tmp/baa", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0666) = 257 # <---------- here we try to use "openat"
+++ killed by SIGSYS (core dumped) +++ <--------- and here it is killed
Bad system call (core dumped)
[ble: exit 159]
The exit status 159 is 128 + 31, and 31 is SIGSYS on x86-64, so a process that dies with status 159 was killed by its seccomp filter. That is the thing to look for in service logs and core dumps when hunting for a syscall you forgot to allow.
There is also a nice talk about this by the German hacker FeFe, given at the CCC: https://www.youtube.com/watch?v=TaE28fJVPTk