Module seccomp_notify


Seccomp user notification (SECCOMP_RET_USER_NOTIF) support.

Seccomp user notification lets a supervisor process intercept selected syscalls from a sandboxed child and decide, in user space, how each one completes: continue it, fail it with an errno, or emulate it (for example by injecting a file descriptor the supervisor opened itself). This enables filesystem virtualization without user namespaces.

§Architecture

  1. Child installs a seccomp filter with SECCOMP_FILTER_FLAG_NEW_LISTENER
  2. This returns a “listener fd” which is passed to the parent via SCM_RIGHTS
  3. Parent polls the listener fd; when readable, calls SECCOMP_IOCTL_NOTIF_RECV
  4. Parent inspects the syscall and either:
    • Returns SECCOMP_USER_NOTIF_FLAG_CONTINUE to let it proceed unchanged
    • Returns a negative errno in the error field to deny it
    • Uses SECCOMP_IOCTL_NOTIF_ADDFD to inject a file descriptor into the child; with SECCOMP_ADDFD_FLAG_SEND this also answers the notification, and the new fd number becomes the syscall’s return value

§TOCTOU Protection

Between receiving a notification and responding, the child’s memory may change: the child may have been killed, or its syscall interrupted by a signal, after which the notification ID is no longer valid. Read what you need from the child (typically through /proc/<pid>/mem), then call SECCOMP_IOCTL_NOTIF_ID_VALID; respond only if the ID is still valid, and discard what was read otherwise. This check does not stop another thread of the child from rewriting argument memory after the supervisor has inspected it, so SECCOMP_USER_NOTIF_FLAG_CONTINUE must not be used for decisions that depend on inspected arguments: deny or emulate the syscall instead.
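The whole exchange, as an added example that is not part of this crate: a supervisor and a sandboxed child in one Rust binary, using hand-written libc bindings rather than this module’s wrappers. It assumes x86_64 or aarch64 Linux 5.14 or newer (SECCOMP_ADDFD_FLAG_SEND and EPOLLHUP on listener fds both exist there), glibc (whose open(3) issues the openat syscall the filter traps), ptrace access from parent to child (the default Yama scope), and struct layouts and ioctl numbers copied from the kernel UAPI headers. The child’s opens of /virtual/secret and /virtual/forbidden are constructed for the demo: the first is answered by injecting a file descriptor, the second is denied with EPERM, and every other openat() is continued. The listener fd reaches the parent through pidfd_getfd(2) instead of the SCM_RIGHTS hand-off in step 2, to avoid hand-rolling sendmsg/cmsg bindings; everything else follows the steps above, including the SECCOMP_IOCTL_NOTIF_ID_VALID check after the read of /proc/PID/mem.

```rust
// Added example, not the crate's own code: seccomp user-notification supervisor + sandboxed child
// in plain Rust with hand-written libc bindings (no external crates). Layouts and constants are assumed
// from <linux/seccomp.h>, <linux/filter.h> and <linux/audit.h>; needs x86_64 or aarch64 Linux 5.14+, glibc.
use std::fs::File;
use std::io::{BufRead, BufReader, Read};
use std::os::raw::{c_int, c_long, c_ulong};
use std::os::unix::fs::FileExt;
use std::os::unix::io::AsRawFd;
use std::process::{Command, Stdio};

extern "C" {
    fn syscall(num: c_long, ...) -> c_long;
    fn ioctl(fd: c_int, req: c_ulong, ...) -> c_int;
    fn prctl(opt: c_int, ...) -> c_int;
    fn poll(fds: *mut PollFd, nfds: c_ulong, timeout: c_int) -> c_int;
}
#[cfg(target_arch = "x86_64")] // (SYS_seccomp, SYS_openat, AUDIT_ARCH_X86_64)
const ARCH: (c_long, u32, u32) = (317, 257, 0xC000_003E);
#[cfg(target_arch = "aarch64")] // (SYS_seccomp, SYS_openat, AUDIT_ARCH_AARCH64)
const ARCH: (c_long, u32, u32) = (277, 56, 0xC000_00B7);
pub const SECCOMP_IOCTL_NOTIF_RECV: c_ulong = 0xC050_2100;     // _IOWR('!', 0, struct seccomp_notif)
pub const SECCOMP_IOCTL_NOTIF_SEND: c_ulong = 0xC018_2101;     // _IOWR('!', 1, struct seccomp_notif_resp)
pub const SECCOMP_IOCTL_NOTIF_ID_VALID: c_ulong = 0x4008_2102; // _IOW('!', 2, __u64)
pub const SECCOMP_IOCTL_NOTIF_ADDFD: c_ulong = 0x4018_2103;    // _IOW('!', 3, struct seccomp_notif_addfd)
#[repr(C)] #[derive(Default)] pub struct SeccompData { pub nr: i32, pub arch: u32, pub ip: u64, pub args: [u64; 6] }
#[repr(C)] #[derive(Default)] pub struct SeccompNotif { pub id: u64, pub pid: u32, pub flags: u32, pub data: SeccompData }
#[repr(C)] #[derive(Default)] pub struct SeccompNotifResp { pub id: u64, pub val: i64, pub error: i32, pub flags: u32 }
#[repr(C)] #[derive(Default)] pub struct SeccompNotifAddfd { pub id: u64, pub flags: u32, pub srcfd: u32, pub newfd: u32, pub newfd_flags: u32 }
#[repr(C)] #[derive(Debug, PartialEq)] pub struct SockFilter { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }
#[repr(C)] struct SockFprog { len: u16, filter: *const SockFilter }
#[repr(C)] struct PollFd { fd: c_int, events: i16, revents: i16 }

/// cBPF program: kill on a foreign arch, SECCOMP_RET_USER_NOTIF for syscall `nr`, allow everything else.
pub fn notif_filter(arch: u32, nr: u32) -> Vec<SockFilter> {
    let st = |code: u16, jt: u8, jf: u8, k: u32| SockFilter { code, jt, jf, k };
    vec![
        st(0x20, 0, 0, 4),           // BPF_LD|BPF_W|BPF_ABS   A = seccomp_data.arch
        st(0x15, 1, 0, arch),        // BPF_JMP|BPF_JEQ|BPF_K  arch matches -> skip the kill
        st(0x06, 0, 0, 0x8000_0000), // BPF_RET|BPF_K          SECCOMP_RET_KILL_PROCESS
        st(0x20, 0, 0, 0),           //                        A = seccomp_data.nr
        st(0x15, 0, 1, nr),          //                        nr matches -> notify, else allow
        st(0x06, 0, 0, 0x7fc0_0000), //                        SECCOMP_RET_USER_NOTIF
        st(0x06, 0, 0, 0x7fff_0000), //                        SECCOMP_RET_ALLOW
    ]
}
/// Sandboxed side: install the filter, report the listener fd number on stdout, then open two virtual paths.
fn child() -> ! {
    unsafe { prctl(38 /* PR_SET_NO_NEW_PRIVS */, 1 as c_ulong, 0 as c_ulong, 0 as c_ulong, 0 as c_ulong) };
    let prog = notif_filter(ARCH.2, ARCH.1);
    let fprog = SockFprog { len: prog.len() as u16, filter: prog.as_ptr() };
    let lfd = unsafe { syscall(ARCH.0, 1 as c_ulong /* SET_MODE_FILTER */, 8 as c_ulong /* NEW_LISTENER */, &fprog as *const SockFprog) };
    assert!(lfd >= 0, "seccomp(): {}", std::io::Error::last_os_error());
    println!("{lfd}"); // from here on every openat() blocks until the supervisor answers
    let mut text = String::new();
    let opened = File::open("/virtual/secret").and_then(|mut f| f.read_to_string(&mut text)).is_ok();
    let denied = File::open("/virtual/forbidden").err().and_then(|e| e.raw_os_error()) == Some(1 /* EPERM */);
    std::process::exit(if opened && text.starts_with("supervisor") && denied { 0 } else { 1 })
}
/// Supervisor side: poll, receive, read the child's argument memory, re-validate the id, then answer.
fn supervise(listener: c_int, pid: u32) {
    let mem = File::open(format!("/proc/{pid}/mem")).expect("open /proc/PID/mem");
    loop {
        let mut pfd = PollFd { fd: listener, events: 1 /* POLLIN */, revents: 0 };
        if unsafe { poll(&mut pfd, 1, -1) } < 0 || pfd.revents & 0x10 /* POLLHUP: child is gone */ != 0 { break; }
        let mut req = SeccompNotif::default(); // RECV rejects a non-zeroed struct
        if unsafe { ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &mut req as *mut SeccompNotif) } < 0 { continue; }
        let mut buf = [0u8; 256]; // the pathname lives in the child's memory at args[1]
        let n = mem.read_at(&mut buf, req.data.args[1]).unwrap_or(0);
        let path = String::from_utf8_lossy(&buf[..buf[..n].iter().position(|&b| b == 0).unwrap_or(n)]).into_owned();
        // TOCTOU check: if the child died or its syscall was interrupted, the id is dead and the bytes read are stale.
        if unsafe { ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id as *const u64) } < 0 { continue; }
        let mut resp = SeccompNotifResp { id: req.id, ..Default::default() };
        if path == "/virtual/secret" {
            // Virtualize: flags = 2 (SECCOMP_ADDFD_FLAG_SEND) installs the fd and answers in one ioctl; the new fd number is the openat() result.
            let tmp = std::env::temp_dir().join(format!("seccomp-notify-demo-{}", std::process::id()));
            std::fs::write(&tmp, "supervisor-provided contents\n").unwrap();
            let f = File::open(&tmp).unwrap();
            let add = SeccompNotifAddfd { id: req.id, flags: 2, srcfd: f.as_raw_fd() as u32, ..Default::default() };
            unsafe { ioctl(listener, SECCOMP_IOCTL_NOTIF_ADDFD, &add as *const SeccompNotifAddfd) };
            let _ = std::fs::remove_file(&tmp); // the child holds its own fd now
            continue;
        } else if path.starts_with("/virtual/") {
            resp.error = -1; // -EPERM: deny, the child's openat() fails
        } else {
            resp.flags = 1; // SECCOMP_USER_NOTIF_FLAG_CONTINUE: not ours, the kernel runs it unchanged
        }
        unsafe { ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp as *const SeccompNotifResp) };
    }
}

fn main() {
    if std::env::args().nth(1).as_deref() == Some("child") { child() }
    let mut c = Command::new(std::env::current_exe().unwrap()).arg("child").stdout(Stdio::piped()).spawn().unwrap();
    let mut line = String::new();
    BufReader::new(c.stdout.take().unwrap()).read_line(&mut line).unwrap();
    let lfd: c_long = line.trim().parse().expect("child did not report a listener fd");
    // Step 2 here uses pidfd_open(2) + pidfd_getfd(2) (Linux 5.6+) rather than SCM_RIGHTS, to avoid hand-rolled cmsg bindings.
    let pidfd = unsafe { syscall(434, c.id() as c_long, 0 as c_long) };
    let listener = unsafe { syscall(438, pidfd, lfd, 0 as c_long) } as c_int;
    assert!(listener >= 0, "pidfd_getfd(): {}", std::io::Error::last_os_error());
    supervise(listener, c.id());
    println!("{}", if c.wait().unwrap().success() { "virtualized open and denial worked" } else { "FAILED" });
}
```

Run the binary with no arguments; it re-executes itself with `child` as the sandboxed side. If seccomp() fails with EBUSY, the process already has a listener somewhere in its filter tree; if pidfd_getfd() fails with EPERM, ptrace access to the child is restricted. The supervisor exits its loop on POLLHUP, which the kernel raises once no task uses the filter any more, so a child that dies mid-syscall never leaves the parent blocked in SECCOMP_IOCTL_NOTIF_RECV.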

Structs§

SeccompData
Seccomp notification data (mirrors kernel struct seccomp_data).
SeccompNotif
Seccomp notification received from the child (mirrors kernel struct seccomp_notif).
SeccompNotifAddfd
Inject a file descriptor into the notifying process (mirrors kernel struct seccomp_notif_addfd).
SeccompNotifResp
Response to a seccomp notification (mirrors kernel struct seccomp_notif_resp).

Constants§

SECCOMP_ADDFD_FLAG_SEND
Atomically inject the fd and respond to the notification; the injected fd number becomes the syscall’s return value in the target.
SECCOMP_ADDFD_FLAG_SETFD
Install the fd at the number given in newfd in the target process, replacing any fd already open there (dup2 semantics).
SECCOMP_FILTER_FLAG_NEW_LISTENER
Flag for SECCOMP_SET_MODE_FILTER that makes seccomp(2) return a listener fd for the newly installed filter.
SECCOMP_IOCTL_NOTIF_ADDFD
ioctl to inject a file descriptor into the notifying process.
SECCOMP_IOCTL_NOTIF_ID_VALID
ioctl to check if a notification ID is still valid (TOCTOU protection).
SECCOMP_IOCTL_NOTIF_RECV
ioctl to receive a notification from the seccomp listener fd.
SECCOMP_IOCTL_NOTIF_SEND
ioctl to send a response to a seccomp notification.
SECCOMP_USER_NOTIF_FLAG_CONTINUE
Let the syscall proceed as-is (supervisor approves).

Functions§

notif_addfd
Inject a file descriptor into the notifying process.
notif_id_valid
Check if a notification ID is still valid.
notif_recv
Receive a notification from the seccomp listener fd.
notif_send
Send a response to a seccomp notification.
seccomp_set_mode_filter_listener
Install a seccomp filter with SECCOMP_FILTER_FLAG_NEW_LISTENER.