Constant libseccomp_sys::SECCOMP_USER_NOTIF_FLAG_CONTINUE
pub const SECCOMP_USER_NOTIF_FLAG_CONTINUE: u32 = 1;
Tell the kernel to execute the target's system call.

From linux/seccomp.h:

Note, the SECCOMP_USER_NOTIF_FLAG_CONTINUE flag must be used with caution! If set by the process supervising the syscalls of another process the syscall will continue. This is problematic because of an inherent TOCTOU. An attacker can exploit the time while the supervised process is waiting on a response from the supervising process to rewrite syscall arguments which are passed as pointers of the intercepted syscall. It should be absolutely clear that this means that the seccomp notifier cannot be used to implement a security policy! It should only ever be used in scenarios where a more privileged process supervises the syscalls of a lesser privileged process to get around kernel-enforced security restrictions when the privileged process deems this safe. In other words, in order to continue a syscall the supervising process should be sure that another security mechanism or the kernel itself will sufficiently block syscalls if arguments are rewritten to something unsafe.

Similar precautions should be applied when stacking SECCOMP_RET_USER_NOTIF or SECCOMP_RET_TRACE. For SECCOMP_RET_USER_NOTIF filters acting on the same syscall, the most recently added filter takes precedence. This means that the new SECCOMP_RET_USER_NOTIF filter can override any SECCOMP_IOCTL_NOTIF_SEND from earlier filters, essentially allowing all such filtered syscalls to be executed by sending the response SECCOMP_USER_NOTIF_FLAG_CONTINUE. Note that SECCOMP_RET_TRACE can equally be overridden by SECCOMP_USER_NOTIF_FLAG_CONTINUE.
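As an added example (not libseccomp-sys code, and not linked against libseccomp), the supervisor-side decision for one notification, written so that CONTINUE is only ever sent where the warning above cannot bite: syscalls whose arguments are all passed by value. The struct layouts follow linux/seccomp.h; the x86_64 syscall numbers and the tiny allow-list are assumptions for illustration.

```rust
// Added example (not libseccomp-sys code): the supervisor-side decision for one
// seccomp user notification. Layouts follow <linux/seccomp.h>; the syscall
// numbers assume x86_64 and the allow-list is illustrative.
pub const SECCOMP_USER_NOTIF_FLAG_CONTINUE: u32 = 1;
const EPERM: i32 = 1;
pub const SYS_GETPID: i32 = 39; // x86_64; every argument is passed by value
pub const SYS_OPENAT: i32 = 257; // x86_64; arg1 is a pathname pointer in the target

#[repr(C)]
pub struct SeccompData { pub nr: i32, pub arch: u32, pub instruction_pointer: u64, pub args: [u64; 6] }
#[repr(C)]
pub struct SeccompNotif { pub id: u64, pub pid: u32, pub flags: u32, pub data: SeccompData }
#[repr(C)]
#[derive(Debug, PartialEq, Eq)]
pub struct SeccompNotifResp { pub id: u64, pub val: i64, pub error: i32, pub flags: u32 }

/// Constructed notification, shaped as SECCOMP_IOCTL_NOTIF_RECV would fill it in.
pub fn notif(id: u64, nr: i32, args: [u64; 6]) -> SeccompNotif {
    SeccompNotif { id, pid: 4242, flags: 0, data: SeccompData { nr, arch: 0, instruction_pointer: 0, args } }
}

/// True when the syscall carries no pointer into the target's memory, so there
/// is nothing the target can rewrite while it is blocked waiting on our answer.
pub fn args_passed_by_value(nr: i32) -> bool {
    matches!(nr, SYS_GETPID)
}

/// Build the response. CONTINUE is returned only where there is nothing to race
/// on; a syscall with pointer arguments is denied with -EPERM rather than being
/// inspected and then continued, which is the TOCTOU the header warns about.
pub fn decide(n: &SeccompNotif) -> SeccompNotifResp {
    if args_passed_by_value(n.data.nr) {
        SeccompNotifResp { id: n.id, val: 0, error: 0, flags: SECCOMP_USER_NOTIF_FLAG_CONTINUE }
    } else {
        SeccompNotifResp { id: n.id, val: 0, error: -EPERM, flags: 0 }
    }
}

/// The kernel rejects with EINVAL a CONTINUE response that also sets val or error.
pub fn response_is_well_formed(r: &SeccompNotifResp) -> bool {
    r.flags & SECCOMP_USER_NOTIF_FLAG_CONTINUE == 0 || (r.val == 0 && r.error == 0)
}

fn main() {
    for (id, nr) in [(1, SYS_GETPID), (2, SYS_OPENAT)] {
        let resp = decide(&notif(id, nr, [0; 6]));
        println!("nr {nr}: {:?} well-formed={}", resp, response_is_well_formed(&resp));
    }
}
```

A real supervisor would read the notification with SECCOMP_IOCTL_NOTIF_RECV and write the response with SECCOMP_IOCTL_NOTIF_SEND; the pointer-argument case it wants to permit should be emulated in the supervisor rather than continued.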