libseccomp 似乎没有按预期工作

/*
 * Build a seccomp-BPF filter that kills on fork(2), vfork(2) and kill(2) and
 * allows every other syscall (default action SCMP_ACT_ALLOW).
 *
 * _config: not used in the part of the function shown here.
 * Returns LOAD_SECCOMP_FAILED if the filter context cannot be created or a
 * rule cannot be added. The success path (the seccomp_load() call, the
 * release of ctx and the return value) is not shown in this excerpt.
 *
 * NOTE(review): this is a deny-list on top of a default-allow policy, so
 * anything not named below is permitted. Only the raw fork/vfork syscall
 * numbers are blocked; on current glibc/Linux the fork()/vfork() library
 * calls are normally issued as clone()/clone3(), which are not listed here,
 * so this filter is unlikely to stop process creation — confirm with
 * `strace -f -e trace=process`. A default-deny filter (seccomp_init with
 * SCMP_ACT_KILL or SCMP_ACT_ERRNO) plus an explicit allow-list is the
 * robust shape for a sandbox. Also, SCMP_ACT_KILL terminates only the
 * calling thread; SCMP_ACT_KILL_PROCESS terminates the whole process.
 */
int python_seccomp_rules(struct config *_config)
{
    // Syscalls blacklist array: syscall numbers resolved by libseccomp
    // for the build architecture.
    int syscalls_blacklist[] = {
        SCMP_SYS(fork), SCMP_SYS(vfork), SCMP_SYS(kill)
    };

    // Initializing seccomp context with ALLOW as the default action:
    // every syscall not matched by a rule below passes through unchanged.
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!ctx)
    {
        return LOAD_SECCOMP_FAILED;
    }

    // Blacklist specified syscalls. The trailing 0 is the argument-comparison
    // count, so each rule matches every invocation of that syscall regardless
    // of its arguments.
    int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
    for (int i = 0; i < syscalls_blacklist_length; i++)
    {
        if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0)
        {
            // Free the partially built filter context before reporting failure.
            seccomp_release(ctx);
            return LOAD_SECCOMP_FAILED;
        }
    }
    
    // load seccomp into the kernel — seccomp_load(ctx) and the closing brace
    // are not shown in this excerpt. ctx must still be released after the
    // load; the kernel keeps its own copy of the filter.

当我使用 strace 命令跟踪它时,我得到了以下输出(注意:前面那些第三个参数为 NULL、返回 EINVAL/EFAULT 的 seccomp() 调用是 libseccomp 在探测内核支持哪些标志和动作,并不是错误;最后一条带有真实 filter 指针的 SECCOMP_SET_MODE_FILTER 返回 0,而且之前的 prctl(PR_SET_NO_NEW_PRIVS, 1) 也成功了,说明过滤器确实已经加载进内核):

6885  15:57:14 seccomp(SECCOMP_SET_MODE_STRICT, 0x1, NULL) = -1 EINVAL (Invalid argument)
6885  15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, NULL) = -1 EFAULT (Bad address)
6885  15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, NULL) = -1 EFAULT (Bad address)
6885  15:57:14 seccomp(SECCOMP_GET_ACTION_AVAIL, 0, [SECCOMP_RET_LOG]) = 0
6885  15:57:14 seccomp(SECCOMP_GET_ACTION_AVAIL, 0, [SECCOMP_RET_KILL_PROCESS]) = 0
6885  15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_SPEC_ALLOW, NULL) = -1 EFAULT (Bad address)
6885  15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, NULL) = -1 EFAULT (Bad address)
6885  15:57:14 seccomp(SECCOMP_GET_NOTIF_SIZES, 0, {seccomp_notif=80, seccomp_notif_resp=24, seccomp_data=64}) = 0
6885  15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC_ESRCH, NULL) = -1 EFAULT (Bad address)
6885  15:57:14 prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
6885  15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=30, filter=0x55a7aaa8b490}) = 0
