kewde / electron-sandbox-boilerplate

A simple example for a (more reasonably) secure electron application, by enabling the sandbox and forcing communication over IPC.
MIT License

Verifying that seccomp-bpf is running #11

Closed kewde closed 6 years ago

kewde commented 6 years ago

One of the things I'd like to be able to do is test whether or not the renderer process is sandboxed. The Linux version uses two sandboxing techniques, namely seccomp-bpf & user namespaces.

I will be pouring anything I can figure out about it in this issue.


Get a list of the syscalls of 'whoami'.

strace -c -f -S name whoami 2>&1 1>/dev/null | tail -n +3 | head -n -2 | awk '{print $(NF)}'

Can be used to build the seccomp-bpf profile (source)

Not very useful in figuring out if it's enabled, but interesting nonetheless.

kewde commented 6 years ago

Found it, thanks to Michael Kerrisk.

Replace the PID with the renderer process pid.

cat /proc/PID/status | grep "Seccomp"

Modes (2 is the one you want for renderer processes)

0 //  SECCOMP_MODE_DISABLED
1 //  SECCOMP_MODE_STRICT
2 //  SECCOMP_MODE_FILTER
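
The check above, extended to every thread of a process, as an added example that is not part of the original issue or the project's code. Seccomp state is per thread, so the script reads `/proc/PID/task/*/status` instead of only `/proc/PID/status`; the `PROC_ROOT` variable and the function names are assumptions of this example, as is finding renderers through Chromium's `--type=renderer` command-line flag.

```shell
#!/usr/bin/env bash
# Added example: verify that every thread of a process runs under a seccomp filter.
# Usage (assumes renderer command lines carry Chromium's --type=renderer flag):
#   ./check-seccomp.sh $(pgrep -f -- '--type=renderer')

PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so the check can run on a constructed tree

# Print the numeric "Seccomp:" value from a status file; fail if the field is absent.
seccomp_mode() {
    awk '$1 == "Seccomp:" { print $2; found = 1; exit }
         END { if (!found) exit 1 }' "$1" 2>/dev/null
}

seccomp_mode_name() {
    case "$1" in
        0) echo SECCOMP_MODE_DISABLED ;;
        1) echo SECCOMP_MODE_STRICT ;;
        2) echo SECCOMP_MODE_FILTER ;;
        *) echo UNKNOWN ;;
    esac
}

# Return 0 only if every thread of PID is in mode 2 (filter).
# Return 1 if any thread is unfiltered, 2 if the process has no visible threads.
check_pid() {
    local pid="$1" status mode rc=0 seen=0
    for status in "$PROC_ROOT/$pid"/task/*/status; do
        [ -e "$status" ] || continue        # unmatched glob or thread already gone
        seen=1
        if ! mode=$(seccomp_mode "$status"); then
            echo "$status: no Seccomp field" >&2; rc=1; continue
        fi
        if [ "$mode" != "2" ]; then
            echo "$status: Seccomp=$mode ($(seccomp_mode_name "$mode"))" >&2; rc=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "pid $pid: no threads found" >&2; return 2; }
    return "$rc"
}

# Stand-alone mode: check each PID given on the command line.
if [ "$#" -gt 0 ]; then
    fail=0
    for pid in "$@"; do
        if check_pid "$pid"; then echo "pid $pid: all threads filtered"; else fail=1; fi
    done
    exit "$fail"
fi
```
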