Hi! I'm the author of extrasafe, a Rust wrapper around seccomp (and soon landlock as well, hopefully). I'm looking to switch from libseccomp-rs to seccompiler, mostly to make static compilation easier.
libseccomp supports the SECCOMP_FILTER_FLAG_TSYNC flag, which is a flag you can pass when calling the seccomp syscall directly. It allows you to apply the current seccomp filter to all running threads (TSYNC = thread sync).
Libseccomp achieves this by calling the seccomp syscall directly. It seems that seccompiler uses prctrl to enable seccomp, so in addition to adding a new flag to seccompiler::apply_filter, it would also need to be modified to call the syscall itself rather than using prctl.
If you'd be open to accepting a patch I'd be glad to make it - maybe just extracting the body of apply_filter into a new function apply_filter_with_flags, changing it to use the seccomp syscall, and then having apply_filter just proxy to apply_filter_with_flags with empty flags.
If you have a better design or don't want to support it at all, that's fine, just let me know!
Just for reference (mostly for me), here's a convenient link to the seccomp syscall manpage
Hi! I'm the author of extrasafe, a Rust wrapper around seccomp (and soon landlock as well, hopefully). I'm looking to switch from libseccomp-rs to seccompiler, mostly to make static compilation easier.
libseccomp supports the SECCOMP_FILTER_FLAG_TSYNC flag, which is a flag you can pass when calling the seccomp syscall directly. It allows you to apply the current seccomp filter to all running threads (TSYNC = thread sync).
Libseccomp achieves this by calling the seccomp syscall directly. It seems that seccompiler uses prctrl to enable seccomp, so in addition to adding a new flag to
seccompiler::apply_filter, it would also need to be modified to call the syscall itself rather than using prctl.If you'd be open to accepting a patch I'd be glad to make it - maybe just extracting the body of apply_filter into a new function
apply_filter_with_flags, changing it to use the seccomp syscall, and then having apply_filter just proxy toapply_filter_with_flagswith empty flags.If you have a better design or don't want to support it at all, that's fine, just let me know!
Just for reference (mostly for me), here's a convenient link to the seccomp syscall manpage
And here's the libseccomp code that calls the seccomp syscall directly, passing in the flags. See the few lines above it for where the flags are set: https://github.com/seccomp/libseccomp/blob/f1c3196d9b95de22dde8f23c5befcbeabef5711c/src/system.c#L414