Closed norway5354 closed 2 years ago
Hi @norway5354.
No, once a seccomp filter is loaded into the kernel it can not be modified. However, it is possible to load additional seccomp filters into the kernel for a given process assuming that the seccomp loading mechanisms, e.g. seccomp(2) or prctl(2), have not been blocked by any of the existing seccomp filters.
When multiple seccomp filters are loaded into the kernel each filter is evaluated on every syscall invocation and the "most restrictive" filter result is the action taken by the kernel, for example a KILL action is taken over an ALLOW action.
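The stacking behaviour described in the reply above, as an added example that is not part of the original thread or of any project's code: a child process loads a restrictive filter through prctl(2), then a second filter that allows the same syscall, and the restrictive result still applies. The names `add_filter` and `stacked_filters_demo` are hypothetical, getppid(2) is used only as a harmless probe syscall, and ERRNO stands in for KILL so the outcome can be observed without terminating the process.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* Load a filter returning `action` for getppid(2) and ALLOW for the rest.
 * Demo only: a production filter must also validate seccomp_data.arch. */
static int add_filter(unsigned int action)
{
    struct sock_filter code[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, action),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = code };
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 1 if the restrictive filter still wins after an ALLOW filter is
 * stacked on top, 0 if it was relaxed, -1 if seccomp is unavailable here. */
int stacked_filters_demo(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                /* child: gets the filters */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            add_filter(SECCOMP_RET_ERRNO | EPERM) ||   /* filter 1: deny  */
            add_filter(SECCOMP_RET_ALLOW))             /* filter 2: allow */
            _exit(2);
        errno = 0;
        _exit(syscall(SYS_getppid) == -1 && errno == EPERM ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void)
{
    printf("restrictive filter still enforced: %d\n", stacked_filters_demo());
    return 0;
}
```

The second `add_filter` call succeeds only because the first filter does not block prctl(2); a filter that denies seccomp(2) and prctl(2) would prevent any further stacking.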
OK, thank you for your reply!
You're welcome @norway5354, if you have any more questions feel free to enter new issues. Thanks!
If a process with a seccomp filter is already running in memory, can I modify the seccomp filter of this process remotely by programming? This may involve process injection. Thank you!