valoq / bwscripts

Bubblewrap example scripts
GNU Lesser General Public License v2.1

The exportFilter.c seccomp filter doesn't work. #1

Closed madaidan closed 4 years ago

madaidan commented 5 years ago

Hi,

I would love to be able to use seccomp with bubblewrap but I have no experience in creating seccomp filters so your filter template looked great for me.

When I compile it with gcc exportFilter.c -lseccomp -o exportFilter and create a sandbox with it by running bwrap --dev-bind / / --seccomp 10 10< exportFilter bash, I get an error from bubblewrap that says,

bwrap: prctl(PR_SET_SECCOMP): Invalid argument

It then quits and doesn't create the sandbox. Using your precompiled seccomp filter works but I would like to create my own.

Is there something wrong with the way I did it or is there an error in the filter?

valoq commented 4 years ago

exportFilter.c does not create the seccomp filter directly. It creates a small binary that can be executed to create the filter list. The list can then be found at /tmp/seccomp_filter.bpf.

madaidan commented 4 years ago

Ah, thanks! Now it works.

chriscroome commented 2 years ago

I thought I'd try to also generate my own seccomp_filter.bpf file, this is as far as I have got (on Debian bookworm):

sudo apt install libseccomp-dev # to provide seccomp.h
git clone https://github.com/valoq/bwscripts.git
cd bwscripts
gcc exportFilter.c -lseccomp -o exportFilter
./exportFilter

This results in the exportFilter binary but running it doesn't create a /tmp/seccomp_filter.bpf file -- I'm clearly missing something fundamental here?

valoq commented 1 year ago

The current version will create the seccomp_filter.bpf file in your working directory instead.
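
Added example (not part of the thread or of bwscripts): a small C check for the mix-up discussed above, where the compiled exportFilter executable rather than the exported seccomp_filter.bpf is handed to bwrap --seccomp. It tests a file for the properties a classic-BPF seccomp program has (8-byte instructions, at most 4096 of them, a return as the last instruction); the names check_filter and check_sample and the two-instruction sample are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same 8-byte layout as the kernel's struct sock_filter, host byte order. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define MAX_INSNS 4096                      /* kernel limit, BPF_MAXINSNS */
#define MAX_BYTES (MAX_INSNS * sizeof(struct insn))

enum verdict { FILTER_OK, IS_ELF, BAD_LENGTH, TOO_LONG, NO_FINAL_RET };
static const char *const verdict_text[] = {
    "plausible seccomp BPF program", "ELF executable, not a filter",
    "length is not a non-zero multiple of 8", "more than 4096 instructions",
    "last instruction is not a BPF return" };

enum verdict check_filter(const unsigned char *buf, size_t len)
{
    struct insn last;
    if (len >= 4 && memcmp(buf, "\177ELF", 4) == 0)
        return IS_ELF;          /* e.g. the compiled exportFilter binary */
    if (len == 0 || len % sizeof(struct insn) != 0) return BAD_LENGTH;
    if (len > MAX_BYTES) return TOO_LONG;
    memcpy(&last, buf + len - sizeof last, sizeof last);
    if (last.code != 0x06 && last.code != 0x16) /* BPF_RET|BPF_K, BPF_RET|BPF_A */
        return NO_FINAL_RET;
    return FILTER_OK;
}

/* Constructed sample: load the syscall number, then SECCOMP_RET_ALLOW. */
static const struct insn sample[] = { { 0x20, 0, 0, 0 }, { 0x06, 0, 0, 0x7fff0000u } };

enum verdict check_sample(size_t nbytes)    /* check the first nbytes of sample */
{
    unsigned char raw[sizeof sample];
    memcpy(raw, sample, sizeof raw);
    return check_filter(raw, nbytes);
}

int main(int argc, char **argv)
{
    static unsigned char buf[MAX_BYTES + sizeof(struct insn)];
    enum verdict v = check_sample(sizeof sample);
    if (argc > 1) {                         /* path to the file meant for --seccomp */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        v = check_filter(buf, fread(buf, 1, sizeof buf, f));
        fclose(f);
    }
    printf("%s\n", verdict_text[v]);
    return v == FILTER_OK ? 0 : 1;
}
```

Run it with the path of the file you intend to pass to bwrap; without an argument it checks the constructed sample. A passing result only means the file has the shape of a filter, not that its policy is the one you want.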