Trips its own execve call

[obadz]

Looks like syscall_limiter can't prevent the process it's trying to limit from using execve since it needs to use execve itself:

$ LIMIT_SYSCALLS_DEFAULT_ACTION=a ./result/bin/limit_syscalls execve,e1 -- `which python` -c 'print("hi");'
execve: Operation not permitted
`

[vi]

Yes, it is a limitation.

As far as I understand, seccomp filter must be stateless and can't refer to any memory, so it's not possible to allow first execve, but not subsequent.

Similar problem is that dynamic loader uses a lot of various syscalls that you may not need later, but it's not possible to make already installed filter to discriminate between dynamic loader and the application itself.

I see one workaround: LD_PRELOAD the syscall limiter into application and apply the rules after the application has already started (for example, on setuid call). It is less safe. Maybe I'll try to implement it.

[obadz]

That would be cool.

(Btw, I've just packaged syscall_limiter for NixOS: NixOS/nixpkgs#12160)

[vi]

Looks like it's the my project ever packaged for a distribution (unless there some which I don't know).

Note that syscall_limiter also has a sub-project writelimiter. Maybe that can be useful for somebody too...