Re: [libseccomp-discuss] ANN: libseccomp

From: Paul Moore
Date: Mon Apr 16 2012 - 10:09:52 EST

On Saturday, April 14, 2012 10:10:28 AM David Windsor wrote:
> Out of curiosity, are there any current efforts towards creating a "learning
> mode" type of application for seccomp? I.e. creating a profile for a
> particular application based upon which syscalls it makes during normal
> operation. I realize that many people consider this a security anti-
> pattern, but it could be useful for the initial creation of a seccomp filter
> for a particular application, and other security subsystems already do this
> (ala AppArmor's learning/complain mode). IIUC, no other kernel mechanisms
> would need to be created; ptrace could accomplish syscall monitoring.

I'm not aware of any serious efforts, but as Kees already pointed out, his
seccomp tutorial could be extended to do something similar to what you
describe. Kees' tutorial uses raw BPF, but the same basic principles would
work with libseccomp as well if you wanted a higher level interface.

The libseccomp sources also contain a simple little script which runs an
application via strace and presents a slightly cleaned up version of the
strace report which shows the syscalls, their frequency (important if you want
to tune the seccomp filter), and some of the arguments you're likely to want
to filter on. Simple example:

# ./tools/sys_inspector -h
usage ./tools/sys_inspector [-f] [-a] [-o <file>] <command> [<args>]
# ./tools/sys_inspector -f /bin/true
Syscall Report ("/bin/true")
freq syscall
8 mmap
4 mprotect
2 open
2 fstat
2 close
1 read
1 munmap
1 exit_group
1 execve
1 brk
1 arch_prctl
1 access

paul moore

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at