
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
2 answers
104 views
Sudo doesn't work in my C wrapper
I’m trying to write a C wrapper to run a bash process. The goal of this wrapper is to apply a seccomp policy to restrict certain syscalls. Here is the code:
```
#define _GNU_SOURCE
#include <errno.h>    /* EPERM */
#include <seccomp.h>  /* libseccomp: seccomp_init, seccomp_rule_add, ... */
#include <stdio.h>    /* perror */
#include <stdlib.h>   /* exit, EXIT_FAILURE */
#include <unistd.h>   /* execl */

// Function to apply seccomp filter
void apply_seccomp_filter(void) {
    scmp_filter_ctx ctx;

    // Initialize seccomp context with default allow policy
    ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL) {
        perror("seccomp_init");
        exit(EXIT_FAILURE);
    }

    // Block finit_module syscall
    if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(finit_module), 0) < 0) {
        perror("seccomp_rule_add: finit_module");
        seccomp_release(ctx);
        exit(EXIT_FAILURE);
    }

    // Load the filter
    if (seccomp_load(ctx) < 0) {
        perror("seccomp_load");
        seccomp_release(ctx);
        exit(EXIT_FAILURE);
    }

    seccomp_release(ctx);
}

int main(void) {
    apply_seccomp_filter();
    execl("/bin/bash", "bash", NULL);
    perror("execl");
    return EXIT_FAILURE;
}
```
The code works fine to block the syscall, but when I try to run sudo, I get this message:
```
sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
sudo: If sudo is running in a container, you may need to adjust the container configuration to disable the flag.
```
Do you know how to disable this flag? All the answers I find online are related to containers like Docker, but that’s not my case. Thanks in advance for your help!
Liric Ramer (85 rep)
Jun 16, 2025, 03:07 PM • Last activity: Jun 17, 2025, 10:08 AM
0 votes
1 answers
1016 views
How to make a restrictive syscall *whitelist* with systemd-nspawn?
I'm trying to lock down a container using `systemd-nspawn`, so that *only* the specific syscalls I whitelist are allowed. Per the documentation, there's a pretty lax filter in place by default, consisting of a large whitelist of hundreds of different system calls. There's a unit option `SystemCallFilter=`, which claims to allow you to blacklist or whitelist specific calls. I tried it out, putting a single syscall on there and expecting complete failure:
```
[Exec]
...
# We use way more syscalls than this! This whitelist should fail, but it doesn't because it's not a real whitelist.
SystemCallFilter=open,write,close
...
```
Instead, the program runs just fine. I can get it to fail if I explicitly disallow a syscall I know is in use:
```
[Exec]
...
# This actually fails, because open's been explicitly blacklisted.
SystemCallFilter=~open,~write
...
```
Also, because the blacklist takes precedence over the "whitelist," I can't just disable everything and then turn back on only the ones I need; the whitelist is just ignored:
```
[Exec]
...
# Doesn't work, as ~@default takes precedence over the allowlist so *nothing* is allowed
SystemCallFilter=~@default
# full list is much longer and generated automatically from a docker seccomp .json
SystemCallFilter=open,write,close,...
```
Is there a way to achieve the functionality I want? I really don't want to maintain a blacklist of all of the hundreds of syscalls on the default allowlist, which seems like the only way to do it currently.
SwarmOfBees (1 rep)
Aug 14, 2023, 08:05 PM • Last activity: Nov 23, 2023, 10:21 PM
3 votes
1 answers
1044 views
How to debug systemd seccomp SystemCallFilter unit-name.service: Main process exited, code=killed, status=31/SYS?
systemd unit file:
```
[Service]
SystemCallFilter=[...]
```
Error message:

> unit-name.service: Main process exited, code=killed, status=31/SYS

How to find out which system call is missing in the whitelist?
adrelanos (1956 rep)
Apr 28, 2021, 11:45 AM • Last activity: Feb 15, 2022, 07:32 PM
0 votes
1 answers
379 views
seccomp vs bcc for syscall interception
How can I use seccomp and the prctl syscall vs bcc to intercept syscalls? Is there another way to achieve this goal with bcc? I know that it is possible with pure eBPF code in C, but it is too difficult to understand and use, and I want to use bcc for it.
Mostafa Sarmad (11 rep)
May 10, 2021, 11:24 AM • Last activity: May 10, 2021, 11:43 AM
0 votes
1 answers
2161 views
Invalid system call error when executing file command
I noticed a strange thing. When I run the `file` command as a regular user, I always get an invalid system call error. For example in zsh:
```
$ file ~/.zshrc
[1]    18553 invalid system call  file ~/.zshrc
```
Or in bash / dash / sh:
```
$ file ~/.bashrc
Bad system call
```
It does not depend on the target file, wm environment (happens in tty as well) and seems to not depend on the shell either. The only way to avoid this error is to run the command as root or with sudo:
```
$ sudo file ~/.bashrc
/home/user/.bashrc: ASCII text
```
It doesn't look like expected behaviour. Does anyone know what can cause this issue? I have no idea how to proceed in debugging this. Any comment or link could be useful because I didn't find anything related directly to the file command, which seems to be only one command affected by this.

**Edit 1**

ls and df commands work as expected.
```
$ ls -alGg .bashrc
-rw-r--r-- 1 603 31. led 11.09 .bashrc

$ df -h .
Filesystem      Size  Used Avail Use% Mounted on
/dev/nvme0n1p5  420G  419G  1.5G 100% /home
```
file command I use:
```
$ whereis file
file: /usr/bin/file /usr/share/man/man1/file.1.bz2 /usr/share/man/man1p/file.1p.bz2 /usr/share/man/mann/file.n.bz2
$ which file
/usr/bin/file
$ command -v file
/usr/bin/file
$ file -v
file-5.39
magic file from /usr/share/misc/magic
seccomp support included
```
**Edit 2**

I use Gentoo and figured out that when I compile [file](https://packages.gentoo.org/packages/sys-apps/file) package without [seccomp](https://gitweb.gentoo.org/repo/gentoo.git/tree/sys-apps/file/file-5.39-r3.ebuild#n64) USE flag, it works fine.

**Edit 3**
$ strace file ~/.bashrc

execve("/usr/bin/file", ["file", "/home/user/.bashrc"], 0x7fff74d08c58 /* 74 vars */) = 0
brk(NULL)                               = 0x55e04e3e3000
openat(AT_FDCWD, "/usr/lib64/libgio-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\270\3\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1857608, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff54a543000
mmap(NULL, 1867584, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff54a37b000
mprotect(0x7ff54a3b3000, 1593344, PROT_NONE) = 0
mmap(0x7ff54a3b3000, 1040384, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x38000) = 0x7ff54a3b3000
mmap(0x7ff54a4b1000, 548864, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x136000) = 0x7ff54a4b1000
mmap(0x7ff54a538000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bc000) = 0x7ff54a538000
mmap(0x7ff54a542000, 3904, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff54a542000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib64/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\315\1\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1201032, ...}) = 0
mmap(NULL, 1206440, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff54a254000
mprotect(0x7ff54a270000, 1081344, PROT_NONE) = 0
mmap(0x7ff54a270000, 532480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x7ff54a270000
mmap(0x7ff54a2f2000, 544768, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9e000) = 0x7ff54a2f2000
mmap(0x7ff54a378000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x123000) = 0x7ff54a378000
mmap(0x7ff54a37a000, 2216, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff54a37a000
close(3)                                = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=218596, ...}) = 0
mmap(NULL, 218596, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff54a21e000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib64/libmagic.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0PG\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=158712, ...}) = 0
mmap(NULL, 161688, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff54a1f6000
mmap(0x7ff54a1fa000, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7ff54a1fa000
mmap(0x7ff54a213000, 36864, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d000) = 0x7ff54a213000
mmap(0x7ff54a21c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7ff54a21c000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib64/libseccomp.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320Q\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=309280, ...}) = 0
mmap(NULL, 311568, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff54a1a9000
mmap(0x7ff54a1ce000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7ff54a1ce000
mmap(0x7ff54a1d8000, 16384, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2f000) = 0x7ff54a1d8000
mmap(0x7ff54a1dc000, 106496, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32000) = 0x7ff54a1dc000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0@\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1798224, ...}) = 0
mmap(NULL, 1811664, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549fee000
mmap(0x7ff54a010000, 1327104, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x22000) = 0x7ff54a010000
mmap(0x7ff54a154000, 307200, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x166000) = 0x7ff54a154000
mmap(0x7ff54a19f000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b0000) = 0x7ff54a19f000
mmap(0x7ff54a1a5000, 13520, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff54a1a5000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib64/libgobject-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\347\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=379696, ...}) = 0
mmap(NULL, 384776, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549f90000
mmap(0x7ff549f9e000, 212992, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe000) = 0x7ff549f9e000
mmap(0x7ff549fd2000, 98304, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x42000) = 0x7ff549fd2000
mmap(0x7ff549fea000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x59000) = 0x7ff549fea000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib64/libgmodule-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\22\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18472, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff549f8e000
mmap(NULL, 20888, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549f88000
mmap(0x7ff549f89000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7ff549f89000
mmap(0x7ff549f8b000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ff549f8b000
mmap(0x7ff549f8c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ff549f8c000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0203\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=100592, ...}) = 0
mmap(NULL, 102800, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549f6e000
mmap(0x7ff549f71000, 57344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7ff549f71000
mmap(0x7ff549f7f000, 28672, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x11000) = 0x7ff549f7f000
mmap(0x7ff549f86000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7ff549f86000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libmount.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\332\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=382776, ...}) = 0
mmap(NULL, 385800, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549f0f000
mprotect(0x7ff549f1b000, 327680, PROT_NONE) = 0
mmap(0x7ff549f1b000, 245760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7ff549f1b000
mmap(0x7ff549f57000, 77824, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x48000) = 0x7ff549f57000
mmap(0x7ff549f6b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5b000) = 0x7ff549f6b000
mmap(0x7ff549f6d000, 776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff549f6d000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260C\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=84528, ...}) = 0
mmap(NULL, 96896, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549ef7000
mprotect(0x7ff549efb000, 65536, PROT_NONE) = 0
mmap(0x7ff549efb000, 49152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x7ff549efb000
mmap(0x7ff549f07000, 12288, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x7ff549f07000
mmap(0x7ff549f0b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13000) = 0x7ff549f0b000
mmap(0x7ff549f0d000, 6784, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff549f0d000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360k\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=148000, ...}) = 0
mmap(NULL, 128088, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549ed7000
mmap(0x7ff549edd000, 61440, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7ff549edd000
mmap(0x7ff549eec000, 20480, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7ff549eec000
mmap(0x7ff549ef1000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19000) = 0x7ff549ef1000
mmap(0x7ff549ef3000, 13400, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7ff549ef3000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360!\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=460856, ...}) = 0
mmap(NULL, 463336, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549e65000
mmap(0x7ff549e67000, 327680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7ff549e67000
mmap(0x7ff549eb7000, 122880, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x52000) = 0x7ff549eb7000
mmap(0x7ff549ed5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6f000) = 0x7ff549ed5000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libbz2.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\"\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=74904, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff549e63000
mmap(NULL, 77192, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549e50000
mmap(0x7ff549e52000, 53248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7ff549e52000
mmap(0x7ff549e5f000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf000) = 0x7ff549e5f000
mmap(0x7ff549e61000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x10000) = 0x7ff549e61000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib64/libffi.so.7", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\"\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=43280, ...}) = 0
mmap(NULL, 46728, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549e44000
mprotect(0x7ff549e46000, 32768, PROT_NONE) = 0
mmap(0x7ff549e46000, 24576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7ff549e46000
mmap(0x7ff549e4c000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8000) = 0x7ff549e4c000
mmap(0x7ff549e4e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7ff549e4e000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\21\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14320, ...}) = 0
mmap(NULL, 16656, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549e3f000
mmap(0x7ff549e40000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7ff549e40000
mmap(0x7ff549e41000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7ff549e41000
mmap(0x7ff549e42000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7ff549e42000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libblkid.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\237\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=328408, ...}) = 0
mmap(NULL, 331432, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7ff549dee000
mmap(0x7ff549df7000, 208896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7ff549df7000
mmap(0x7ff549e2a000, 65536, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3c000) = 0x7ff549e2a000
mmap(0x7ff549e3a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4b000) = 0x7ff549e3a000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff549dec000
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff549de9000
arch_prctl(ARCH_SET_FS, 0x7ff549de9740) = 0
mprotect(0x7ff54a19f000, 16384, PROT_READ) = 0
mprotect(0x7ff549e3a000, 16384, PROT_READ) = 0
mprotect(0x7ff549e42000, 4096, PROT_READ) = 0
mprotect(0x7ff549e4e000, 4096, PROT_READ) = 0
mprotect(0x7ff549e61000, 4096, PROT_READ) = 0
mprotect(0x7ff549ef1000, 4096, PROT_READ) = 0
mprotect(0x7ff549ed5000, 4096, PROT_READ) = 0
mprotect(0x7ff549f0b000, 4096, PROT_READ) = 0
mprotect(0x7ff549f6b000, 4096, PROT_READ) = 0
mprotect(0x7ff549f86000, 4096, PROT_READ) = 0
mprotect(0x7ff54a378000, 4096, PROT_READ) = 0
mprotect(0x7ff549f8c000, 4096, PROT_READ) = 0
mprotect(0x7ff549fea000, 12288, PROT_READ) = 0
mprotect(0x7ff54a1dc000, 102400, PROT_READ) = 0
mprotect(0x7ff54a21c000, 4096, PROT_READ) = 0
mprotect(0x7ff54a538000, 28672, PROT_READ) = 0
mprotect(0x55e04d057000, 4096, PROT_READ) = 0
mprotect(0x7ff54a56f000, 4096, PROT_READ) = 0
munmap(0x7ff54a21e000, 218596)          = 0
set_tid_address(0x7ff549de9a10)         = 20864
set_robust_list(0x7ff549de9a20, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7ff549edd650, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7ff549ee9820}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7ff549edd6f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff549ee9820}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
brk(NULL)                               = 0x55e04e3e3000
brk(0x55e04e404000)                     = 0x55e04e404000
futex(0x7ff54a37a618, FUTEX_WAKE_PRIVATE, 2147483647) = 0
futex(0x7ff54a37a618, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=225035648, ...}) = 0
mmap(NULL, 225035648, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7ff53c74c000
close(3)                                = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE) = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, 0x55e04e3f0760) = 0
stat(0x55e04e3f0b30, 0x7ffc52d15900)    = -1 ENOENT (No such file or directory)
stat(0x55e04e3f0b30, 0x7ffc52d15900)    = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, 0x55e04e3f4270, O_RDONLY) = 3
fstat(3, 0x7ffc52d159e0)                = 0
mmap(NULL, 6652192, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) = 0x7ff53c0f3000
close(3)                                = 0
mprotect(0x7ff53c0f3000, 6652192, PROT_READ) = 0
openat(AT_FDCWD, 0x7ff54a1724d0, O_RDONLY) = 3
fstat(3, 0x7ffc52d15710)                = 0
mmap(NULL, 26988, PROT_READ, MAP_SHARED, 3, 0) = 0x7ff54a24d000
close(3)                                = 0
futex(0x7ff54a1a4974, FUTEX_WAKE_PRIVATE, 2147483647) = ?
+++ killed by SIGSYS +++
    20861 invalid system call  strace file ~/.bashrc
BlueManCZ (1783 rep)
Feb 17, 2021, 11:19 AM • Last activity: Feb 18, 2021, 10:12 AM
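Added example, not part of the question above: one way to read a trace like the one in Edit 3 mechanically. The function name `sigsys_culprit`, its output format, and the `sample_trace` helper are assumptions of this example; the sample input is the tail of the trace quoted in the question.

```shell
#!/bin/sh
# Reads strace output on stdin. For every process that ends with
# "+++ killed by SIGSYS", prints the syscall that never returned ("= ?"),
# plus whether that pid set no_new_privs and installed a seccomp filter
# within the captured lines.
sigsys_culprit() {
    awk '
    {
        line = $0; pid = "-"
        # strace -f prefixes lines with "[pid N] " or "N "; strip and remember it.
        if (match(line, /^\[pid +[0-9]+\] /) || match(line, /^[0-9]+ +/)) {
            pid = substr(line, 1, RLENGTH); gsub(/[^0-9]/, "", pid)
            line = substr(line, RLENGTH + 1)
        }
        if (line ~ /^\+\+\+ killed by SIGSYS/) {
            name = (pid in pending) ? pending[pid] : "unknown"
            printf "%s filter_in_trace=%s nnp=%s\n", name, \
                ((pid in filt) ? "yes" : "no"), ((pid in nnp) ? "yes" : "no")
            next
        }
        # A resumed call that returned a value is no longer pending.
        if (line ~ /^<\.\.\. [a-z_0-9]+ resumed>/) {
            if (line !~ / = \?[ \t]*$/) delete pending[pid]
            next
        }
        if (!match(line, /^[a-z_][a-z_0-9]*\(/)) next
        name = substr(line, 1, RLENGTH - 1)
        # "= ?" or "<unfinished ...>": the call has not returned (yet).
        if (line ~ / = \?[ \t]*$/ || line ~ /<unfinished \.\.\.>/) {
            pending[pid] = name; next
        }
        delete pending[pid]
        if (line !~ / = 0[ \t]*$/) next
        if (line ~ /^prctl\(PR_SET_NO_NEW_PRIVS, 1/) nnp[pid] = 1
        if (line ~ /^seccomp\(SECCOMP_SET_MODE_FILTER/ ||
            line ~ /^prctl\(PR_SET_SECCOMP, SECCOMP_MODE_FILTER/) filt[pid] = 1
    }'
}

# Sample input: last lines of the strace output quoted in the question.
sample_trace() {
    cat <<'EOF'
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
prctl(PR_SET_DUMPABLE, SUID_DUMP_DISABLE) = 0
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, 0x55e04e3f0760) = 0
mmap(NULL, 26988, PROT_READ, MAP_SHARED, 3, 0) = 0x7ff54a24d000
close(3)                                = 0
futex(0x7ff54a1a4974, FUTEX_WAKE_PRIVATE, 2147483647) = ?
+++ killed by SIGSYS +++
EOF
}

sample_trace | sigsys_culprit
```

`filter_in_trace=no` only means that pid did not install a filter in the captured lines; the filter may have been inherited from a parent or applied before tracing started.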
0 votes
1 answers
1376 views
How to install linux/seccomp.h in centos6
It seems that kernel-headers rpm does not include seccomp.h, I am wondering where to find seccomp.h header file on centos6?
Howard Yu (119 rep)
Sep 11, 2020, 06:19 PM • Last activity: Sep 13, 2020, 01:27 PM
1 votes
0 answers
208 views
How can a malicious seccomp filter cause an attempt to use `setuid(2)` to return 0, without actually making the system call?
I was reading the documentation on `seccomp(2)` on my Debian system, and stumbled upon the following sentence from the paragraph below:

> Such a malicious filter might, for example, cause an attempt to use `setuid(2)` to set the caller's user IDs to non-zero values to instead return 0 without actually making the system call.

How can seccomp filters be abused to achieve what's described above? If the malicious filter disallows `setuid(2)`, then the process will likely receive a SIGSYS signal and terminate and the syscall won't be executed. If the malicious filter allows `setuid(2)`, then the `execve(2)`'d program will correctly change the UIDs of the user. What am I missing?

man seccomp:

> ...
>
> Otherwise, the SECCOMP_SET_MODE_FILTER operation will fail and return EACCES in errno. This requirement ensures that an unprivileged process cannot apply a malicious filter and then invoke a set-user-ID or other privileged program using execve(2), thus potentially compromising that program. (Such a malicious filter might, for example, cause an attempt to use setuid(2) to set the caller's user IDs to non-zero values to instead return 0 without actually making the system call. Thus, the program might be tricked into retaining superuser privileges in circumstances where it is possible to influence it to do dangerous things because it did not actually drop privileges.)
>
> ...
Shuzheng (4931 rep)
Mar 11, 2020, 07:10 PM • Last activity: Mar 11, 2020, 07:22 PM
Showing page 1 of 7 total questions