This patch adjusts the logic used by seccomp to allow applying both `SECCOMP_MODE_FILTER` and `SECCOMP_MODE_STRICT` to the same process.
Currently, once seccomp has been initialized, a process may not transition to a different mode (only add additional filters). This means that in container environments such as Docker, which by default runs with `SECCOMP_MODE_FILTER`, processes may not enable `SECCOMP_MODE_STRICT`. This is an obstacle to using applications requiring `SECCOMP_MODE_STRICT` in these environments, and requires disabling these security measures. This patch introduces a new `SECCOMP_MODE_COMBINED` (used internally, not exposed to userspace). When a process attempts to apply `SECCOMP_MODE_FILTER` or `SECCOMP_MODE_STRICT`, this mode will be used instead if the other mode is already enabled. When subsequently running secure computing checks, we run the strict checks followed by any installed filters. Link: https://github.com/moby/moby/issues/42082 Signed-off-by: Jamie Hill-Daniel <[email protected]> --- Jamie Hill-Daniel (2): seccomp: Allow using `SECCOMP_MODE_STRICT` with `SECCOMP_MODE_FILTER` selftest: seccomp: Adjust test for using both `STRICT` and `FILTER` kernel/seccomp.c | 46 +++++++++++++++------------ tools/testing/selftests/seccomp/seccomp_bpf.c | 5 ++- 2 files changed, 28 insertions(+), 23 deletions(-) --- base-commit: 7d0a66e4bb9081d75c82ec4957c50034cb0ea449 change-id: 20260302-seccomp-combined-24bc3dbe32fd Best regards, -- Jamie Hill-Daniel <[email protected]>
