On Tue, May 26, 2026 at 04:32:14PM +0100, Jamie Hill-Daniel wrote: > This patch adjusts the logic used by seccomp to allow applying both > `SECCOMP_MODE_FILTER` and `SECCOMP_MODE_STRICT` to the same process.
Honestly, SECCOMP_MODE_STRICT is kinda deprecated. Nothing new should be using it. > Currently, once seccomp has been initialized, a process may not > transition to a different mode (only add additional filters). > This means that in container environments such as Docker, which by > default runs with `SECCOMP_MODE_FILTER`, processes may not enable > `SECCOMP_MODE_STRICT`. This is an obstacle to using applications > requiring `SECCOMP_MODE_STRICT` in these environments, and requires > disabling these security measures. What applications do you have that need SECCOMP_MODE_STRICT and why can't they be modified to use FILTER? > When subsequently running secure computing checks, we run the strict > checks followed by any installed filters. > > Link: https://github.com/moby/moby/issues/42082 This doesn't show any particular application, just a demo program. I'd *really* prefer to only add complexity to seccomp if it is absolutely needed. -Kees -- Kees Cook
