{"id":3766,"library":"pyseccomp","title":"pyseccomp","description":"Pyseccomp is a pure Python interface to the libseccomp library, leveraging ctypes to provide syscall filtering capabilities via Linux's seccomp mechanism. It aims for API compatibility with libseccomp's official Python bindings. The library is actively maintained, with its latest release (version 0.1.2) published in January 2021.","status":"active","version":"0.1.2","language":"en","source_language":"en","source_url":"https://github.com/cptpcrd/pyseccomp","tags":["seccomp","security","linux","syscall","ctypes"],"install":[{"cmd":"pip install pyseccomp","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Pyseccomp is a Python interface to the C library `libseccomp`, which must be installed on the operating system for pyseccomp to function. It uses `ctypes.util.find_library('seccomp')` to locate it.","package":"libseccomp","optional":false}],"imports":[{"note":"The pyseccomp library recommends using a `try...except ImportError` block to import `seccomp` first, and then falling back to `pyseccomp as seccomp`. This ensures compatibility if the official `libseccomp` Python bindings are installed.","wrong":"import seccomp # without a fallback","symbol":"SyscallFilter, ALLOW, LOG, ERRNO","correct":"from pyseccomp import SyscallFilter, ALLOW, LOG, ERRNO"}],"quickstart":{"code":"import errno\nimport os\n\ntry:\n    import seccomp\nexcept ImportError:\n    import pyseccomp as seccomp\n\n\ndef setup_seccomp_filter(log_only: bool = False):\n    \"\"\"\n    Sets up a basic seccomp filter that allows everything by default and\n    denies (or only logs) the syscalls used to create and execute processes.\n    \"\"\"\n    f = seccomp.SyscallFilter(seccomp.ALLOW)\n    # Ask the kernel to log every non-ALLOW action, even when returning an error\n    f.set_attr(seccomp.Attr.CTL_LOG, 1)\n\n    # Define action: LOG for logging only, or ERRNO(EACCES) for denying the\n    # syscall and returning EACCES to the caller\n    action = seccomp.LOG if log_only else seccomp.ERRNO(errno.EACCES)\n\n    # Deny execution of new programs\n    f.add_rule(action, \"execve\")\n    f.add_rule(action, \"execveat\")\n\n    # Deny creation of new processes. glibc implements fork() on top of the\n    # clone syscall, so os.fork() is only blocked if clone is covered too.\n    f.add_rule(action, \"vfork\")\n    f.add_rule(action, \"fork\")\n    f.add_rule(action, \"clone\")\n\n    f.load()\n    print(f'Seccomp filter enabled with action: {\"LOG\" if log_only else \"ERRNO(EACCES)\"}')\n\n\nif __name__ == \"__main__\":\n    print(\"Applying seccomp filter to prevent fork/execve...\")\n    setup_seccomp_filter(log_only=False)\n\n    # Attempt to fork (this should be blocked by seccomp with EACCES)\n    try:\n        pid = os.fork()\n        if pid == 0:\n            print(\"Child process created (THIS SHOULD NOT HAPPEN IF SECCOMP WORKS!)\")\n            os._exit(0)\n        else:\n            print(f\"Parent process: Child PID {pid}\")\n            os.waitpid(pid, 0)\n    except OSError as e:\n        print(f\"Fork failed as expected due to seccomp: {e}\")\n    except Exception as e:\n        print(f\"An unexpected error occurred: {e}\")\n\n    print(\"Filter applied. Program will now exit.\")","lang":"python","description":"This quickstart demonstrates how to initialize a `SyscallFilter` with a default `ALLOW` action. It then adds rules to deny the process-creation and execution syscalls `execve`, `execveat`, `vfork`, `fork` and `clone` (glibc implements `fork()` via `clone`, so `clone` must be covered for `os.fork()` to be blocked). The example shows how to configure an action (`LOG` or `ERRNO(EACCES)`) for the matched syscalls before loading the filter into the kernel. An attempt to `os.fork()` is included to illustrate how the applied seccomp filter prevents this operation, resulting in an `OSError` with `EACCES`."},"warnings":[{"fix":"Upgrade `pyseccomp` to version 0.1.2 or later, which includes a fix for `libseccomp < 2.4` compatibility. It is also recommended to keep your system's `libseccomp` library updated.","message":"Older versions of pyseccomp may have compatibility issues with `libseccomp` versions prior to 2.4, potentially leading to incorrect behavior or crashes.","severity":"breaking","affected_versions":"< 0.1.2"},{"fix":"Update `pyseccomp` to version 0.1.1 or newer to ensure all necessary function prototypes are included, resolving potential segfaults.","message":"Missing C function prototypes in pyseccomp versions prior to 0.1.1 could lead to segmentation faults when certain library functionalities were invoked.","severity":"gotcha","affected_versions":"< 0.1.1"},{"fix":"Ensure that the `libseccomp` development package (e.g., `libseccomp-dev` on Debian/Ubuntu, `libseccomp-devel` on Fedora/CentOS) is installed on your operating system.","message":"Pyseccomp is a wrapper for the `libseccomp` C library. If `libseccomp` is not installed on the system, pyseccomp will raise a `RuntimeError` during initialization, stating 'Unable to find libseccomp'.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Start with a permissive policy (`ALLOW`) and progressively add denying rules (e.g., `ERRNO`), or start with a restrictive policy (`KILL`, `TRAP`) and incrementally `ALLOW` only the necessary syscalls. Use the `CTL_LOG` attribute (`f.set_attr(seccomp.Attr.CTL_LOG, 1)`) to log blocked syscalls during development, which aids debugging. Thoroughly test the application under the seccomp filter.","message":"Applying seccomp filters too broadly or without a complete understanding of required syscalls can easily break an application, leading to unexpected crashes, hangs, or incorrect behavior. Common omissions include syscalls for file I/O (`openat`, `read`, `write`), process management (`exit_group`), and system information (`stat`).","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}