pyseccomp

0.1.2 · active · verified Sat Apr 11

Pyseccomp is a pure Python interface to the libseccomp library, leveraging ctypes to provide syscall filtering capabilities via Linux's seccomp mechanism. It aims for API compatibility with libseccomp's official Python bindings. The library is actively maintained, with its latest release (version 0.1.2) published in January 2021.

Warnings

breaking Older versions of pyseccomp may have compatibility issues with `libseccomp` versions prior to 2.4, potentially leading to incorrect behavior or crashes.
Fix: Upgrade `pyseccomp` to version 0.1.2 or later, which includes a fix for `libseccomp < 2.4` compatibility. It is also recommended to keep your system's `libseccomp` library updated.
gotcha Missing C function prototypes in pyseccomp versions prior to 0.1.1 could lead to segmentation faults when certain library functionalities were invoked.
Fix: Update `pyseccomp` to version 0.1.1 or newer to ensure all necessary function prototypes are included, resolving potential segfaults.
gotcha Pyseccomp is a wrapper for the `libseccomp` C library. If `libseccomp` is not installed on the system, pyseccomp will raise a `RuntimeError` during initialization, stating 'Unable to find libseccomp'.
Fix: Ensure that the `libseccomp` development package (e.g., `libseccomp-dev` on Debian/Ubuntu, `libseccomp-devel` on Fedora/CentOS) is installed on your operating system.
gotcha Applying seccomp filters too broadly or without a complete understanding of required syscalls can easily break an application, leading to unexpected crashes, hangs, or incorrect behavior. Common omissions include syscalls for file I/O (`openat`, `read`, `write`), process management (`exit_group`), and system information (`stat`).
Fix: Start with a permissive policy (`ALLOW`) and progressively add `DENY` rules, or start with a restrictive policy (`KILL`, `TRAP`) and incrementally `ALLOW` only necessary syscalls. Utilize the `CTL_LOG` attribute (`f.set_attr(seccomp.Attr.CTL_LOG, 1)`) to log blocked syscalls during development, aiding in debugging. Thoroughly test the application under the seccomp filter.

Install

pip install pyseccomp Install latest version

Imports

SyscallFilter, ALLOW, LOG, ERRNO
```
from pyseccomp import SyscallFilter, ALLOW, LOG, ERRNO
```
The pyseccomp library recommends using a `try...except ImportError` block to import `seccomp` first, and then falling back to `pyseccomp as seccomp`. This ensures compatibility if the official `libseccomp` Python bindings are installed.

Quickstart

This quickstart demonstrates how to initialize a `SyscallFilter` with a default `ALLOW` action. It then adds rules to deny specific syscalls such as `execve`, `execveat`, `vfork`, and `fork`. The example shows how to configure an action (e.g., `LOG` or `ERRNO`) for denied syscalls before loading the filter into the kernel. An attempt to `os.fork()` is included to illustrate how the applied seccomp filter prevents this operation, resulting in an `OSError`.

import errno
try:
    import seccomp
except ImportError:
    import pyseccomp as seccomp

def setup_seccomp_filter(log_only: bool = False):
    """
    Sets up a basic seccomp filter to restrict process execution.
    """
    f = seccomp.SyscallFilter(seccomp.ALLOW)
    # Always log, even when returning an error
    f.set_attr(seccomp.Attr.CTL_LOG, 1)

    # Define action: LOG for logging or ERRNO(EACCES) for denying and returning EACCES
    action = seccomp.LOG if log_only else seccomp.ERRNO(errno.EACCES)

    # Deny execution of new processes
    f.add_rule(action, "execve")
    f.add_rule(action, "execveat")
    f.add_rule(action, "vfork")
    f.add_rule(action, "fork")

    f.load()
    print(f'Seccomp filter enabled with action: {"LOG" if log_only else "ERRNO(EACCES)"}')

if __name__ == "__main__":
    print("Applying seccomp filter to prevent fork/execve...")
    setup_seccomp_filter(log_only=False)
    
    # Attempt to fork (this should be blocked by seccomp)
    try:
        import os
        pid = os.fork()
        if pid == 0:
            print("Child process created (THIS SHOULD NOT HAPPEN IF SECCOMP WORKS!)")
            os._exit(0)
        else:
            print(f"Parent process: Child PID {pid}")
            os.waitpid(pid, 0)
    except OSError as e:
        print(f"Fork failed as expected due to seccomp: {e}")
    except Exception as e:
        print(f"An unexpected error occurred: {e}")

    print("Filter applied. Program will now exit.")

view raw JSON →