seccomp

elasticsearch will not start: Seccomp is present, but bootstrap check fails (Centos 7 / ES 6.4.2) [closed]

前提是你 submitted on 2019-12-25 20:03:25

Question: CentOS Linux release 7.5.1804 (Core)

Configuring a production cluster, and ES refuses to start:

    1:33:56,454][INFO ][o.e.t.TransportService ] [node-68795-C] publish_address {192.168.200.162:9300}, bound_addresses {192.168.200.162:9300}
    [2018-10-28T21:33:56,467][INFO ][o.e.b.BootstrapChecks ] [node-68795-C] bound or

Why does a seccomp process always get killed?

谁都会走 submitted on 2019-12-05 20:41:39

Question: Why does a process that has gone into seccomp mode always get killed on exit?

    $ cat simple.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/prctl.h>   /* prototype for prctl() and the PR_* constants */

    int main(int argc, char **argv)
    {
        printf("Starting\n");
        prctl(PR_SET_SECCOMP, 1);   /* 1 == SECCOMP_MODE_STRICT */
        printf("Running\n");
        exit(0);
    }
    $ cc -o simple simple.c
    $ ./simple || echo "Returned $?"
    Starting
    Running
    Killed
    Returned 137

Answer 1: From the man page, under PR_SET_SECCOMP, the only allowed system calls are read, write, exit, and sigreturn. When you call exit(0) in the standard library (in recent Linux), you call the exit_group system call, not exit. This is not

How do you cleanly exit after enabling seccomp in Python?

自古美人都是妖i submitted on 2019-12-05 14:12:28

Question: I have enabled seccomp via python-prctl in a project. I can't quite figure out how to exit cleanly - the result is always a kill. I saw some examples that use ctypes or ffi to try to reference libc, but if I inspect them with WIFEXITED they also seem to have the same issue. Example code below. The result is always "We were killed to death".

    import os
    import prctl   # python-prctl

    def main():
        pid = os.fork()
        if not pid:
            prctl.set_seccomp(True)
            os.write(1, 'Hi\n')   # fd 1 (stdout); write() is still allowed under strict seccomp
            # os._exit(0)
            # _exit(0)
            # sys._exit(0)
            # return
            # ?!@#(*! What do?
        endpid, status = os.waitpid(pid, 0)
        print 'Child forked as %d and returned with %d' % (endpid, status)
        if

Restrict system calls inside docker container

杀马特。学长 韩版系。学妹 submitted on 2019-12-04 06:46:56

Question: How can I restrict any system call made inside a docker container? If the given process makes a system call it will be blocked. Or how can I use seccomp with docker?

Answer 1: You can see more at "Seccomp security profiles for Docker" (the feature is available only if the kernel is configured with CONFIG_SECCOMP enabled.) The support for docker containers will be in docker 1.10: see issue 17142 allowing the Engine to accept a seccomp profile at container run time. In the future, we might want to ship builtin profiles, or bake profiles in the images. PR 17989 has been merged. It allows for passing a
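A Docker seccomp profile (passed with `docker run --security-opt seccomp=/path/to/profile.json`) is a JSON list of syscall rules that the engine compiles, through libseccomp, into a classic-BPF program installed with seccomp mode 2 (SECCOMP_MODE_FILTER). The following is an added example, not code from the question, the answer, or the Docker project: it builds that kind of filter by hand in C, denying mkdir and mkdirat with EPERM and allowing everything else, and installs it in a forked child so the parent process is unaffected. The directory path, the mkdir probe, and the exit-code convention 99 for "the kernel refused the filter" are choices of this example, not anything Docker does.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Older kernel headers lack this name; the value is the kernel ABI constant. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Syscall numbers are per-ABI, so the filter must pin the ABI it was written for. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define SECCOMP_UNAVAILABLE 99   /* this example's exit code for "kernel refused SECCOMP_MODE_FILTER" */

/* Deny mkdir/mkdirat with EPERM, allow everything else, kill the process on a foreign ABI. */
static struct sock_filter demo_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_mkdir                                             /* absent on e.g. aarch64 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdir, 1, 0),    /* match: jump over the next test to the deny */
#endif
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),  /* no match: jump over the deny to the allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

static int install_demo_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof demo_filter / sizeof demo_filter[0]),
        .filter = demo_filter,
    };
    /* Required before an unprivileged process may install a filter (Docker sets it for containers). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Forks, installs the filter in the child, and probes mkdir there. Returns the errno the
 * child saw (EPERM when the filter works), 0 if mkdir succeeded (filter not in effect),
 * SECCOMP_UNAVAILABLE if the kernel rejected the filter, or -1 on a harness failure. */
int filtered_mkdir_result(void)
{
    const char *path = "/tmp/seccomp-filter-demo.dir";   /* constructed path for the probe */
    fflush(stdout);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_demo_filter() != 0)
            _exit(SECCOMP_UNAVAILABLE);
        if (mkdir(path, 0700) == 0) {
            rmdir(path);
            _exit(0);
        }
        _exit(errno);   /* expected EPERM: injected by the filter before the kernel touches the fs */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = filtered_mkdir_result();
    if (r == EPERM)
        printf("mkdir blocked by the seccomp filter: %s\n", strerror(r));
    else if (r == SECCOMP_UNAVAILABLE)
        printf("kernel does not support SECCOMP_MODE_FILTER\n");
    else
        printf("unexpected result %d\n", r);
    return r == EPERM ? 0 : 1;
}
```

The arch check is not decoration: a filter that only compares `nr` can be bypassed on a 64-bit kernel by issuing the same number through the 32-bit ABI, where it names a different call. Docker's default profile is the mirror image of this one (defaultAction SCMP_ACT_ERRNO with an explicit allow list), which is the safer shape for anything beyond a demo.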

seccomp — how to EXIT_SUCCESS?

寵の児 submitted on 2019-11-29 09:08:50

Question: How to EXIT_SUCCESS after strict mode seccomp is set. Is it the correct practice, to call syscall(SYS_exit, EXIT_SUCCESS); at the end of main?

    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/prctl.h>
    #include <linux/seccomp.h>
    #include <sys/syscall.h>

    int main(int argc, char **argv)
    {
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
        //return EXIT_SUCCESS;              // does not work
        //_exit(EXIT_SUCCESS);              // does not work
        // syscall(__NR_exit, EXIT_SUCCESS); // (EDIT) This works! Is this the ultimate answer and the right way to exit success from seccomp-ed programs?
        syscall(SYS_exit, EXIT_SUCCESS);   //
    }
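The three strict-mode questions on this page (the simple.c one, the python-prctl one and this EXIT_SUCCESS one) hit the same wall: mode 1 (SECCOMP_MODE_STRICT) allows only read, write, exit and sigreturn, and every libc exit path (return from main, exit(), _exit(), and Python's os._exit(), which calls C _exit()) goes through exit_group, which is a different syscall from exit. The following added example is not code from any of the posts: it forks a child, switches the child into strict mode, and leaves either through exit_group (the libc path) or through the raw exit syscall, then reports what the parent observed via waitpid. The exit code 99 for "prctl refused strict mode" and the outcome enum are this example's own conventions.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/seccomp.h>

enum exit_path { VIA_EXIT_GROUP, VIA_RAW_EXIT };
enum outcome { OUTCOME_CLEAN, OUTCOME_KILLED, OUTCOME_NO_SECCOMP, OUTCOME_OTHER };

#define NO_SECCOMP_CODE 99   /* this example's convention for "kernel refused SECCOMP_MODE_STRICT" */

/* Fork a child, put it into strict mode, and leave through the chosen path.
 * Returns what the parent observed through waitpid(). */
int strict_exit_outcome(enum exit_path path)
{
    fflush(stdout);                       /* don't let the child inherit buffered stdio */
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_OTHER;
    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            syscall(SYS_exit, NO_SECCOMP_CODE);
        /* From here on only read, write, exit and sigreturn are permitted. */
        if (path == VIA_EXIT_GROUP)
            syscall(SYS_exit_group, 0);   /* what exit(), _exit() and return-from-main use: SIGKILL */
        syscall(SYS_exit, 0);             /* the raw exit syscall: allowed, clean status 0 */
        /* not reached: both syscalls terminate the (single-threaded) child */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return OUTCOME_OTHER;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return OUTCOME_KILLED;            /* a shell reports this as 128 + 9 = 137 */
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return OUTCOME_CLEAN;
    if (WIFEXITED(status) && WEXITSTATUS(status) == NO_SECCOMP_CODE)
        return OUTCOME_NO_SECCOMP;
    return OUTCOME_OTHER;
}

static const char *outcome_name(int o)
{
    switch (o) {
    case OUTCOME_CLEAN:      return "exited cleanly (status 0)";
    case OUTCOME_KILLED:     return "killed by SIGKILL";
    case OUTCOME_NO_SECCOMP: return "kernel refused strict mode";
    default:                 return "unexpected";
    }
}

int main(void)
{
    printf("exit_group: %s\n", outcome_name(strict_exit_outcome(VIA_EXIT_GROUP)));
    printf("raw exit:   %s\n", outcome_name(strict_exit_outcome(VIA_RAW_EXIT)));
    return 0;
}
```

The raw exit syscall is the only clean way out of strict mode, and it works only because the sandboxed part of the program is single-threaded; with more threads, exit ends just the calling thread. For a Python child the same constraint applies to the interpreter's own shutdown syscalls, which is why every os._exit variant in the python-prctl question ends in a kill.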
