Re: [PATCH RESEND 1/2] seccomp: Allow using `SECCOMP_MODE_STRICT` with `SECCOMP_MODE_FILTER`
From: Andy Lutomirski
Date: Fri Jun 12 2026 - 17:24:29 EST
On Fri, Jun 12, 2026 at 12:25 PM Will Drewry <wad@xxxxxxxxxxxx> wrote:
>
> On Tue, May 26, 2026 at 10:42 AM Jamie Hill-Daniel <clubby789@xxxxxxxxx> wrote:
> >
> > It is currently impossible to enable `SECCOMP_MODE_STRICT` if
> > `SECCOMP_MODE_FILTER` is enabled, and vice-versa. This makes using
> > seccomp difficult in environments such as Docker, which installs a
> > seccomp filter by default.
>
> Some quick thoughts on your resend -- the original reasons for
> this approach:
> (a) filter policy != strict policy
> (b) filter can implement strict, if layering is desired
> (c) minimize checks in the syscall entry/return path
>
> I'd expected folks to simply create the ~80 byte strict filter and install
> it if they needed STRICT policy.
I wonder if it would be reasonable to have the kernel do this on
behalf of the user program that's asking for STRICT. The
implementation would probably be trivial.
--Andy