[PATCH v2 0/3] seccomp: Allow using SECCOMP_MODE_STRICT with SECCOMP_MODE_FILTER
From: Jamie Hill-Daniel
Date: Mon Jun 15 2026 - 12:23:31 EST
This patch adjusts the logic used by seccomp to allow applying both
SECCOMP_MODE_FILTER and SECCOMP_MODE_STRICT to the same process.
Currently, once seccomp has been initialized, a process may not
transition to a different mode (only add additional filters).
This means that in container environments such as Docker, which by
default runs with SECCOMP_MODE_FILTER, processes may not enable
SECCOMP_MODE_STRICT. This is an obstacle to using applications
requiring SECCOMP_MODE_STRICT in these environments, and requires
disabling these security measures.
This series adds a new 'strict upgrade' flag, which runs strict checks
after the filters.
Link: https://github.com/moby/moby/issues/42082
Signed-off-by: Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx>
Reviewed-by: William Liu <will@xxxxxxxxxxxx>
---
Jamie Hill-Daniel (3):
seccomp: Store death as a separate field
seccomp: Allow upgrading to strict mode after enabling filters
selftest: seccomp: Adjust tests for using both STRICT and FILTER
include/linux/seccomp_types.h | 7 ++-
kernel/seccomp.c | 74 ++++++++++++---------------
tools/testing/selftests/seccomp/seccomp_bpf.c | 68 +++++++++++-------------
3 files changed, 68 insertions(+), 81 deletions(-)
---
base-commit: b9f0372b25cf3c41bf8eda02e65733afa5e8ad7c
change-id: 20260302-seccomp-combined-24bc3dbe32fd
Best regards,
--
Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx>
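The mode-transition rule the cover letter describes, as a probe program (an added example, not code from this series or from the kernel tree): a forked child installs an allow-everything filter, which puts it in SECCOMP_MODE_FILTER (the state a default Docker container starts in), then asks for SECCOMP_MODE_STRICT on top of it. On kernels without this series the second prctl() fails with EINVAL, because seccomp refuses to change a mode that is already set (see seccomp(2)); a kernel that accepts the transition would make the probe return 0. The example assumes Linux with CONFIG_SECCOMP_FILTER and an environment that permits prctl(PR_SET_SECCOMP); the function names and the exit-status encoding are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit-status encoding used by the probe child (chosen for this example). */
#define PROBE_FILTER_FAILED_BASE 128   /* 128 + errno: the filter could not be installed */
#define PROBE_CHILD_FAILED       (-2)  /* fork()/waitpid() failed, nothing was probed */

/*
 * Runs in the forked child.  Step 1: install a filter that allows every
 * syscall, which moves the task into SECCOMP_MODE_FILTER.  Step 2: request
 * SECCOMP_MODE_STRICT on top of it.  Returns 0 if both calls succeeded,
 * errno from the strict call if the kernel refused the mode change, or
 * 128 + errno if the filter itself could not be installed (the errno values
 * seen here are small, so the sum fits in an exit status).
 */
static int child_probe(void)
{
    struct sock_filter allow_all[] = {
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(allow_all) / sizeof(allow_all[0]),
        .filter = allow_all,
    };

    /* An unprivileged task must set no_new_privs before installing a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return PROBE_FILTER_FAILED_BASE + errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return PROBE_FILTER_FAILED_BASE + errno;

    /* Mode is now FILTER; ask to become STRICT.  Unpatched kernels answer EINVAL. */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
        return errno;
    return 0;
}

/*
 * Runs the probe in a child so the caller's own seccomp state is untouched.
 * Returns the child's result as documented on child_probe(), or
 * PROBE_CHILD_FAILED if the child could not be run or did not exit normally.
 */
int probe_filter_then_strict(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_CHILD_FAILED;
    if (pid == 0) {
        int code = child_probe();
        /* Raw exit(2): if strict mode was entered, only read/write/exit/sigreturn survive. */
        syscall(SYS_exit, code);
        _exit(code); /* not reached */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_CHILD_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = probe_filter_then_strict();
    if (rc == 0)
        printf("FILTER -> STRICT transition allowed by this kernel\n");
    else if (rc == PROBE_CHILD_FAILED)
        printf("could not run the probe child\n");
    else if (rc >= PROBE_FILTER_FAILED_BASE)
        printf("filter install failed: %s\n", strerror(rc - PROBE_FILTER_FAILED_BASE));
    else
        printf("FILTER -> STRICT refused: %s\n", strerror(rc));
    return 0;
}
```

Running it inside a default Docker container shows the situation the cover letter describes: the runtime's own filter has already put the process in SECCOMP_MODE_FILTER, the probe's extra filter stacks on fine, and the strict request is what fails.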