2 This file is part of systemd.
4 Copyright 2014 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <linux/seccomp.h>
25 #include <sys/prctl.h>
29 #include "alloc-util.h"
32 #include "seccomp-util.h"
33 #include "string-util.h"
35 #include "errno-list.h"
37 const uint32_t seccomp_local_archs
[] = {
39 #if defined(__i386__) || defined(__x86_64__)
44 #elif defined(__arm__) || defined(__aarch64__)
48 #elif defined(__mips__) || defined(__mips64__)
54 SCMP_ARCH_MIPSEL64N32
,
56 #elif defined(__powerpc__) || defined(__powerpc64__)
61 #elif defined(__s390__) || defined(__s390x__)
68 const char* seccomp_arch_to_string(uint32_t c
) {
69 /* Maintain order used in <seccomp.h>.
71 * Names used here should be the same as those used for ConditionArchitecture=,
72 * except for "subarchitectures" like x32. */
75 case SCMP_ARCH_NATIVE
:
79 case SCMP_ARCH_X86_64
:
85 case SCMP_ARCH_AARCH64
:
89 case SCMP_ARCH_MIPS64
:
91 case SCMP_ARCH_MIPS64N32
:
93 case SCMP_ARCH_MIPSEL
:
95 case SCMP_ARCH_MIPSEL64
:
97 case SCMP_ARCH_MIPSEL64N32
:
98 return "mips64-le-n32";
101 case SCMP_ARCH_PPC64
:
103 case SCMP_ARCH_PPC64LE
:
107 case SCMP_ARCH_S390X
:
114 int seccomp_arch_from_string(const char *n
, uint32_t *ret
) {
120 if (streq(n
, "native"))
121 *ret
= SCMP_ARCH_NATIVE
;
122 else if (streq(n
, "x86"))
123 *ret
= SCMP_ARCH_X86
;
124 else if (streq(n
, "x86-64"))
125 *ret
= SCMP_ARCH_X86_64
;
126 else if (streq(n
, "x32"))
127 *ret
= SCMP_ARCH_X32
;
128 else if (streq(n
, "arm"))
129 *ret
= SCMP_ARCH_ARM
;
130 else if (streq(n
, "arm64"))
131 *ret
= SCMP_ARCH_AARCH64
;
132 else if (streq(n
, "mips"))
133 *ret
= SCMP_ARCH_MIPS
;
134 else if (streq(n
, "mips64"))
135 *ret
= SCMP_ARCH_MIPS64
;
136 else if (streq(n
, "mips64-n32"))
137 *ret
= SCMP_ARCH_MIPS64N32
;
138 else if (streq(n
, "mips-le"))
139 *ret
= SCMP_ARCH_MIPSEL
;
140 else if (streq(n
, "mips64-le"))
141 *ret
= SCMP_ARCH_MIPSEL64
;
142 else if (streq(n
, "mips64-le-n32"))
143 *ret
= SCMP_ARCH_MIPSEL64N32
;
144 else if (streq(n
, "ppc"))
145 *ret
= SCMP_ARCH_PPC
;
146 else if (streq(n
, "ppc64"))
147 *ret
= SCMP_ARCH_PPC64
;
148 else if (streq(n
, "ppc64-le"))
149 *ret
= SCMP_ARCH_PPC64LE
;
150 else if (streq(n
, "s390"))
151 *ret
= SCMP_ARCH_S390
;
152 else if (streq(n
, "s390x"))
153 *ret
= SCMP_ARCH_S390X
;
160 int seccomp_init_for_arch(scmp_filter_ctx
*ret
, uint32_t arch
, uint32_t default_action
) {
161 scmp_filter_ctx seccomp
;
164 /* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting
165 * any others. Also, turns off the NNP fiddling. */
167 seccomp
= seccomp_init(default_action
);
171 if (arch
!= SCMP_ARCH_NATIVE
&&
172 arch
!= seccomp_arch_native()) {
174 r
= seccomp_arch_remove(seccomp
, seccomp_arch_native());
178 r
= seccomp_arch_add(seccomp
, arch
);
182 assert(seccomp_arch_exist(seccomp
, arch
) >= 0);
183 assert(seccomp_arch_exist(seccomp
, SCMP_ARCH_NATIVE
) == -EEXIST
);
184 assert(seccomp_arch_exist(seccomp
, seccomp_arch_native()) == -EEXIST
);
186 assert(seccomp_arch_exist(seccomp
, SCMP_ARCH_NATIVE
) >= 0);
187 assert(seccomp_arch_exist(seccomp
, seccomp_arch_native()) >= 0);
190 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_ACT_BADARCH
, SCMP_ACT_ALLOW
);
194 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
202 seccomp_release(seccomp
);
206 static bool is_basic_seccomp_available(void) {
207 return prctl(PR_GET_SECCOMP
, 0, 0, 0, 0) >= 0;
210 static bool is_seccomp_filter_available(void) {
211 return prctl(PR_SET_SECCOMP
, SECCOMP_MODE_FILTER
, NULL
, 0, 0) < 0 &&
215 bool is_seccomp_available(void) {
216 static int cached_enabled
= -1;
218 if (cached_enabled
< 0)
220 is_basic_seccomp_available() &&
221 is_seccomp_filter_available();
223 return cached_enabled
;
226 const SyscallFilterSet syscall_filter_sets
[_SYSCALL_FILTER_SET_MAX
] = {
227 [SYSCALL_FILTER_SET_DEFAULT
] = {
229 .help
= "System calls that are always permitted",
237 "getrlimit\0" /* make sure processes can query stack size and such */
245 [SYSCALL_FILTER_SET_BASIC_IO
] = {
263 [SYSCALL_FILTER_SET_CLOCK
] = {
265 .help
= "Change the system time",
273 [SYSCALL_FILTER_SET_CPU_EMULATION
] = {
274 .name
= "@cpu-emulation",
275 .help
= "System calls for CPU emulation functionality",
283 [SYSCALL_FILTER_SET_DEBUG
] = {
285 .help
= "Debugging, performance monitoring and tracing functionality",
290 "process_vm_writev\0"
293 #ifdef __NR_s390_runtime_instr
294 "s390_runtime_instr\0"
296 "sys_debug_setcontext\0"
298 [SYSCALL_FILTER_SET_FILE_SYSTEM
] = {
299 .name
= "@file-system",
300 .help
= "File system operations",
329 "inotify_add_watch\0"
370 [SYSCALL_FILTER_SET_IO_EVENT
] = {
372 .help
= "Event loop system calls",
389 [SYSCALL_FILTER_SET_IPC
] = {
391 .help
= "SysV IPC, POSIX Message Queues or other IPC",
408 "process_vm_writev\0"
418 [SYSCALL_FILTER_SET_KEYRING
] = {
420 .help
= "Kernel keyring access",
426 [SYSCALL_FILTER_SET_MODULE
] = {
428 .help
= "Loading and unloading of kernel modules",
434 [SYSCALL_FILTER_SET_MOUNT
] = {
436 .help
= "Mounting and unmounting of file systems",
444 [SYSCALL_FILTER_SET_NETWORK_IO
] = {
445 .name
= "@network-io",
446 .help
= "Network or Unix socket IO, should not be needed if not network facing",
470 [SYSCALL_FILTER_SET_OBSOLETE
] = {
471 /* some unknown even to libseccomp */
473 .help
= "Unusual, obsolete or unimplemented system calls",
501 [SYSCALL_FILTER_SET_PRIVILEGED
] = {
502 .name
= "@privileged",
503 .help
= "All system calls which need super-user capabilities",
542 [SYSCALL_FILTER_SET_PROCESS
] = {
544 .help
= "Process control, execution, namespaceing operations",
558 [SYSCALL_FILTER_SET_RAW_IO
] = {
560 .help
= "Raw I/O port access",
567 #ifdef __NR_s390_pci_mmio_read
568 "s390_pci_mmio_read\0"
570 #ifdef __NR_s390_pci_mmio_write
571 "s390_pci_mmio_write\0"
574 [SYSCALL_FILTER_SET_REBOOT
] = {
576 .help
= "Reboot and reboot preparation/kexec",
582 [SYSCALL_FILTER_SET_RESOURCES
] = {
583 .name
= "@resources",
584 .help
= "Alter resource settings",
587 "sched_setscheduler\0"
588 "sched_setaffinity\0"
598 [SYSCALL_FILTER_SET_SWAP
] = {
600 .help
= "Enable/disable swap devices",
607 const SyscallFilterSet
*syscall_filter_set_find(const char *name
) {
610 if (isempty(name
) || name
[0] != '@')
613 for (i
= 0; i
< _SYSCALL_FILTER_SET_MAX
; i
++)
614 if (streq(syscall_filter_sets
[i
].name
, name
))
615 return syscall_filter_sets
+ i
;
620 static int seccomp_add_syscall_filter_set(
621 scmp_filter_ctx seccomp
,
622 uint32_t default_action
,
623 const SyscallFilterSet
*set
,
632 NULSTR_FOREACH(sys
, set
->value
) {
636 const SyscallFilterSet
*other
;
638 other
= syscall_filter_set_find(sys
);
642 r
= seccomp_add_syscall_filter_set(seccomp
, default_action
, other
, action
);
646 id
= seccomp_syscall_resolve_name(sys
);
647 if (id
== __NR_SCMP_ERROR
)
648 return -EINVAL
; /* Not known at all? Then that's a real error */
650 r
= seccomp_rule_add_exact(seccomp
, action
, id
, 0);
652 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
653 log_debug_errno(r
, "Failed to add rule for system call %s, ignoring: %m", sys
);
660 int seccomp_load_syscall_filter_set(uint32_t default_action
, const SyscallFilterSet
*set
, uint32_t action
) {
666 /* The one-stop solution: allocate a seccomp object, add the specified filter to it, and apply it. Once for
667 * earch local arch. */
669 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
670 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
672 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
674 r
= seccomp_init_for_arch(&seccomp
, arch
, default_action
);
678 r
= seccomp_add_syscall_filter_set(seccomp
, default_action
, set
, action
);
680 log_debug_errno(r
, "Failed to add filter set, ignoring: %m");
684 r
= seccomp_load(seccomp
);
685 if (IN_SET(r
, -EPERM
, -EACCES
))
688 log_debug_errno(r
, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
694 int seccomp_load_syscall_filter_set_raw(uint32_t default_action
, Set
* set
, uint32_t action
) {
698 /* Similar to seccomp_load_syscall_filter_set(), but takes a raw Set* of syscalls, instead of a
699 * SyscallFilterSet* table. */
701 if (set_isempty(set
) && default_action
== SCMP_ACT_ALLOW
)
704 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
705 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
709 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
711 r
= seccomp_init_for_arch(&seccomp
, arch
, default_action
);
715 SET_FOREACH(id
, set
, i
) {
716 r
= seccomp_rule_add_exact(seccomp
, action
, PTR_TO_INT(id
) - 1, 0);
718 /* If the system call is not known on this architecture, then that's fine, let's ignore it */
719 _cleanup_free_
char *n
= NULL
;
721 n
= seccomp_syscall_resolve_num_arch(arch
, PTR_TO_INT(id
) - 1);
722 log_debug_errno(r
, "Failed to add rule for system call %s, ignoring: %m", strna(n
));
726 r
= seccomp_load(seccomp
);
727 if (IN_SET(r
, -EPERM
, -EACCES
))
730 log_debug_errno(r
, "Failed to install filter set for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
736 int seccomp_restrict_namespaces(unsigned long retain
) {
740 if (log_get_max_level() >= LOG_DEBUG
) {
741 _cleanup_free_
char *s
= NULL
;
743 (void) namespace_flag_to_string_many(retain
, &s
);
744 log_debug("Restricting namespace to: %s.", strna(s
));
748 if ((retain
& NAMESPACE_FLAGS_ALL
) == NAMESPACE_FLAGS_ALL
)
751 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
752 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
755 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
757 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
761 if ((retain
& NAMESPACE_FLAGS_ALL
) == 0)
762 /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
764 r
= seccomp_rule_add_exact(
766 SCMP_ACT_ERRNO(EPERM
),
770 /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
771 * special invocation with a zero flags argument, right here. */
772 r
= seccomp_rule_add_exact(
774 SCMP_ACT_ERRNO(EPERM
),
777 SCMP_A1(SCMP_CMP_EQ
, 0));
779 log_debug_errno(r
, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
783 for (i
= 0; namespace_flag_map
[i
].name
; i
++) {
786 f
= namespace_flag_map
[i
].flag
;
787 if ((retain
& f
) == f
) {
788 log_debug("Permitting %s.", namespace_flag_map
[i
].name
);
792 log_debug("Blocking %s.", namespace_flag_map
[i
].name
);
794 r
= seccomp_rule_add_exact(
796 SCMP_ACT_ERRNO(EPERM
),
799 SCMP_A0(SCMP_CMP_MASKED_EQ
, f
, f
));
801 log_debug_errno(r
, "Failed to add unshare() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
805 r
= seccomp_rule_add_exact(
807 SCMP_ACT_ERRNO(EPERM
),
810 SCMP_A0(SCMP_CMP_MASKED_EQ
, f
, f
));
812 log_debug_errno(r
, "Failed to add clone() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
816 if ((retain
& NAMESPACE_FLAGS_ALL
) != 0) {
817 r
= seccomp_rule_add_exact(
819 SCMP_ACT_ERRNO(EPERM
),
822 SCMP_A1(SCMP_CMP_MASKED_EQ
, f
, f
));
824 log_debug_errno(r
, "Failed to add setns() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
832 r
= seccomp_load(seccomp
);
833 if (IN_SET(r
, -EPERM
, -EACCES
))
836 log_debug_errno(r
, "Failed to install namespace restriction rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
842 int seccomp_protect_sysctl(void) {
846 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
847 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
849 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
851 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
855 r
= seccomp_rule_add_exact(
857 SCMP_ACT_ERRNO(EPERM
),
861 log_debug_errno(r
, "Failed to add _sysctl() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
865 r
= seccomp_load(seccomp
);
866 if (IN_SET(r
, -EPERM
, -EACCES
))
869 log_debug_errno(r
, "Failed to install sysctl protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
875 int seccomp_restrict_address_families(Set
*address_families
, bool whitelist
) {
879 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
880 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
883 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
885 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
890 int af
, first
= 0, last
= 0;
893 /* If this is a whitelist, we first block the address families that are out of range and then
894 * everything that is not in the set. First, we find the lowest and highest address family in
897 SET_FOREACH(afp
, address_families
, i
) {
898 af
= PTR_TO_INT(afp
);
900 if (af
<= 0 || af
>= af_max())
903 if (first
== 0 || af
< first
)
906 if (last
== 0 || af
> last
)
910 assert((first
== 0) == (last
== 0));
914 /* No entries in the valid range, block everything */
915 r
= seccomp_rule_add_exact(
917 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
921 log_debug_errno(r
, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
927 /* Block everything below the first entry */
928 r
= seccomp_rule_add_exact(
930 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
933 SCMP_A0(SCMP_CMP_LT
, first
));
935 log_debug_errno(r
, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
939 /* Block everything above the last entry */
940 r
= seccomp_rule_add_exact(
942 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
945 SCMP_A0(SCMP_CMP_GT
, last
));
947 log_debug_errno(r
, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
951 /* Block everything between the first and last entry */
952 for (af
= 1; af
< af_max(); af
++) {
954 if (set_contains(address_families
, INT_TO_PTR(af
)))
957 r
= seccomp_rule_add_exact(
959 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
962 SCMP_A0(SCMP_CMP_EQ
, af
));
968 log_debug_errno(r
, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
976 /* If this is a blacklist, then generate one rule for
977 * each address family that are then combined in OR
980 SET_FOREACH(af
, address_families
, i
) {
982 r
= seccomp_rule_add_exact(
984 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
987 SCMP_A0(SCMP_CMP_EQ
, PTR_TO_INT(af
)));
993 log_debug_errno(r
, "Failed to add socket() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
998 r
= seccomp_load(seccomp
);
999 if (IN_SET(r
, -EPERM
, -EACCES
))
1002 log_debug_errno(r
, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1008 int seccomp_restrict_realtime(void) {
1009 static const int permitted_policies
[] = {
1015 int r
, max_policy
= 0;
1019 /* Determine the highest policy constant we want to allow */
1020 for (i
= 0; i
< ELEMENTSOF(permitted_policies
); i
++)
1021 if (permitted_policies
[i
] > max_policy
)
1022 max_policy
= permitted_policies
[i
];
1024 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
1025 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
1028 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
1030 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
1034 /* Go through all policies with lower values than that, and block them -- unless they appear in the
1036 for (p
= 0; p
< max_policy
; p
++) {
1039 /* Check if this is in the whitelist. */
1040 for (i
= 0; i
< ELEMENTSOF(permitted_policies
); i
++)
1041 if (permitted_policies
[i
] == p
) {
1049 /* Deny this policy */
1050 r
= seccomp_rule_add_exact(
1052 SCMP_ACT_ERRNO(EPERM
),
1053 SCMP_SYS(sched_setscheduler
),
1055 SCMP_A1(SCMP_CMP_EQ
, p
));
1057 log_debug_errno(r
, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1062 /* Blacklist all other policies, i.e. the ones with higher values. Note that all comparisons are
1063 * unsigned here, hence no need no check for < 0 values. */
1064 r
= seccomp_rule_add_exact(
1066 SCMP_ACT_ERRNO(EPERM
),
1067 SCMP_SYS(sched_setscheduler
),
1069 SCMP_A1(SCMP_CMP_GT
, max_policy
));
1071 log_debug_errno(r
, "Failed to add scheduler rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1075 r
= seccomp_load(seccomp
);
1076 if (IN_SET(r
, -EPERM
, -EACCES
))
1079 log_debug_errno(r
, "Failed to install realtime protection rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1085 int seccomp_memory_deny_write_execute(void) {
1089 SECCOMP_FOREACH_LOCAL_ARCH(arch
) {
1090 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
1092 log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch
));
1094 r
= seccomp_init_for_arch(&seccomp
, arch
, SCMP_ACT_ALLOW
);
1098 r
= seccomp_rule_add_exact(
1100 SCMP_ACT_ERRNO(EPERM
),
1103 SCMP_A2(SCMP_CMP_MASKED_EQ
, PROT_EXEC
|PROT_WRITE
, PROT_EXEC
|PROT_WRITE
));
1105 log_debug_errno(r
, "Failed to add mmap() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1109 r
= seccomp_rule_add_exact(
1111 SCMP_ACT_ERRNO(EPERM
),
1114 SCMP_A2(SCMP_CMP_MASKED_EQ
, PROT_EXEC
, PROT_EXEC
));
1116 log_debug_errno(r
, "Failed to add mprotect() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1120 r
= seccomp_rule_add_exact(
1122 SCMP_ACT_ERRNO(EPERM
),
1125 SCMP_A2(SCMP_CMP_MASKED_EQ
, SHM_EXEC
, SHM_EXEC
));
1127 log_debug_errno(r
, "Failed to add shmat() rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1131 r
= seccomp_load(seccomp
);
1132 if (IN_SET(r
, -EPERM
, -EACCES
))
1135 log_debug_errno(r
, "Failed to install MemoryDenyWriteExecute= rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch
));
1141 int seccomp_restrict_archs(Set
*archs
) {
1142 _cleanup_(seccomp_releasep
) scmp_filter_ctx seccomp
= NULL
;
1147 /* This installs a filter with no rules, but that restricts the system call architectures to the specified
1150 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1154 SET_FOREACH(id
, archs
, i
) {
1155 r
= seccomp_arch_add(seccomp
, PTR_TO_UINT32(id
) - 1);
1162 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1166 return seccomp_load(seccomp
);