# easyseccomp

Repository: https://github.com/giuseppe/easyseccomp (C, GPL-2.0; topics: containers, seccomp, seccomp-bpf, seccomp-filter, security)

A domain specific language for defining seccomp profiles for containers in an easier way, with more control over the generated BPF than is possible with libseccomp. This blog post explains in more detail why the project was started:
https://www.scrivano.org/posts/2021-01-30-easyseccomp/

A seccomp profile can be defined as:

```
// Native support for comments without abusing JSON!

#ifdef DENY_MKDIR_WITH_EINVAL
$syscall in (@mkdir) => ERRNO(EINVAL);
#endif

#ifndef DENY_MKDIR_WITH_EINVAL
$syscall in (@mkdir) => ERRNO(EPERM);
#endif

=> ALLOW();
```

and compiled to raw BPF with:

```sh
$ easyseccomp < profile.seccomp > seccomp.bpf
$ easyseccomp -d DENY_MKDIR_WITH_EINVAL < profile.seccomp > seccomp.bpf
```

# Language

The policy is a list of `CONDITION => STATEMENT;` rules that are evaluated in the order they are written. Evaluation stops at the first rule whose `CONDITION` is true, and its `STATEMENT` is the action applied to the syscall; the rules after it are never reached. Put the most specific rules first and the catch-all last.

If the `CONDITION` is omitted (`=> STATEMENT();`), the `STATEMENT` is always performed. End every profile with such a rule, so that the decision for syscalls no other rule matched is explicit.

## Supported variables

| Name       | Description                 |
|------------|-----------------------------|
| `$syscall` | The syscall number          |
| `$arch`    | Architecture                |
| `$arg0`    | 1st argument to the syscall |
| `$arg1`    | 2nd argument to the syscall |
| `$arg2`    | 3rd argument to the syscall |
| `$arg3`    | 4th argument to the syscall |
| `$arg4`    | 5th argument to the syscall |
| `$arg5`    | 6th argument to the syscall |

The kernel hands these values to the filter as `struct seccomp_data`, and two properties of that structure matter when writing rules:

- A syscall number is only meaningful together with `$arch`. On a host that can run more than one ABI (for example x86_64 with i386 or x32 binaries) the same number names different syscalls, and a filter that tests `$syscall` alone can be bypassed by making the call through the other ABI. Check `$arch` before any `$syscall` rule.
- The arguments are 64-bit register values even for parameters the kernel treats as a 32-bit `int`. For such a parameter the kernel ignores the upper 32 bits, so a rule that requires the whole 64-bit value to match can be sidestepped by a caller that sets the upper bits; the masked comparison below is the tool for matching only the bits the kernel actually uses.

## Actions

| Name             | Description                                                          |
|------------------|----------------------------------------------------------------------|
| `ALLOW()`        | Allow the syscall                                                    |
| `TRAP()`         | Do not execute the syscall; deliver `SIGSYS` to the calling thread   |
| `NOTIFY()`       | Handle the syscall through a user space handler                      |
| `LOG()`          | Log the syscall, then allow it                                       |
| `KILL()`         | Kill the process                                                     |
| `KILL_PROCESS()` | Kill the process                                                     |
| `KILL_THREAD()`  | Kill the thread                                                      |
| `ERRNO(ERRNO)`   | Do not execute the syscall; return the specified error code          |
| `TRACE(ERRNO)`   | Hand the syscall to a ptrace tracer, passing the value as event message |

Two of these deserve care:

- At the kernel level the legacy `SECCOMP_RET_KILL` value is an alias of `SECCOMP_RET_KILL_THREAD` and ends only the calling thread, while `SECCOMP_RET_KILL_PROCESS` (Linux 4.14 and later) ends the whole thread group. When a violating process must not survive, use `KILL_PROCESS()`.
- `TRACE(ERRNO)` does not return an error by itself: `SECCOMP_RET_TRACE` passes the syscall to an attached ptrace tracer, which reads the argument with `PTRACE_GETEVENTMSG` and decides what happens. If no tracer is attached, the kernel fails the syscall with `ENOSYS`.

## Comparison Operators

| Name                          | Description                                         |
|-------------------------------|-----------------------------------------------------|
| `$variable == VALUE`          | Equality                                            |
| `$variable != VALUE`          | Inequality                                          |
| `$variable < VALUE`           | Less than                                           |
| `$variable <= VALUE`          | Less than or equal                                  |
| `$variable > VALUE`           | Greater than                                        |
| `$variable >= VALUE`          | Greater than or equal                               |
| `$variable & MASK == VALUE`   | Masked equality: `($variable & MASK) == VALUE`      |
| `$variable in (SET)`          | The variable value is part of SET                   |
| `$variable not in (SET)`      | The variable value is not part of SET               |
| `$syscall in KERNEL(VERSION)` | The syscall is part of the specified kernel version |

Comparisons can be combined with `&&`, as the examples below show.

## Lookups

When the variable `$syscall` is used, the value can be written in the form `@name`, where `name` is a syscall name that is looked up for the architecture easyseccomp is running on.

It is possible to force the lookup for a specific architecture using the format `@name@arch`.

# Directives

It is possible to define rules that are conditionally included in the final BPF:

```
#ifdef DIRECTIVE_NAME
# ifdef ANOTHER_DIRECTIVE
=> ALLOW();
# endif
#endif
```

The rules between the `#ifdef` and the `#endif` are included only if both `DIRECTIVE_NAME` and `ANOTHER_DIRECTIVE` are defined when the BPF is generated (with `-d` on the command line).

This enables writing conditional policies such as:

```
#ifndef CAP_AUDIT_WRITE
$syscall == @socket && $arg0 == 16 && $arg2 == 9 => ERRNO(EINVAL);
#endif

$syscall == @socket => ALLOW();
```

Here `$arg0` is the socket domain and `$arg2` the protocol: 16 is `AF_NETLINK` and 9 is `NETLINK_AUDIT`, so unless `CAP_AUDIT_WRITE` is defined, opening an audit netlink socket fails with `EINVAL` while every other `socket` call is allowed.

A higher level tool, such as a container engine, can build different filters from the same profile: in the example above it defines `CAP_AUDIT_WRITE` only when that capability is granted to the container, and the `socket` syscall is handled differently in the two cases.

## Examples

- `=> ALLOW();`: Allow the syscall.
- `$syscall in (@read, @write) => ALLOW();`: The syscall is one of `read` or `write`.
- `$syscall not in (4, 5) => ALLOW();`: The syscall number is not included in the set `(4, 5)`.
- `$syscall == @read && $arg0 == 2 => ALLOW();`: The syscall is `read` and the first argument is `2`.
- `$syscall == @write && $arg0 > 2 => ALLOW();`: Write to a fd bigger than 2.
- `$syscall == @renameat2@aarch64 => ALLOW();`: The syscall is `renameat2` with the number it has on the `aarch64` architecture.
- `$syscall in KERNEL(5.3)`: A condition that is true when the syscall exists in kernel 5.3.

# Dependencies for OCI containers

It currently requires this feature in crun: https://github.com/containers/crun/pull/578

That feature loads a custom raw BPF filter in place of the seccomp configuration specified in the container configuration file. The runtime installs the filter bytes exactly as generated, so a mistake in the profile (a missing `$arch` check, no catch-all rule) reaches the container unchanged.

With that feature in crun, it is possible to create a container using the seccomp profile as:

```sh
$ easyseccomp < profile.seccomp > /tmp/seccomp.bpf
$ podman run --annotation run.oci.seccomp_bpf_file=/tmp/seccomp.bpf --rm fedora mkdir /tmp/foo
mkdir: cannot create directory '/tmp/foo': Operation not permitted

$ easyseccomp -d DENY_MKDIR_WITH_EINVAL < profile.seccomp > /tmp/seccomp.bpf
$ podman run --annotation run.oci.seccomp_bpf_file=/tmp/seccomp.bpf --rm fedora mkdir /tmp/foo
mkdir: cannot create directory '/tmp/foo': Invalid argument
```

# BPF generator

easyseccomp uses libseccomp only to look up syscall numbers. It is not used to generate the BPF bytecode, because libseccomp internally rewrites the rules it is given, so the emitted filter would no longer correspond one to one to the policy as written.
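The two profiles on this page (the `mkdir` profile from the introduction and the `#ifndef CAP_AUDIT_WRITE` socket rule from the Directives section) written out as hand-built seccomp-BPF, with a small userspace interpreter so the filters can be exercised on constructed `struct seccomp_data` inputs without installing them. This is an added example, not easyseccomp's code or its generator output; how easyseccomp itself encodes these rules is not shown on this page. It assumes x86_64 syscall numbers (`mkdir` = 83, `socket` = 41), the `AUDIT_ARCH_X86_64` value, and a little-endian host for the argument word offsets. It also shows two things the DSL leaves to the profile author: pinning `$arch` before any `$syscall` test, and comparing only the low 32 bits of a `socket` argument the kernel treats as `int`, since a caller can put anything in the upper half of the register without changing what the kernel sees.

```c
/* Added example, not easyseccomp code: the two README profiles as hand-built
 * seccomp-BPF plus a small userspace BPF interpreter to exercise them.
 * Assumes x86_64 syscall numbers and a little-endian host (arg word offsets). */
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  /* == struct sock_filter */
#define OP_LD_ABS 0x20  /* BPF_LD|BPF_W|BPF_ABS */
#define OP_JEQ_K  0x15  /* BPF_JMP|BPF_JEQ|BPF_K */
#define OP_RET_K  0x06  /* BPF_RET|BPF_K */
#define LD(off)      (struct insn){ OP_LD_ABS, 0, 0, (off) }
#define JEQ(v, t, f) (struct insn){ OP_JEQ_K, (t), (f), (v) }
#define RET(v)       (struct insn){ OP_RET_K, 0, 0, (v) }
#define RET_KILL_PROCESS  0x80000000u  /* SECCOMP_RET_KILL_PROCESS */
#define RET_ALLOW         0x7fff0000u  /* SECCOMP_RET_ALLOW */
#define ERRNO(e)          (0x00050000u | ((uint32_t)(e) & 0xffffu))  /* SECCOMP_RET_ERRNO|errno */
#define AUDIT_ARCH_X86_64 0xc000003eu
#define NR_SOCKET_X86_64  41
#define NR_MKDIR_X86_64   83
#define MAX_INSNS         32

/* Mirrors struct seccomp_data as the kernel passes it; args are 64-bit, low word first. */
struct sc_data { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };
#define OFF_NR        0u
#define OFF_ARCH      4u
#define OFF_ARG_LO(i) (16u + 8u * (i))
#define OFF_ARG_HI(i) (20u + 8u * (i))

/* `$syscall in (@mkdir) => ERRNO(err); => ALLOW();` with $arch pinned first,
 * so a foreign-ABI syscall number is never mistaken for mkdir. */
size_t build_mkdir_profile(struct insn *p, int err) {
    size_t n = 0;
    p[n++] = LD(OFF_ARCH);
    p[n++] = JEQ(AUDIT_ARCH_X86_64, 1, 0);  /* right ABI: skip the kill */
    p[n++] = RET(RET_KILL_PROCESS);
    p[n++] = LD(OFF_NR);
    p[n++] = JEQ(NR_MKDIR_X86_64, 0, 1);    /* mkdir: fall into ERRNO, else skip it */
    p[n++] = RET(ERRNO(err));
    p[n++] = RET(RET_ALLOW);                /* the `=> ALLOW();` catch-all */
    return n;
}

/* `$syscall == @socket && $arg0 == 16 && $arg2 == 9 => ERRNO(EINVAL);` then ALLOW
 * (16 = AF_NETLINK, 9 = NETLINK_AUDIT).  Both are `int` parameters: the kernel
 * uses only the low 32 bits, so the filter must compare only those.  With
 * strict_high_word=1 the filter also demands a zero high word, which is wrong. */
size_t build_socket_profile(struct insn *p, int strict_high_word) {
    size_t n = 0, fix[8], nfix = 0, allow;
    p[n++] = LD(OFF_ARCH);
    p[n++] = JEQ(AUDIT_ARCH_X86_64, 1, 0);
    p[n++] = RET(RET_KILL_PROCESS);
    p[n++] = LD(OFF_NR);
    fix[nfix++] = n; p[n++] = JEQ(NR_SOCKET_X86_64, 0, 0);  /* jf patched below */
    if (strict_high_word) { p[n++] = LD(OFF_ARG_HI(0)); fix[nfix++] = n; p[n++] = JEQ(0, 0, 0); }
    p[n++] = LD(OFF_ARG_LO(0)); fix[nfix++] = n; p[n++] = JEQ(16, 0, 0);
    if (strict_high_word) { p[n++] = LD(OFF_ARG_HI(2)); fix[nfix++] = n; p[n++] = JEQ(0, 0, 0); }
    p[n++] = LD(OFF_ARG_LO(2)); fix[nfix++] = n; p[n++] = JEQ(9, 0, 0);
    p[n++] = RET(ERRNO(EINVAL));
    allow = n;
    p[n++] = RET(RET_ALLOW);
    for (size_t i = 0; i < nfix; i++)       /* every failed compare jumps to ALLOW */
        p[fix[i]].jf = (uint8_t)(allow - fix[i] - 1);
    return n;
}

/* Run a filter on one seccomp_data the way the kernel would (BPF subset used above). */
uint32_t run_filter(const struct insn *p, size_t n, const struct sc_data *d) {
    uint32_t A = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->code) {
        case OP_LD_ABS:
            if (i->k + 4 > sizeof *d) return RET_KILL_PROCESS;
            memcpy(&A, (const unsigned char *)d + i->k, 4);
            break;
        case OP_JEQ_K: pc += (A == i->k) ? i->jt : i->jf; break;
        case OP_RET_K:  return i->k;
        default:        return RET_KILL_PROCESS;  /* opcode outside the subset */
        }
    }
    return RET_KILL_PROCESS;  /* the kernel refuses a filter that can run off the end */
}

uint32_t decide_mkdir(int err, uint32_t arch, int32_t nr) {
    struct insn p[MAX_INSNS];
    struct sc_data d = { .nr = nr, .arch = arch };
    return run_filter(p, build_mkdir_profile(p, err), &d);
}

uint32_t decide_socket(int strict_high_word, uint64_t domain, uint64_t protocol) {
    struct insn p[MAX_INSNS];
    struct sc_data d = { .nr = NR_SOCKET_X86_64, .arch = AUDIT_ARCH_X86_64,
                         .args = { domain, 0, protocol } };
    return run_filter(p, build_socket_profile(p, strict_high_word), &d);
}
```

To install one of these filters for real on Linux, wrap the array in a `struct sock_fprog` and call `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)` after `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)`; a following `mkdir` then fails with `EPERM` or `EINVAL` exactly as in the `podman` example above, which is what the runtime does with the generated file. The `strict_high_word` variant is the trap worth remembering: with `domain = 0x100000010` the kernel sees `AF_NETLINK` but the filter does not, so the audit socket is allowed.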