Remove PR_SET_SECCOMP from blocked prctl options

congwang-mk · congwang-mk · commit 491af9766406 · 2026-03-21T12:39:42.000-07:00
Signed-off-by: Cong Wang &lt;cwang@multikernel.io&gt;
diff --git a/src/sandlock/_seccomp.py b/src/sandlock/_seccomp.py
@@ -90,12 +90,13 @@
 # Dangerous prctl(2) options — these allow a sandboxed process to
 # weaken its own confinement.
 PR_SET_DUMPABLE = 4          # re-enable /proc/pid/mem writes
-PR_SET_SECCOMP_OPT = 22      # change seccomp mode from within sandbox
 PR_SET_SECUREBITS = 28       # alter LSM security bits
 PR_SET_PTRACER = 0x59616d61  # allow arbitrary ptrace attach
+# Note: PR_SET_SECCOMP is intentionally NOT blocked — seccomp filters
+# can only tighten (never loosen) when NO_NEW_PRIVS is set, and the
+# sandbox itself needs to stack filters via prctl(PR_SET_SECCOMP).
 _DANGEROUS_PRCTL_OPS = (
     PR_SET_DUMPABLE,
-    PR_SET_SECCOMP_OPT,
     PR_SET_SECUREBITS,
     PR_SET_PTRACER,
 )
diff --git a/tests/test_seccomp.py b/tests/test_seccomp.py
@@ -114,11 +114,11 @@ def test_prctl_in_syscall_map(self):
         assert "prctl" in _SYSCALL_NR
 
     def test_dangerous_prctl_ops_defined(self):
-        assert len(_DANGEROUS_PRCTL_OPS) == 4
+        assert len(_DANGEROUS_PRCTL_OPS) == 3
         assert 4 in _DANGEROUS_PRCTL_OPS           # PR_SET_DUMPABLE
-        assert 22 in _DANGEROUS_PRCTL_OPS          # PR_SET_SECCOMP
         assert 28 in _DANGEROUS_PRCTL_OPS          # PR_SET_SECUREBITS
         assert 0x59616d61 in _DANGEROUS_PRCTL_OPS  # PR_SET_PTRACER
+        assert 22 not in _DANGEROUS_PRCTL_OPS      # PR_SET_SECCOMP — safe under NO_NEW_PRIVS
 
 
 class TestBuildFilter:
