Master the fundamental concepts of system calls & kernel interface through this focused micro-challenge.
seccomp-bpf installs a bytecode program the kernel runs on every syscall. Allow read/write, deny execve, and untrusted code cannot spawn shells even with memory corruption.
Typical sandbox:
SECCOMP_RET_ALLOW or SECCOMP_RET_KILLFor example, a JSON parser sandbox might allow read, write, exit_group, brk, mmap and trap on socket.
seccomp-bpf is the exact mechanism behind Chrome's renderer sandbox, Docker's default seccomp profile, and systemd's SystemCallFilter=, all of which whitelist a minimal syscall set to shrink the kernel's attack surface for untrusted code. Getting the BPF comparison direction wrong here is a real security bug class: an inverted allow/deny check has shipped in real sandbox escapes, which is why filters are almost always reviewed line-by-line before merging.
Before you call the implementation done, walk failure modes on purpose. Test empty structures, single-element edge cases, maximum concurrency, and errno paths that must not crash the program. OS code usually fails in production when happy-path tests pass but invariants break under contention or memory pressure.
Keep structures small and name fields after kernel counterparts when possible. That lets you read man pages and kernel source side by side while you work. Print observable events during development; remove noisy logs once tests pass reliably.
You will write a seccomp-bpf filter, apply it with prctl, and demonstrate a blocked syscall. The task asks you to log the signal delivered when a forbidden syscall is attempted.
Implement seccomp sandbox with whitelist.
Requirements:
Success:
Three hints are available for this task, revealed one at a time inside the code workspace so you can struggle productively before seeing them.
All starter code and reference implementations are available for your local setup.
View on Github