Results 1 to 2 of 2

Thread: No Seccomp for most Ubuntu 24 processes?

  1. #1
    Join Date
    May 2024

    No Seccomp for most Ubuntu 24 processes?

    I was looking around the process table on Ubuntu 24 and noticed all but a few processes are missing seccomp:

    >>> set(yes)
    {'pipewire-pulse', 'pipewire', 'snapd-desktop-i', 'wireplumber', '0'}

    >>> set(no)
    {'dbus-daemon', 'gvfs-afc-volume', 'evolution-sourc', 'gsd-housekeepin', 'gjs', 'gvfsd', 'ibus-daemon', 'goa-identity-se', 'gsd-media-keys', 'gsd-power', 'gvfsd-metadata', 'gsd-keyboard', 'gsd-smartcard', 'gnome-shell', 'ibus-portal', 'gsd-sharing', 'gsd-sound', 'xdg-document-po', 'dconf-service', 'zsh', 'gsd-color', 'gvfs-mtp-volume', 'gsd-a11y-settin', 'Xwayland', 'tmux: client', 'gsd-disk-utilit', 'gcr-ssh-agent', 'at-spi-bus-laun', 'ibus-memconf', 'gsd-datetime', 'gvfs-goa-volume', 'ibus-engine-sim', 'ibus-x11', 'gvfsd-fuse', 'gnome-session-c', 'gdm-wayland-ses', 'gsd-wacom', 'evolution-alarm', 'gvfs-udisks2-vo', 'goa-daemon', 'xdg-desktop-por', 'tmux: server', 'update-notifier', 'gsd-printer', 'evolution-calen', 'ibus-extension-', 'mutter-x11-fram', 'gvfsd-network', 'evolution-addre', 'tracker-miner-f', 'st', 'gnome-shell-cal', 'at-spi2-registr', 'gsd-print-notif', 'gsd-xsettings', 'gvfs-gphoto2-vo', 'gvfsd-dnssd', 'less', 'gsd-rfkill', 'gvfsd-trash', 'gsd-screensaver', 'gnome-keyring-d', 'gnome-session-b', 'xdg-permission-'}

    Why is seccomp-bpf not enabled on most of these processes? Do I need to do something to further harden them?


  2. #2
    Join Date
    Jun 2024
    Ubuntu Development Release

    Re: No Seccomp for most Ubuntu 24 processes?

    The good news is that many of your applications are likely managed with a snap seccomp profile.

    You can check which seccomp profiles are located on your local computer from this directory in 24.04 LTS - /var/lib/snapd/seccomp/bpf/

    It appears these processes do not have seccomp profiles.

    They can be created with a tool like easyseccomp.

    I wanted to see if simply having a seccomp profile for snap would solve your issues, but it appears that it's only used to notify you when snaps are due to reset.

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts