Skip to content

WP7: Seccomp game filter #13

Open
Open
WP7: Seccomp game filter#13
Labels
enhancementNew feature or request
@Brad-Edwards

Description

@Brad-Edwards
Brad-Edwards
opened on Mar 15, 2026

Context

Game can make any syscall. Injected code can call socket(), connect(), execve() freely. Seccomp restricts the game to needed syscalls only.

Work

  • New daemon/seccomp_policy.{h,c}: build BPF seccomp filter. Allowlist: read, write, open, close, mmap, mprotect, brk, ioctl, futex, clock_gettime, nanosleep, exit_group, sigreturn. Deny: ptrace, process_vm_readv/writev, socket, connect, execve, init_module.
  • New event OWL_EVENT_SECCOMP_VIOLATION (0x0800)
  • Game calls owl_seccomp_install() at startup (cooperative model)
  • New tests/test_seccomp_policy.c
  • Modify game/main.c

Tests

8 unit + 1 E2E.

Part of v2.0.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions