Skip to content
/ pam_seccomp Public
forked from tinytaro/pam_seccomp

PAM module sets up seccomp syscall filter for a session.

License

Apache-2.0 license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

krallin/pam_seccomp

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits

kafel @ f664aca

kafel @ f664aca

 
 

test

test

 
 

.gitmodules

.gitmodules

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

pam_seccomp.c

pam_seccomp.c

 
 

Repository files navigation

The pam_seccomp PAM module can set up seccomp syscall filter for a session. It uses Kafel to describe policies, and compiled into BPF code that can be used by seccomp filter.

Build

$ sudo apt install build-essential bison flex
$ cd pam_seccomp
$ make

Usage

  • Copy pam_seccomp.so to the PAM modules directory. (/lib/x86_64-linux-gnu/security/ on debian stretch amd64)
  • Add PAM config in /etc/pam.d
session required pam_seccomp.so debug policy=/etc/security/seccomp.d/sshd
  • Add Policy config (/etc/security/seccomp.d/sshd)
POLICY sample {
	KILL {
		ptrace
	}
}

USE sample DEFAULT ALLOW

This configuration disables ptrace syscall for remote logined users.

About

PAM module sets up seccomp syscall filter for a session.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 88.3%
  • Makefile 11.7%