Ok, as it happens, upstream golang-seccomp 0.9.0 has a bug where it will incorrectly OR. The following commit is in upstream master but not a new release of golang-seccomp:
https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
In the upstream library, when added with a single API call,
multiple syscall argument rules should be matched with AND
logic - if all of them match, the rule matches.
At present, the Golang bindings apply OR logic to this case.
This commit resolves this and reverts to the behavior of the
main library.
Signed-off-by: Matthew Heon <email address hidden>
Ubuntu uses a git snapshot: https://github.com/mvo5/libseccomp-golang/commits/master which has this fix. Any distro that doesn't use snapd's vendored golang-seccomp is not correctly mediating arg-filtered rules, which explains why Ubuntu has proper ANDing while Debian and Fedora do not.
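To make the practical effect of the AND-versus-OR difference concrete, here is an added pure-Go model of how a seccomp allow rule with two argument conditions is matched under the documented AND semantics versus the OR semantics the commit message attributes to the 0.9.0 bindings. This is example code written for this comment thread; it is not libseccomp or libseccomp-golang code and does not call their API (so it builds without cgo). The rule shape (syscall name plus a list of "argument N <op> value" conditions), the `Allowed` helper and the constructed socket(2) calls are illustrative assumptions; the AF_INET/AF_PACKET/SOCK_STREAM/SOCK_RAW values are the usual Linux ones.

```go
package main

import "fmt"

// Illustrative socket(2) constants (Linux values); used only to build
// example calls below.
const (
	AF_INET     = 2
	AF_PACKET   = 17
	SOCK_STREAM = 1
	SOCK_RAW    = 3
)

// Op is a comparison operator for one syscall argument.
type Op int

const (
	OpEq Op = iota
	OpNe
)

// ArgCond mirrors the shape of a seccomp argument comparison:
// "argument Arg <Op> Value". (Model, not the library's type.)
type ArgCond struct {
	Arg   int
	Op    Op
	Value uint64
}

func (c ArgCond) matches(args []uint64) bool {
	if c.Arg >= len(args) {
		return false
	}
	switch c.Op {
	case OpEq:
		return args[c.Arg] == c.Value
	case OpNe:
		return args[c.Arg] != c.Value
	}
	return false
}

// Rule models one allow rule whose conditions were all supplied in a
// single rule-add call.
type Rule struct {
	Syscall string
	Conds   []ArgCond
}

// matchAND is the documented libseccomp semantics: every condition
// supplied in one rule-add call must hold for the rule to match.
func matchAND(r Rule, args []uint64) bool {
	for _, c := range r.Conds {
		if !c.matches(args) {
			return false
		}
	}
	return true
}

// matchOR models the 0.9.0 binding bug described in the commit message:
// the conditions are effectively treated as independent rules, so any
// one of them matching is enough.
func matchOR(r Rule, args []uint64) bool {
	if len(r.Conds) == 0 {
		return true
	}
	for _, c := range r.Conds {
		if c.matches(args) {
			return true
		}
	}
	return false
}

// Allowed reports whether an allow-list of rules permits the call.
// buggy=true evaluates with the OR semantics, buggy=false with AND.
func Allowed(rules []Rule, buggy bool, syscall string, args []uint64) bool {
	for _, r := range rules {
		if r.Syscall != syscall {
			continue
		}
		if buggy && matchOR(r, args) {
			return true
		}
		if !buggy && matchAND(r, args) {
			return true
		}
	}
	return false
}

// SocketStreamOnly is the constructed policy: allow socket() only when
// domain == AF_INET AND type == SOCK_STREAM.
func SocketStreamOnly() []Rule {
	return []Rule{{Syscall: "socket", Conds: []ArgCond{
		{Arg: 0, Op: OpEq, Value: AF_INET},
		{Arg: 1, Op: OpEq, Value: SOCK_STREAM},
	}}}
}

func main() {
	rules := SocketStreamOnly()
	calls := [][]uint64{
		{AF_INET, SOCK_STREAM, 0},   // intended to be allowed
		{AF_INET, SOCK_RAW, 0},      // raw socket: must be denied
		{AF_PACKET, SOCK_STREAM, 0}, // packet socket: must be denied
		{AF_PACKET, SOCK_RAW, 0},    // denied either way
	}
	for _, args := range calls {
		fmt.Printf("socket(%d, %d): AND=%v OR=%v\n", args[0], args[1],
			Allowed(rules, false, "socket", args), Allowed(rules, true, "socket", args))
	}
}
```

Under the correct AND semantics only the first call is allowed; under the OR semantics of the unfixed bindings the raw-socket and packet-socket calls slip through as well, which is the over-permissive mediation the comment above is pointing at.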