libseccomp 2.3.1 uses negative (pseudo) syscall numbers by default

Jamie Strandboge jamie at
Fri Jun 10 18:11:38 UTC 2016

On Fri, 2016-06-10 at 18:32 +0100, Dimitri John Ledkov wrote:
> Hello,
> New libseccomp is in yakkety proposed. There is a change, on some
> architecutres, w.r.t. to canonical representation of syscall
> numbers.....
> There are normal syscall numbers and multiplexed ones. And some are
> exposed as both - direct numbers and negative pseudo syscall numbers.
> All filtering should remain in place for both direct and pseudo
> numbers.
That's interesting.

> But I had to adjust our autopkgtests for this, and I'm wondering if
> there are any other pieces of software to fix as a result of this
> upstream change on some architectures (e.g. lxc, apparmor, click,
> snapd, juju, etc....)
AppArmor shouldn't care and click doesn't do anything with seccomp.

snapd does, but we take the syscall and use seccomp_syscall_resolve_name() from
libseccomp to get the syscall number to feed into seccomp_rule_add_* so it
should be fine.

Jamie Strandboge             |

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the ubuntu-devel mailing list