2025-03-05 05:29:41 UTC

Emelia/Emi on Nostr: The only way to invoke child processes on linux is via exec() and friends, so if ...

The only way to invoke child processes on Linux is via exec() and friends, so if you're invoking bwrap via popen() (even if via an abstraction) all you need to do is clear the O_CLOEXEC flag on a memfd you stuff the BPF code into (which would ideally be done by the abstraction, of course).

bwrap does it that way because seccomp stuff is "a bit too unwieldy" to describe in command line parameters, since it takes compiled BPF bytecode directly. Much easier to make a memfd and pass the blob along that way. (If I had to guess, the reason it takes an fd over a filename is because you can use anonymous memfds without needing a writeable tempdir? not sure why there's not a "from file" option though; at least there's *probably* a bash-fu way to pass an fd for a file to something. Never had a need to, so don't know off the top of my head)