This post demonstrates the use of seccomp user notifications to inject a shared library into a Linux process. I haven’t seen this combination documented as a process injection technique before, and it has some benefits over alternatives. In summary, seccomp user notifications enable user-space injection from parent to child without any LD_* environment variables or privileged capabilities, regardless of the ptrace_scope configuration. However, seccomp user notifications have some notable limitations:

1. Seccomp user notifications were introduced in Linux kernel version 5.0, but this PoC relies on SECCOMP_ADDFD_FLAG_SEND (Linux 5.14+) to avoid TOCTOU issues when hooking openat.
2. Requires you to create the target process (parent-to-child injection only).
3. The injected code runs with the same UID, namespaces, and LSM label as the target process.

Tags: Injection, Linux

Read full post