Libseccomp 2.4.0 Released

It’s been over a year since the last libseccomp release (libseccomp v2.3.3 was released on January 10, 2018) but I’m happy to announce that today we’ve released libseccomp v2.4.0!

The libseccomp v2.4.0 release is a drop-in replacement for previous v2.x releases; no recompilation of applications is required. Although applications will need to be restarted to take advantage of the new libseccomp release.

The new release is a significant upgrade over libseccomp v2.3.3. In addition to a number of new features, there was a big push to improve the quality of the code in this release; a lot of time was spent adding new tests and fixing bugs. In fact there is one bug in particular that is worth giving specific mention: prior to the v2.4.0 release, libseccomp’s 64-bit syscall argument comparison code was incorrect and generated seccomp-bpf filters that would not always correctly match on syscall arguments. The impact of this bug should be relatively limited, but the researcher who identified this bug, Jann Horn, was able to identify libseccomp filters in systemd and Tor that were incorrectly generated due to this bug. Jann did not find any other vulnerable applications, but it is possible other applications are affected.

I would like to thank researches like Jann Horn who help identify problems in security critical applications and libraries like libseccomp, as well as the 46 people who have contributed their time, effort, code, and artwork to libseccomp (the complete list can be found in the CREDITS file) - thank you!

Changes in the v2.4.0 release include: