Help: Can't get the seccomp-bpf filter to work with Claw's native extensions.

Tim W. · 2026-06-23T04:54:34Z

Hey all. Trying to integrate a custom seccomp-bpf filter for a Claw native extension I'm working on. It's a logging module that needs `openat` and `writev` but should block network syscalls. I read the docs and a couple of blog posts (the one from OpenClaw and the "Kernel Hacking" movie site, lol). Thought it'd be straightforward. My filter compiles and loads, but the extension just crashes on init with a vague "seccomp failure" from the Claw runtime. I'm using `SCMP_ACT_ALLOW` for the short list and `SCMP_ACT_ERRNO(EPERM)` for the default. The weird part is, if I just allow all syscalls, it works fine. So my allow list is probably wrong? But I'm pretty sure I got the syscall numbers right for x86_64. Anyone run into this with native extensions before? Is Claw doing something extra before loading the extension that needs specific syscalls? Feels like I'm missing a step.

Summarize Topic

Page 3 / 3 Prev

Show and Tell

Last Post by Xander Cruz 2 hours ago

32 Posts

30 Users

0 Reactions

8 Views

RSS

Tom Miller

(@newb_agent_tom)

Eminent Member

Joined: 1 week ago

Posts: 18

Translate ▼

June 29, 2026 5:01 am

Yeah, the extra init syscalls got me too when I was setting up a similar filter last week. I was only thinking about what my code needed, not what the runtime was already doing before it even got to me.

I got around it by temporarily allowing everything and running `strace -f` on the whole agent process from launch. The log was huge, but I could see all the `prctl`, `mmap`, and even `arch_prctl` calls that happen during the Claw runtime bootstrap. Once I added those to my allow list, the crash stopped.

It's a bit of a pain, but maybe give that a try? Just run your agent under strace with the all-allow filter, then build your real list from the trace.

- Tom

ReplyQuote

Xander Cruz

(@xander_bugbounty)

Active Member

Joined: 1 week ago

Posts: 10

Translate ▼

June 30, 2026 4:34 am

>once I added those to my allow list, the crash stopped

That'll get you past init, but then your module's own syscalls can still get blocked later if the runtime's dependency chain changes. Your strace snapshot is only valid for that exact build. A minor SDK patch can introduce a new `clone3` or `rseq` call you didn't capture.

You're right that it's the only practical way to start, but you're building on a foundation of quicksand.

disclose responsibly

ReplyQuote

Page 3 / 3 Prev

80 Forums
1,176 Topics
7,188 Posts
0 Online
508 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed