Frida Linux Examples
Running Frida Inside Docker
Requirement: Frida uses ptrace and other syscalls that are blocked by Docker’s default seccomp profile. The container must be started with seccomp disabled.
Start Container Without Seccomp
```bash
docker run --security-opt seccomp:unconfined -it <image-name> /bin/bash
```
What this does:
- `--security-opt seccomp:unconfined`: disables the default seccomp syscall filter
- `-it`: allocates a pseudo-TTY and keeps stdin open (interactive shell)
- Drops into `/bin/bash` inside the container
Why this is needed:
- Frida’s injector uses `ptrace(PTRACE_ATTACH, ...)` to attach to target processes.
- Frida Gadget and the stalker use `mmap`, `mprotect`, and `process_vm_readv`/`process_vm_writev`.
- Docker’s default seccomp profile denies several of these syscalls.
Verify Frida Works After Container Start
```bash
# Inside the container: install frida-tools
pip install frida-tools

# List processes
frida-ps

# Trace a command
frida-trace -f /bin/ls
```
Alternative: Custom Seccomp Profile
Instead of fully disabling seccomp, you can allow only the specific syscalls Frida needs:
```bash
docker run --security-opt seccomp=/path/to/frida-seccomp.json -it <image-name> /bin/bash
```
Syscalls required by Frida (minimum set):
- `ptrace`
- `process_vm_readv`
- `process_vm_writev`
- `mmap` / `mprotect` / `mlock`
- `clone` / `unshare`
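
One way to build the `frida-seccomp.json` referenced above: start from a base profile and append a single allow rule for the listed syscalls that the base does not already allow unconditionally, so the rest of the filter stays in force and the newly opened syscalls are visible for review. This is an added example, not code from the Frida or Docker projects; `SAMPLE_BASE` is a constructed stand-in for a real base profile, and the function names are hypothetical.

```python
import copy
import json

# Syscalls the page lists as Frida's minimum set.
FRIDA_SYSCALLS = ["ptrace", "process_vm_readv", "process_vm_writev",
                  "mmap", "mprotect", "mlock", "clone", "unshare"]

# Constructed stand-in for a base profile; in practice load your base
# profile JSON from disk (assumption: Docker's seccomp profile schema).
SAMPLE_BASE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "mmap", "mprotect", "mlock"],
         "action": "SCMP_ACT_ALLOW"},
        # Conditional rule: applies only when the container holds the capability.
        {"names": ["ptrace", "process_vm_readv", "process_vm_writev"],
         "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
}


def unconditionally_allowed(profile):
    """Return syscall names allowed with no args/includes/excludes conditions."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        conditional = rule.get("args") or rule.get("includes") or rule.get("excludes")
        if rule.get("action") == "SCMP_ACT_ALLOW" and not conditional:
            allowed.update(rule.get("names", []))
    return allowed


def build_frida_profile(base, wanted=FRIDA_SYSCALLS):
    """Copy `base`, append one allow rule for the wanted syscalls it lacks."""
    profile = copy.deepcopy(base)
    already = unconditionally_allowed(profile)
    missing = [name for name in wanted if name not in already]
    if missing:
        profile.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW"})
    return profile, missing


if __name__ == "__main__":
    profile, added = build_frida_profile(SAMPLE_BASE)
    print("newly allowed:", ", ".join(added))
    with open("frida-seccomp.json", "w") as fh:
        json.dump(profile, fh, indent=2)
```

The returned `missing` list is exactly what the custom profile opens beyond the base, which is the part worth recording when the container is used for anything other than throwaway testing.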
Capability Alternative (Less Permissive)
```bash
docker run --cap-add SYS_PTRACE --security-opt seccomp:unconfined -it <image-name> /bin/bash
```
SYS_PTRACE alone may not be sufficient if the seccomp profile blocks required syscalls; combining both flags is the most reliable approach.
Frida Attach Modes on Linux
| Mode | Command | Notes |
|---|---|---|
| Attach by PID | frida <pid> | Process must be traceable |
| Attach by name | frida -n <process-name> | First matching process |
| Spawn and attach | frida -f <binary> [args] | Frida spawns then attaches |
| frida-trace | frida-trace -n <name> -i 'func*' | Auto-generates JS stubs |
Common Issues on Linux
| Symptom | Cause | Fix |
|---|---|---|
| ptrace: Operation not permitted | seccomp blocking ptrace | Add --security-opt seccomp:unconfined |
| unable to attach in container | Missing SYS_PTRACE cap | Add --cap-add SYS_PTRACE |
| Frida hangs on attach | YAMA ptrace scope | echo 0 > /proc/sys/kernel/yama/ptrace_scope (host) |
| PTRACE_TRACEME denied | SELinux/AppArmor policy | Adjust policy or use permissive mode for testing |