How to use seccomp to block socket(PF_PACKET, SOCK_RAW, ...)?

Hi All,

I am writing a seccomp profile to block socket(PF_PACKET, SOCK_RAW, …);
e.g. domain == PF_PACKET(17) and type == SOCK_RAW(3).

I wrote the following seccomp profile with argument checking.
However, I found that the argument checking is an “OR” condition.
e.g. Either domain == PF_PACKET or type == SOCK_RAW is blocked.

socket(17, 3, 0) => blocked (expected)
socket(17, 0, 0) => blocked (not expected)
socket(2, 3, 0) => blocked (not expected)

I am wondering how to correctly describe the “AND” condition for syscall argument checking.

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "name": "socket",
            "action": "SCMP_ACT_ERRNO",
            "args": [
                {
                    "index": 0,
                    "value": 17,
                    "valueTwo": 0,
                    "op": "SCMP_CMP_EQ"
                },
                {
                    "index": 1,
                    "value": 3,
                    "valueTwo": 0,
                    "op": "SCMP_CMP_EQ"
                }
            ]
        }
    ]
}

My environment:
OS: CentOS7 (3.10.0-514.el7.x86_64)
Docker: 1.13.0

Best regards,

Aphyr
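
As an added example (not part of the original post and not Docker's own code), the C program below writes the AND condition directly as a seccomp BPF filter: socket() is denied only when the domain is AF_PACKET and the type is SOCK_RAW. It goes one step beyond the post's SCMP_CMP_EQ check by masking the type with 0xf, so SOCK_RAW | SOCK_CLOEXEC is caught as well. Assumptions: x86-64 Linux; install_filter, denied and MARK_ERRNO are hypothetical names, and the marker errno stands in for the usual EPERM only so the filter's denial can be told apart from the kernel's own EPERM for unprivileged raw sockets.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define NATIVE_ARCH AUDIT_ARCH_X86_64  /* assumption: built and run on x86-64 */
#define MARK_ERRNO  ECANCELED          /* constructed marker errno, see lead-in */
#define FIELD(f) offsetof(struct seccomp_data, f)  /* args[n]: low 32 bits on little-endian */

/* Deny socket() only when domain == AF_PACKET AND (type & 0xf) == SOCK_RAW. */
static int install_filter(void) {
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),         /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 5),  /* not socket: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_PACKET, 0, 3),    /* first test fails: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, FIELD(args[1])),
        BPF_STMT(BPF_ALU | BPF_AND | BPF_K, 0xf),            /* drop SOCK_CLOEXEC/NONBLOCK */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SOCK_RAW, 1, 0), /* both tests passed: deny */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (MARK_ERRNO & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* 1 if the filter denied socket(domain, type, 0), 0 if it did not, -1 on setup failure. */
static int denied(int domain, int type) {
    pid_t pid = fork();
    if (pid == 0)  /* child: filter applies to this process only */
        _exit(install_filter() ? 2 : (socket(domain, type, 0) < 0 && errno == MARK_ERRNO));
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) > 1) return -1;
    return WEXITSTATUS(st);
}

int main(void) {  /* the three calls from the post; prints "1 0 0" */
    return printf("%d %d %d\n", denied(17, 3), denied(17, 0), denied(2, 3)) < 0;
}
```

x32-ABI calls arrive with AUDIT_ARCH_X86_64 and a syscall number that has bit 30 set, so this filter does not match them; a filter meant to cover SCMP_ARCH_X32 as the profile above does has to test for that number range too.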