1*221b0c1eSDavid Wang #include <stdio.h>
2*221b0c1eSDavid Wang #include <stdlib.h>
3*221b0c1eSDavid Wang #include <unistd.h>
4*221b0c1eSDavid Wang #include <stddef.h>
5*221b0c1eSDavid Wang #include <sys/prctl.h>
6*221b0c1eSDavid Wang #include <linux/seccomp.h>
7*221b0c1eSDavid Wang #include <linux/filter.h>
8*221b0c1eSDavid Wang #include <linux/audit.h>
9*221b0c1eSDavid Wang #include <errno.h>
10*221b0c1eSDavid Wang #include <linux/unistd.h>
11*221b0c1eSDavid Wang #include <asm/unistd.h>
12*221b0c1eSDavid Wang #include <sys/wait.h>
13*221b0c1eSDavid Wang #include <fcntl.h>
14*221b0c1eSDavid Wang
15*221b0c1eSDavid Wang
16*221b0c1eSDavid Wang
// Thin wrapper over the raw seccomp(2) system call (glibc gained a libc
// wrapper only later, so the demo goes through syscall() directly).
//
// operation: SECCOMP_SET_MODE_* / SECCOMP_GET_* selector.
// flags:     operation-specific flags (0 for the modes used in this file).
// args:      operation-specific argument (e.g. a struct sock_fprog *).
// Returns the kernel's result converted to int: 0 on success, -1 with errno
// set on failure.
static inline int seccomp(unsigned int operation, unsigned int flags, void *args) {
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int)rc;
}
20*221b0c1eSDavid Wang
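// Stand-in for untrusted "third-party library" code that runs inside the
// seccomp sandbox set up by main(): it only needs read(2) and write(2).
//
// Reads eight 4-byte words from fd, XORs them together and prints the result.
// Every read is checked: a failed or short read is reported on stderr and the
// function returns without printing a value (the original XORed whatever
// happened to be in an uninitialised int on a failed read).
//
// fd: descriptor to read from; the caller keeps ownership and closes it.
void thirdparty_func(int fd) {
    // Alternative the demo leaves disabled: let the library itself enter
    // strict mode (read/write/_exit/sigreturn only) instead of main()
    // installing a BPF filter.
    // seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
    unsigned int x = 0;
    for (int i = 0; i < 8; i++) {
        int v = 0;
        ssize_t n = read(fd, &v, sizeof v);
        if (n != (ssize_t)sizeof v) {
            // write(2) is permitted by the filter, so reporting here is safe.
            if (n < 0) {
                perror("read");
            } else {
                fprintf(stderr, "read: short read (%zd bytes)\n", n);
            }
            return;
        }
        // Unsigned accumulator so the %x conversion below matches its argument type.
        x ^= (unsigned int)v;
    }
    printf("running some library code ==> 0x%x\n", x);
}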
29*221b0c1eSDavid Wang
//-------------------------------------------------------------
// Pseudo-assembly of the filter below (x86-64 syscall numbers):
// ld [4] /* offsetof(struct seccomp_data, arch) */
// jne #0xc000003e, bad /* AUDIT_ARCH_X86_64 */
// ld [0] /* offsetof(struct seccomp_data, nr) */
// jeq #15, good /* __NR_rt_sigreturn */
// jeq #231, good /* __NR_exit_group */
// jeq #60, good /* __NR_exit */
// jeq #0, good /* __NR_read */
// jeq #1, good /* __NR_write */
// jeq #5, good /* __NR_fstat */
// jeq #9, good /* __NR_mmap */
// jeq #14, good /* __NR_rt_sigprocmask */
// jeq #13, good /* __NR_rt_sigaction */
// jeq #35, good /* __NR_nanosleep */
// bad: ret #0 /* SECCOMP_RET_KILL_THREAD */
// good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
//-------------------------------------------------------------
47*221b0c1eSDavid Wang
// Classic-BPF allow-list installed on the child in main().
//
// The program first pins the ABI (arch must be AUDIT_ARCH_X86_64), then
// compares nr against the allowed x86-64 syscall numbers. The numbers are
// deliberately literal rather than __NR_* macros: the arch test fixes the
// ABI to x86-64, so build-host macros would be wrong on any other host.
// Jump targets are relative to the *next* instruction, so each accepting
// jump lands on index 14 (SECCOMP_RET_ALLOW) and the arch-mismatch jump on
// index 13 (SECCOMP_RET_KILL_THREAD).
//
// NOTE(review): per seccomp(2), x32-ABI calls on x86-64 report the same
// arch value; a filter that must exclude them additionally tests nr against
// __X32_SYSCALL_BIT. This demo does not.
static struct sock_filter filter[] = {
    /*  0 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /*  1 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 11),
    /*  2 */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /*  3 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0f, 10, 0), /* rt_sigreturn   */
    /*  4 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0xe7,  9, 0), /* exit_group     */
    /*  5 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x3c,  8, 0), /* exit           */
    /*  6 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x00,  7, 0), /* read           */
    /*  7 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x01,  6, 0), /* write          */
    /*  8 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x05,  5, 0), /* fstat          */
    /*  9 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x09,  4, 0), /* mmap           */
    /* 10 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0e,  3, 0), /* rt_sigprocmask */
    /* 11 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0d,  2, 0), /* rt_sigaction   */
    /* 12 */ BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x23,  1, 0), /* nanosleep      */
    /* 13 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_THREAD),
    /* 14 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
65*221b0c1eSDavid Wang
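// Demo driver: fork a child, confine it with the BPF allow-list above, and
// run the "third-party" code inside it while the parent reports how the
// child ended.
//
// Changes from the original: fork()/open()/wait() results are checked, the
// descriptor is opened once before fork() so the child inherits it,
// PR_SET_NO_NEW_PRIVS is set before installing the filter (required for an
// unprivileged caller, otherwise SECCOMP_SET_MODE_FILTER fails with EACCES),
// and a stopped child is reported with WSTOPSIG() rather than WTERMSIG().
//
// Returns 0 on success; 1 when a setup step fails (in whichever process it
// failed).
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;

    // Open before fork() so the child inherits the descriptor and a failure
    // is reported exactly once instead of silently passing -1 to read().
    int fd = open("/dev/urandom", O_CLOEXEC | O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        close(fd);
        return 1;
    }

    if (pid == 0) {
        printf("start thirdpart library\n");
        struct sock_fprog prog = {
            .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };
        // Without CAP_SYS_ADMIN the kernel only accepts a filter once
        // no_new_privs is set; it also prevents a later execve() from
        // regaining privileges through a set-user-ID binary.
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            return 1;
        }
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
            perror("seccomp");
            return 1;
        }
        thirdparty_func(fd);
        return 0;
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        close(fd);
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        // A disallowed syscall shows up here as SIGSYS from the filter.
        printf("secure computing killed by signal %d\n", WTERMSIG(status));
    } else if (WIFSTOPPED(status)) {
        // Not reachable without WUNTRACED, kept for completeness.
        printf("secure computing stopped by signal %d\n", WSTOPSIG(status));
    } else {
        printf("secure computing aborted.\n");
    }
    close(fd);
    return 0;
}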
93*221b0c1eSDavid Wang