#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#include <asm/unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
14
15
16
// Raw wrapper for the seccomp(2) system call, which libc does not expose.
// Returns 0 on success or -1 with errno set, exactly as the kernel entry
// point does (the long from syscall() is narrowed to int).
static inline int seccomp(unsigned int operation, unsigned int flags, void *args)
{
	long rc = syscall(__NR_seccomp, operation, flags, args);
	return (int)rc;
}
20
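// Read exactly `len` bytes from `fd` into `buf`, retrying on short reads and
// on EINTR. Returns 0 on success, -1 on a read(2) error or premature EOF.
static int read_exact(int fd, void *buf, size_t len)
{
	unsigned char *p = buf;
	size_t got = 0;
	while (got < len) {
		ssize_t n = read(fd, p + got, len - got);
		if (n < 0) {
			if (errno == EINTR) continue;
			return -1;
		}
		if (n == 0) return -1;   // EOF before `len` bytes arrived
		got += (size_t)n;
	}
	return 0;
}

// Stand-in for untrusted library code. main() installs the seccomp filter
// before calling this, so only the syscalls allow-listed in `filter` are
// available here; this body needs read(2) and write(2) (via stdio).
// Reads eight 32-bit words from `fd`, XORs them together and prints the
// result. On a short read or error it reports on stderr and prints nothing.
void thirdparty_func(int fd)
{
	unsigned x = 0;
	for (int i = 0; i < 8; i++) {
		unsigned v;
		// The original ignored read()'s return value, so on failure `v`
		// was XORed in uninitialised.
		if (read_exact(fd, &v, sizeof v) != 0) {
			fprintf(stderr, "thirdparty_func: could not read %zu bytes from fd %d\n",
			        sizeof v, fd);
			return;
		}
		x ^= v;
	}
	printf("running some library code ==> 0x%x\n", x);
}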
29
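//-------------------------------------------------------------
// Syscall allow-list for the sandboxed child, as classic BPF over
// struct seccomp_data. It is hard-wired to the x86_64 ABI: the arch word is
// checked first, so the syscall numbers below are never interpreted under a
// different ABI. Only `nr` is inspected, never the arguments, so an allowed
// syscall (e.g. mmap) is allowed with any arguments.
//
// Equivalent assembly (indices in brackets):
//   [0]  ld  [4]                     /* offsetof(struct seccomp_data, arch) */
//   [1]  jne #0xc000003e, bad        /* AUDIT_ARCH_X86_64 */
//   [2]  ld  [0]                     /* offsetof(struct seccomp_data, nr) */
//   [3]  jeq #15,  good              /* rt_sigreturn */
//   [4]  jeq #231, good              /* exit_group */
//   [5]  jeq #60,  good              /* exit */
//   [6]  jeq #0,   good              /* read */
//   [7]  jeq #1,   good              /* write */
//   [8]  jeq #5,   good              /* fstat */
//   [9]  jeq #9,   good              /* mmap */
//   [10] jeq #14,  good              /* rt_sigprocmask */
//   [11] jeq #13,  good              /* rt_sigaction */
//   [12] jeq #35,  good              /* nanosleep */
//   [13] bad:  ret #SECCOMP_RET_KILL_PROCESS
//   [14] good: ret #SECCOMP_RET_ALLOW
//
// Anything not listed ends the child with SIGSYS. The verdict is
// SECCOMP_RET_KILL_PROCESS rather than SECCOMP_RET_KILL_THREAD (ret #0, the
// previous value): KILL_THREAD only ends the offending thread, so a library
// that spawned threads could survive a policy violation.
//-------------------------------------------------------------

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U   // uapi constant since Linux 4.14
#endif

static struct sock_filter filter[] = {
	// [0]-[1] A = arch; anything but x86_64 falls through (jf=11) to [13] bad
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 11),
	// [2] A = nr; each jeq's jt is the distance to [14] good
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 15, 10, 0),   // rt_sigreturn
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 231, 9, 0),   // exit_group
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 60, 8, 0),    // exit
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 7, 0),     // read
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 1, 6, 0),     // write
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 5, 5, 0),     // fstat
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 9, 4, 0),     // mmap
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 14, 3, 0),    // rt_sigprocmask
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 13, 2, 0),    // rt_sigaction
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 35, 1, 0),    // nanosleep
	// [13] bad
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
	// [14] good
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};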
65
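// Demo driver: fork a child, confine it with the seccomp allow-list `filter`,
// run the "third-party" code inside it and report how the child ended.
// Returns 0 after reporting, 1 if the sandbox could not be set up
// (open/fork/waitpid failure in the parent, prctl/seccomp failure in the child).
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;

	// Open the entropy source before forking: the child must not need
	// open(2), which `filter` does not allow, and an unchecked open after
	// fork() previously handed thirdparty_func a possibly invalid fd.
	int fd = open("/dev/urandom", O_CLOEXEC | O_RDONLY);
	if (fd < 0) {
		perror("open /dev/urandom");
		return 1;
	}

	fflush(stdout);   // do not let buffered output be emitted twice after fork()
	pid_t pid = fork();
	if (pid < 0) {
		perror("fork");
		close(fd);
		return 1;
	}

	if (pid == 0) {
		printf("start thirdpart library\n");

		// SECCOMP_SET_MODE_FILTER is refused with EACCES unless the caller
		// has CAP_SYS_ADMIN or has set no_new_privs; the kernel requires
		// the latter so an inherited filter cannot be used against a
		// setuid program after execve. Without this line the original
		// failed here for an unprivileged user.
		if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
			perror("prctl(PR_SET_NO_NEW_PRIVS)");
			return 1;
		}

		struct sock_fprog prog = {
			.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
			.filter = filter,
		};
		if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) != 0) {
			// seccomp(2) arrived in Linux 3.17; older kernels only offer
			// the prctl path. Any other failure is fatal.
			if (errno != ENOSYS ||
			    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
				perror("seccomp");
				return 1;
			}
		}

		// From here on any syscall outside `filter` ends the child.
		thirdparty_func(fd);
		return 0;
	}

	close(fd);   // only the child reads from it

	int status = 0;
	if (waitpid(pid, &status, 0) < 0) {
		perror("waitpid");
		return 1;
	}
	if (WIFEXITED(status)) {
		printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
	} else if (WIFSIGNALED(status)) {
		int sig = WTERMSIG(status);
		printf("secure computing killed/stopped by signal %d\n", sig);
		if (sig == SIGSYS) {
			printf("(SIGSYS: the child made a syscall outside the allow-list)\n");
		}
	} else {
		// Should not be reachable: waitpid() with options 0 does not report
		// stopped or continued children.
		printf("secure computing aborted.\n");
	}
	return 0;
}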
93
94