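/* seccomp demo: run untrusted "library" code in a forked child under a
 * BPF syscall allow-list, and report from the parent how the child ended.
 *
 * Fixes versus the original listing:
 *  - PR_SET_NO_NEW_PRIVS is set before installing the filter. Without it,
 *    SECCOMP_SET_MODE_FILTER fails with EACCES for an unprivileged caller
 *    (only CAP_SYS_ADMIN may skip it), so the demo never actually sandboxed
 *    anything when run as a normal user.
 *  - open()/fork()/read() results are checked; the random words are
 *    initialised so a short read cannot XOR uninitialised stack memory.
 *  - The filter is written with the BPF_STMT/BPF_JUMP macros and the
 *    kernel's named constants instead of bare hex, so the allow-list is
 *    auditable without a disassembler.
 */
#define _GNU_SOURCE /* syscall() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
#include <errno.h>
#include <linux/unistd.h>
#include <asm/unistd.h>
#include <sys/wait.h>
#include <fcntl.h>

/* Older UAPI headers only know SECCOMP_RET_KILL (same value: kill thread). */
#ifndef SECCOMP_RET_KILL_THREAD
#define SECCOMP_RET_KILL_THREAD SECCOMP_RET_KILL
#endif

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Thin wrapper for the seccomp(2) system call (glibc does not export one).
 * Returns 0 on success, -1 with errno set on failure.
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args) {
    return syscall(__NR_seccomp, operation, flags, args);
}

/*
 * Stand-in for untrusted third-party code. Reads eight 32-bit words from fd,
 * XORs them together and prints the result.
 *
 * Runs after the filter is installed, so it may only use allow-listed
 * syscalls: read() and write() here. (Strict mode,
 * seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL), would be the coarser
 * alternative: read/write/_exit/sigreturn only.)
 */
void thirdparty_func(int fd) {
    unsigned int x = 0;
    for (int i = 0; i < 8; i++) {
        unsigned int v = 0;                 /* zeroed: a short read must not leak stack garbage into x */
        ssize_t n = read(fd, &v, sizeof v);
        if (n < 0) {
            perror("read");                 /* write(2) is allow-listed, so this is safe under the filter */
            break;
        }
        if (n != (ssize_t)sizeof v) {
            break;                          /* EOF / short read: stop rather than mix partial words */
        }
        x ^= v;
    }
    printf("running some library code ==> 0x%x\n", x);
}

//-------------------------------------------------------------
// ld [4]                     /* offsetof(struct seccomp_data, arch) */
// jne #0xc000003e, bad       /* AUDIT_ARCH_X86_64 */
// ld [0]                     /* offsetof(struct seccomp_data, nr) */
// jeq #15, good              /* __NR_rt_sigreturn */
// jeq #231, good             /* __NR_exit_group */
// jeq #60, good              /* __NR_exit */
// jeq #0, good               /* __NR_read */
// jeq #1, good               /* __NR_write */
// jeq #5, good               /* __NR_fstat */
// jeq #9, good               /* __NR_mmap */
// jeq #14, good              /* __NR_rt_sigprocmask */
// jeq #13, good              /* __NR_rt_sigaction */
// jeq #35, good              /* __NR_nanosleep */
// bad:  ret #0               /* SECCOMP_RET_KILL_THREAD */
// good: ret #0x7fff0000      /* SECCOMP_RET_ALLOW */
//-------------------------------------------------------------

/*
 * Syscall allow-list for the sandboxed child (15 instructions, x86-64 only).
 *
 * The architecture is checked BEFORE the syscall number: numbers differ
 * between ABIs, so a caller entering via the i386 compat ABI would otherwise
 * be judged against the wrong table. Anything not listed is killed.
 *
 * Caveats a reviewer should keep in mind:
 *  - mmap() is allowed without argument checks, so the sandboxed code can
 *    still map PROT_EXEC memory; brk() is NOT allowed, so the child relies
 *    on stdio's buffer already being allocated before the filter goes in
 *    (main() prints once before installing it).
 *  - SECCOMP_RET_KILL_THREAD kills only the offending thread. The child here
 *    is single-threaded so that is the whole process; a multithreaded
 *    sandbox should return SECCOMP_RET_KILL_PROCESS instead.
 */
static struct sock_filter filter[] = {
    /* [0]  A = seccomp_data.arch */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* [1]  arch != x86-64  ->  [13] kill */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 11),
    /* [2]  A = seccomp_data.nr */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* [3..12]  allow-list: every hit jumps to [14] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn,  10, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group,     9, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit,           8, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read,           7, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write,          6, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fstat,          5, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mmap,           4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigprocmask, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigaction,   2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_nanosleep,      1, 0),
    /* [13] bad  */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_THREAD),
    /* [14] good */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/*
 * Parent: open the random source, fork, wait, report.
 * Child:  lock itself down (NO_NEW_PRIVS + filter) and run the library code.
 *
 * Returns 0 from the parent after the child has been reaped, 1 if the parent
 * could not set up; the child's own return value is what the parent reports.
 */
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;

    /* Open before forking so a failure is reported once, here, and the
     * child never hands fd -1 to read(). O_CLOEXEC keeps the descriptor out
     * of anything the sandboxed code might exec. */
    int fd = open("/dev/urandom", O_CLOEXEC | O_RDONLY);
    if (fd < 0) {
        perror("open /dev/urandom");
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        close(fd);
        return 1;
    }

    if (pid == 0) {
        printf("start thirdpart library\n");
        /* Flush now: this also makes stdio allocate its buffer while brk()
         * is still permitted, so later printf() calls under the filter only
         * need write(). */
        fflush(stdout);

        /* Mandatory for an unprivileged process: without NO_NEW_PRIVS the
         * kernel refuses SECCOMP_SET_MODE_FILTER with EACCES (the filter
         * could otherwise be used to confuse a later setuid exec). */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            return 1;
        }

        struct sock_fprog prog = {
            .len = (unsigned short) ARRAY_SIZE(filter),
            .filter = filter,
        };
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
            perror("seccomp");
            return 1;          /* never run the untrusted code unsandboxed */
        }

        thirdparty_func(fd);
        /* exit() flushes stdio with write() and leaves via exit_group();
         * both are allow-listed. */
        return 0;
    }

    /* Parent: the descriptor is only needed by the child. */
    close(fd);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }

    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status) || WIFSTOPPED(status)) {
        /* WTERMSIG is only meaningful for a signalled child; a stopped child
         * (not reported without WUNTRACED, but kept for completeness) needs
         * WSTOPSIG. A seccomp kill shows up here as SIGSYS. */
        int sig = WIFSIGNALED(status) ? WTERMSIG(status) : WSTOPSIG(status);
        printf("secure computing killed/stopped by signal %d\n", sig);
    } else {
        printf("secure computing aborted.\n");
    }
    return 0;
}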