1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <unistd.h>
4 #include <stddef.h>
5 #include <sys/prctl.h>
6 #include <linux/seccomp.h>
7 #include <linux/filter.h>
8 #include <linux/audit.h>
9 #include <errno.h>
10 #include <linux/unistd.h>
11 #include <asm/unistd.h>
12 #include <sys/wait.h>
13 #include <fcntl.h>
14 
15 
16 
/*
 * Invoke seccomp(2) directly through syscall(2).
 *
 * @param operation  SECCOMP_SET_MODE_* selector
 * @param flags      operation-specific flags (0 here)
 * @param args       operation-specific argument (a struct sock_fprog * for
 *                   SECCOMP_SET_MODE_FILTER)
 * @return the syscall(2) result narrowed to int: 0 on success, -1 with
 *         errno set on failure.
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args) {
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int) rc;
}
20 
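/*
 * Read exactly sizeof *v bytes from fd into *v, retrying on short reads
 * and EINTR.
 *
 * @return sizeof *v on success, the (smaller) byte count if EOF arrived
 *         first, or -1 with errno set on a read error.
 */
static ssize_t read_word(int fd, unsigned int *v) {
    unsigned char *dst = (unsigned char *) v;
    size_t got = 0;
    while (got < sizeof *v) {
        ssize_t n = read(fd, dst + got, sizeof *v - got);
        if (n < 0) {
            if (errno == EINTR) {
                continue;
            }
            return -1;
        }
        if (n == 0) {
            break;   /* EOF before a full word */
        }
        got += (size_t) n;
    }
    return (ssize_t) got;
}

/*
 * Stand-in for untrusted third-party library code: pulls eight 4-byte
 * words from fd, XORs them together and prints the result. main() calls
 * this after installing the seccomp filter, so only the syscalls on the
 * allow list (read and write among them) may be used here.
 *
 * @param fd  descriptor to read from (main() passes /dev/urandom)
 */
void thirdparty_func(int fd) {
    // seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);
    unsigned int x = 0;
    for (int i = 0; i < 8; i++) {
        /* Initialised so a failed or short read never folds stack garbage into x. */
        unsigned int v = 0;
        ssize_t n = read_word(fd, &v);
        if (n < 0) {
            perror("read");
            break;
        }
        if ((size_t) n < sizeof v) {
            fprintf(stderr, "read: short input (%zd of %zu bytes)\n", n, sizeof v);
            break;
        }
        x ^= v;
    }
    printf("running some library code ==> 0x%x\n", x);
}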
29 
30 //-------------------------------------------------------------
31 // ld [4]                  /* offsetof(struct seccomp_data, arch) */
32 // jne #0xc000003e, bad    /* AUDIT_ARCH_X86_64 */
33 // ld [0]                  /* offsetof(struct seccomp_data, nr) */
34 // jeq #15, good           /* __NR_rt_sigreturn */
35 // jeq #231, good          /* __NR_exit_group */
36 // jeq #60, good           /* __NR_exit */
37 // jeq #0, good            /* __NR_read */
38 // jeq #1, good            /* __NR_write */
39 // jeq #5, good            /* __NR_fstat */
40 // jeq #9, good            /* __NR_mmap */
41 // jeq #14, good           /* __NR_rt_sigprocmask */
42 // jeq #13, good           /* __NR_rt_sigaction */
43 // jeq #35, good           /* __NR_nanosleep */
44 // bad: ret #0             /* SECCOMP_RET_KILL_THREAD */
45 // good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */
46 //-------------------------------------------------------------
47 
/*
 * Classic-BPF seccomp program, the same one as the pseudo-listing above.
 * Layout: [0] load arch, [1] arch != x86_64 -> [13]; [2] load syscall nr;
 * [3..12] one jeq per allowed syscall, each jumping forward to [14];
 * [13] kill thread (reached only by falling through every jeq); [14] allow.
 *
 * The syscall numbers are the x86_64 values written literally, matching the
 * arch check in [1], rather than the build host's __NR_* macros, so the
 * table does not change with the machine it is compiled on.
 */
static struct sock_filter filter[] = {
    /* A = seccomp_data.arch; anything but x86_64 jumps to the kill rule */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 11),
    /* A = seccomp_data.nr; each match jumps forward to the allow rule */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,  15, 10, 0),   /* rt_sigreturn */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 231,  9, 0),   /* exit_group */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,  60,  8, 0),   /* exit */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,   0,  7, 0),   /* read */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,   1,  6, 0),   /* write */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,   5,  5, 0),   /* fstat */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,   9,  4, 0),   /* mmap */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,  14,  3, 0),   /* rt_sigprocmask */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,  13,  2, 0),   /* rt_sigaction */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,  35,  1, 0),   /* nanosleep */
    /* no jeq matched: deny */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_THREAD),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
65 
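/*
 * Demo driver: opens /dev/urandom, forks, and in the child installs the
 * seccomp filter before handing the descriptor to thirdparty_func(). The
 * parent waits for that child and reports how it ended.
 *
 * @return 0 on the normal path, 1 if open/fork/prctl/seccomp/waitpid fail.
 */
int main(int argc, char *argv[]) {
    (void) argc;
    (void) argv;

    /* Open before fork() so the result is checked once and the child simply
     * inherits the descriptor; it could not open anything once filtered. */
    int fd = open("/dev/urandom", O_CLOEXEC | O_RDONLY);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        close(fd);
        return 1;
    }

    if (pid == 0) {
        printf("start thirdpart library\n");
        /* Flush now: if the filter later kills the child, buffered stdout is lost. */
        fflush(stdout);

        /* Without no_new_privs, SECCOMP_SET_MODE_FILTER is refused (EACCES)
         * for an unprivileged caller; the bit also stops a later execve of a
         * setuid binary from running under a filter it did not choose. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            return 1;
        }
        struct sock_fprog prog = {
            .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
            perror("seccomp");
            return 1;
        }
        thirdparty_func(fd);
        /* No close(fd) here: close(2) is not on the filter's allow list and
         * would kill the child; the kernel reclaims the descriptor on exit. */
        return 0;
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        close(fd);
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        printf("secure computing killed/stopped by signal %d\n", WTERMSIG(status));
    } else if (WIFSTOPPED(status)) {
        /* WTERMSIG is only meaningful after WIFSIGNALED; a stop carries WSTOPSIG. */
        printf("secure computing killed/stopped by signal %d\n", WSTOPSIG(status));
    } else {
        printf("secure computing aborted.\n");
    }
    close(fd);
    return 0;
}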
93 