1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <unistd.h>
4 #include <stddef.h>
5 #include <sys/prctl.h>
6 #include <linux/seccomp.h>
7 #include <linux/filter.h>
8 #include <linux/audit.h>
9 #include <errno.h>
10 #include <linux/unistd.h>
11 #include <asm/unistd.h>
12 #include <sys/wait.h>
13 #include <fcntl.h>
/*
 * Minimal wrapper exposing the raw seccomp(2) system call.
 *
 * operation  one of the SECCOMP_* operations from <linux/seccomp.h>
 * flags      operation-specific flags (0 for a plain filter install)
 * args       operation-specific argument (a struct sock_fprog * for
 *            SECCOMP_SET_MODE_FILTER)
 *
 * Returns whatever syscall(2) returns: 0 on success, -1 with errno set
 * on failure (e.g. EACCES when no_new_privs is not set and the caller
 * lacks CAP_SYS_ADMIN).
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args) {
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int)rc;
}
//--------------------------------------------------------------
// Filter sketch (classic BPF assembly) for the table below:
//
// ld [4]                  /* offsetof(struct seccomp_data, arch) */
// jne #0xc000003e, bad    /* AUDIT_ARCH_X86_64 */
// ld [0]                  /* offsetof(struct seccomp_data, nr) */
// jne #0, good            /* 0 == __NR_read on x86_64 */
// ld [36]                 /* offsetof(struct seccomp_data, args[2]) + 4, i.e. args[2] >> 32 */
// jgt #0, bad
// ld [32]                 /* offsetof(struct seccomp_data, args[2]) */
// jlt #4097, good
// bad:  ret #0            /* SECCOMP_RET_KILL_THREAD */
// good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */

//--------------------------------------------------------------

/*
 * Seccomp-BPF program implementing the sketch above: on x86_64 every system
 * call is allowed except read(2) with a count argument above 4096 bytes,
 * which terminates the caller. Written with the <linux/filter.h> helpers so
 * that the encoded opcode/offset/k bytes are exactly those of the original
 * hand-filled table.
 *
 * Jump offsets are relative to the *next* instruction: from instruction 1,
 * jf=6 lands on instruction 8 (bad); from instruction 3, jf=5 lands on 9 (good).
 *
 * Note: the sketch above says "ret #0" (SECCOMP_RET_KILL_THREAD) for the bad
 * branch, but the table returns SECCOMP_RET_KILL_PROCESS (0x80000000), which
 * kills the whole process rather than only the offending thread.
 */
static struct sock_filter filter[] = {
    /* 0: A = arch.  1: not x86_64 -> bad (8).  The arch check makes the
     *    syscall number and the 32-bit half-word offsets below meaningful. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 6),
    /* 2: A = nr.  3: anything other than read(2) (nr 0) -> good (9). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 5),
    /* 4: A = high 32 bits of args[2] (the count).  5: non-zero -> bad (8).
     *    The +4 assumes little-endian layout, which the arch check guarantees. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + 4),
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0, 2, 0),
    /* 6: A = low 32 bits of the count.  7: count >= 4097 -> fall through to
     *    bad (8); otherwise -> good (9). */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 4097, 0, 1),
    /* 8: bad */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 9: good */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
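/*
 * Run argv[1..] as a child process under the seccomp filter above and report
 * how the child ended.
 *
 * Fixes relative to the original:
 *  - PR_SET_NO_NEW_PRIVS is set before installing the filter. Without it an
 *    unprivileged caller's SECCOMP_SET_MODE_FILTER fails with EACCES, so the
 *    sandbox was never actually applied for non-root users. The bit also
 *    keeps the exec'd program from gaining privilege through setuid/fscaps,
 *    which is what makes handing it a caller-chosen filter safe.
 *  - fork() and wait() failures are checked; a failed execv() is reported and
 *    the child leaves with _exit() so it never runs the parent's code path.
 *  - A stopped child is reported with WSTOPSIG(), not WTERMSIG().
 *
 * Returns 1 on usage error or when the child could not be started/awaited,
 * otherwise 0 after the child's outcome has been printed (the child's own
 * status is reported, not propagated, as in the original).
 */
int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("usage: %s <cmd> <args...?>\n", argv[0]);
        return 1;
    }

    /* Anything still sitting in a stdio buffer would be duplicated by the
     * child after fork(); flush defensively before splitting. */
    fflush(stdout);

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        /* ---- child: lock down, then hand over to the target binary ---- */
        printf("start forking thirdparty binary...\n");
        /* execv() does not flush stdio; without this the line is lost when
         * stdout is fully buffered (pipe or file). */
        fflush(stdout);

        /* Mandatory for an unprivileged filter install, and it stops the
         * exec'd program from escalating via setuid/fscaps binaries. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            _exit(1);
        }

        struct sock_fprog prog = {
            .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };
        /* The freshly forked child is single-threaded, so no
         * SECCOMP_FILTER_FLAG_TSYNC is needed; the filter is inherited
         * across execv() and by any children of the target. */
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
            perror("seccomp");
            _exit(1);
        }

        execv(argv[1], &argv[1]);
        /* Only reached when execv() failed; 127 is the conventional
         * "could not execute" status. _exit() avoids flushing inherited
         * stdio buffers or running the parent's atexit handlers. */
        perror("execv");
        _exit(127);
    }

    /* ---- parent: report how the sandboxed child ended ---- */
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }

    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        /* A filter violation shows up here as SIGSYS. */
        printf("secure computing killed/stopped by signal %d\n", WTERMSIG(status));
    } else if (WIFSTOPPED(status)) {
        /* Not reachable without WUNTRACED, but if it were, WSTOPSIG is the
         * right accessor for a stopped child. */
        printf("secure computing killed/stopped by signal %d\n", WSTOPSIG(status));
    } else {
        printf("secure computing aborted.\n");
    }
    return 0;
}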