1*221b0c1eSDavid Wang #include <stdio.h>
2*221b0c1eSDavid Wang #include <stdlib.h>
3*221b0c1eSDavid Wang #include <unistd.h>
4*221b0c1eSDavid Wang #include <stddef.h>
5*221b0c1eSDavid Wang #include <sys/prctl.h>
6*221b0c1eSDavid Wang #include <linux/seccomp.h>
7*221b0c1eSDavid Wang #include <linux/filter.h>
8*221b0c1eSDavid Wang #include <linux/audit.h>
9*221b0c1eSDavid Wang #include <errno.h>
10*221b0c1eSDavid Wang #include <linux/unistd.h>
11*221b0c1eSDavid Wang #include <asm/unistd.h>
12*221b0c1eSDavid Wang #include <sys/wait.h>
13*221b0c1eSDavid Wang #include <fcntl.h>
14*221b0c1eSDavid Wang 
15*221b0c1eSDavid Wang 
16*221b0c1eSDavid Wang 
/*
 * seccomp - thin wrapper for the raw seccomp(2) system call.
 *
 * The call is issued through syscall(2) with __NR_seccomp; the result is
 * passed back unchanged, so on failure the caller sees -1 with errno set
 * exactly as the kernel reported it.
 *
 * @operation: SECCOMP_* operation (e.g. SECCOMP_SET_MODE_FILTER)
 * @flags:     SECCOMP_FILTER_FLAG_* bits for the operation
 * @args:      operation-specific argument (a struct sock_fprog * for
 *             SECCOMP_SET_MODE_FILTER)
 * @return:    the syscall's return value, narrowed to int
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args) {
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int)rc;
}
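//--------------------------------------------------------------
// Classic-BPF seccomp program, x86_64 only.  As pseudo-assembly:
//
//   ld  [4]                 /* offsetof(struct seccomp_data, arch) */
//   jne #0xc000003e, bad    /* AUDIT_ARCH_X86_64 */
//   ld  [0]                 /* offsetof(struct seccomp_data, nr) */
//   jge #0x40000000, bad    /* x32 ABI: same arch value, nr has bit 30 set */
//   jne #0, good            /* 0 == read(2) on x86_64 */
//   ld  [36]                /* high 32 bits of args[2] (the read count) */
//   jgt #0, bad
//   ld  [32]                /* low 32 bits of args[2] */
//   jlt #4097, good
//   bad:  ret #0x80000000   /* SECCOMP_RET_KILL_PROCESS */
//   good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */
//
// Policy: a read(2) whose count exceeds MAX_READ_COUNT bytes, any syscall
// made through the x32 ABI, and any syscall from another architecture kill
// the whole process; everything else is allowed.
//
// Why the x32 check: x32 syscalls also report AUDIT_ARCH_X86_64 but use
// numbers with bit 30 set, so without it a read() issued via the x32 ABI
// would not be matched by the "nr == 0" test and would slip past the count
// limit (the seccomp(2) man page recommends this check for every x86_64
// filter).  Classic BPF has only 32-bit loads, so the 64-bit count in
// args[2] is checked in two halves; the offsets assume the little-endian
// layout of x86_64, which the arch check guarantees.  KILL_PROCESS rather
// than KILL_THREAD is used so a multithreaded target cannot keep running
// after one thread trips the filter.
//--------------------------------------------------------------

enum {
    MAX_READ_COUNT  = 4096,        /* largest read(2) count the filter allows */
    X32_SYSCALL_BIT = 0x40000000,  /* same value as __X32_SYSCALL_BIT in <asm/unistd.h> */
};

static struct sock_filter filter[] = {
    /* 0 */  BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1 */  BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 7),   /* not x86_64 -> bad */
    /* 2 */  BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 3 */  BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 5, 0),     /* x32 ABI -> bad */
    /* 4 */  BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 5),                   /* nr != read -> good */
    /* 5 */  BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + 4),
    /* 6 */  BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0, 2, 0),                   /* count >= 2^32 -> bad */
    /* 7 */  BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    /* 8 */  BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, MAX_READ_COUNT + 1, 0, 1),  /* count > max -> bad, else good */
    /* 9 */  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),            /* bad */
    /* 10 */ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                   /* good */
};
/* Instruction 4 compares against the literal 0 (read(2) on x86_64) rather
 * than __NR_read, which would follow the build host's ABI instead of the
 * architecture the filter explicitly checks for. */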
46*221b0c1eSDavid Wang 
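/*
 * main - run argv[1..] under the seccomp filter above.
 *
 * The child sets PR_SET_NO_NEW_PRIVS (required for an unprivileged process
 * to install a filter, and it also keeps the filtered process from gaining
 * privileges through setuid/fscaps binaries), installs the filter, then
 * execv()s argv[1] with argv[1..] as its argument vector.  The filter is
 * inherited across execve, so the wrapped binary runs under it.
 *
 * The parent waits for the child and reports how it ended.  Exit status:
 *   1                     usage error, or fork/waitpid failed
 *   child's exit status   when the child exited normally
 *   128 + signal number   when the child was killed by a signal
 *                         (SIGSYS when the filter fired)
 */
int main(int argc, char *argv[]) {
    if (argc < 2) {
        /* argv[0] may be NULL when argc == 0. */
        printf("usage: %s <cmd> <args...?>\n", argc > 0 ? argv[0] : "filter2");
        return 1;
    }

    /* Flush before fork so buffered stdout is not emitted twice. */
    fflush(stdout);

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        printf("start forking thirdparty binary...\n");
        fflush(stdout);   /* execv() discards unflushed stdio buffers */

        /* Without no_new_privs, SECCOMP_SET_MODE_FILTER fails with EACCES
         * unless the caller has CAP_SYS_ADMIN. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            _exit(1);
        }

        struct sock_fprog prog = {
            .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
            perror("seccomp");
            _exit(1);
        }

        execv(argv[1], &argv[1]);
        /* Only reached when execv() fails; exit non-zero so the parent does
         * not report a successful run. */
        perror("execv");
        _exit(127);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
        return WEXITSTATUS(status);
    }
    if (WIFSIGNALED(status)) {
        printf("secure computing killed by signal %d\n", WTERMSIG(status));
        return 128 + WTERMSIG(status);
    }
    if (WIFSTOPPED(status)) {
        /* Not expected without WUNTRACED, but WSTOPSIG is the right macro here. */
        printf("secure computing stopped by signal %d\n", WSTOPSIG(status));
        return 1;
    }
    printf("secure computing aborted.\n");
    return 1;
}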
73*221b0c1eSDavid Wang 