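/*
 * Run a command under a seccomp-bpf filter (x86-64 only) that kills the
 * process when it calls read(2) with a count larger than MAX_READ_COUNT.
 * Every other system call is allowed unchanged.
 */
#define _GNU_SOURCE /* syscall(), fork(), execv() under -std=c11 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
#include <errno.h>
#include <linux/unistd.h>
#include <asm/unistd.h>
#include <sys/wait.h>
#include <fcntl.h>

/* Older kernel headers predate this constant; the value is fixed by the UAPI. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Largest read(2) count the sandboxed program may request. */
enum { MAX_READ_COUNT = 4096 };

/*
 * seccomp(2) wrapper: glibc provides no libc function for it, so the raw
 * system call is used. Returns the kernel's result (0 on success, -1 with
 * errno set on failure), exactly like syscall(2).
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args)
{
    return (int)syscall(__NR_seccomp, operation, flags, args);
}

//--------------------------------------------------------------
// ld [4]          /* offsetof(struct seccomp_data, arch) */
// jne #0xc000003e, bad /* AUDIT_ARCH_X86_64 */
// ld [0]          /* offsetof(struct seccomp_data, nr) */
// jne #0, good    /* __NR_read on x86-64 */
// ld [36]         /* offsetof(struct seccomp_data, args[2]) + 4: high word of count */
// jgt #0, bad
// ld [32]         /* offsetof(struct seccomp_data, args[2]): low word of count */
// jlt #4097, good
// bad:  ret #0x80000000 /* SECCOMP_RET_KILL_PROCESS */
// good: ret #0x7fff0000 /* SECCOMP_RET_ALLOW */
//--------------------------------------------------------------

/*
 * The program above, written with the BPF helper macros so that opcodes
 * and struct offsets are named rather than hard-coded. Jump offsets are
 * relative to the next instruction: instruction 8 is "bad", 9 is "good".
 */
static struct sock_filter filter[] = {
    /* 0: A = arch; anything but x86-64 is rejected so the nr/arg layout below holds */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    /* 1: if (A != AUDIT_ARCH_X86_64) goto 8 (bad) */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 6),
    /* 2: A = nr */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* 3: if (A != __NR_read) goto 9 (good); __NR_read is 0 on x86-64 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 0, 5),
    /* 4: A = high 32 bits of args[2] (little-endian, guaranteed by the arch check) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2]) + 4),
    /* 5: if (A > 0) goto 8 (bad): count does not fit in 32 bits */
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, 0, 2, 0),
    /* 6: A = low 32 bits of args[2] */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    /* 7: if (A >= MAX_READ_COUNT + 1) goto 8 (bad) else goto 9 (good) */
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, MAX_READ_COUNT + 1, 0, 1),
    /* 8: bad */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 9: good */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/*
 * Usage: prog <cmd> <args...>
 *
 * Forks, installs the filter in the child, then execs argv[1] with the
 * remaining arguments. The parent waits for the child and reports how it
 * ended. Returns 1 on usage or setup error in the parent, 0 otherwise;
 * the child's own exit status is only printed, not propagated.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("usage: %s <cmd> <args...?>\n", argv[0]);
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        printf("start forking thirdparty binary...\n");
        /* execv() does not flush stdio; a pipe-backed stdout would lose the line. */
        fflush(stdout);

        /*
         * Without no_new_privs an unprivileged process cannot install a
         * filter (seccomp fails with EACCES). It also stops the execv()
         * below from acquiring privileges via a set-uid/set-gid binary that
         * the filter would then constrain.
         */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            _exit(1);
        }

        struct sock_fprog prog = {
            .len = (unsigned short)ARRAY_SIZE(filter),
            .filter = filter,
        };
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
            perror("seccomp");
            _exit(1);
        }

        execv(argv[1], &argv[1]);
        /* Only reached when the exec failed; _exit() avoids re-running the
         * parent's atexit handlers and re-flushing its stdio buffers. */
        perror("execv");
        _exit(127);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status) || WIFSTOPPED(status)) {
        /* WTERMSIG is only meaningful for a signalled child; a stopped child
         * reports its signal through WSTOPSIG. (waitpid without WUNTRACED
         * does not report stops, so the second case is effectively unused.) */
        int sig = WIFSIGNALED(status) ? WTERMSIG(status) : WSTOPSIG(status);
        printf("secure computing killed/stopped by signal %d\n", sig);
    } else {
        printf("secure computing aborted.\n");
    }
    return 0;
}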