1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <unistd.h>
4 #include <stddef.h>
5 #include <sys/prctl.h>
6 #include <linux/seccomp.h>
7 #include <linux/filter.h>
8 #include <linux/audit.h>
9 #include <errno.h>
10 #include <linux/unistd.h>
11 #include <asm/unistd.h>
12 #include <sys/wait.h>
13 #include <fcntl.h>
14 
15 
16 
/*
 * Minimal wrapper for the raw seccomp(2) system call (glibc ships no
 * seccomp() binding; libseccomp is the usual full-featured alternative).
 *
 * operation: SECCOMP_SET_MODE_FILTER, SECCOMP_GET_ACTION_AVAIL, ...
 * flags:     SECCOMP_FILTER_FLAG_* bits for the operation
 * args:      operation-specific pointer (struct sock_fprog for filters)
 *
 * Returns what syscall(3) returns, narrowed to int: 0 on success, -1 with
 * errno set on failure.
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args) {
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int)rc;
}
20 
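/*
 * Deny-list seccomp filter (classic BPF).  Equivalent bpf_asm:
 *
 *   ld [4]                       ; offsetof(struct seccomp_data, arch)
 *   jne #FILTER_ARCH, bad        ; foreign ABI (e.g. 32-bit compat) -> kill
 *   ld [0]                       ; offsetof(struct seccomp_data, nr)
 *   jeq #__NR_bind,    bad
 *   jeq #__NR_listen,  bad
 *   jeq #__NR_accept,  bad
 *   jeq #__NR_accept4, bad       ; libc commonly reaches accept() via accept4
 *   good: ret #SECCOMP_RET_ALLOW
 *   bad:  ret #SECCOMP_RET_KILL_PROCESS
 *
 * Syscall numbers are taken from <asm/unistd.h> so they match the build
 * host.  The previous table hard-coded 200/201/202 next to an
 * AUDIT_ARCH_X86_64 check: those are bind/listen/accept on arm64, but on
 * x86_64 -- the only ABI the check admits -- they are tkill/time/futex,
 * so the filter killed the wrong calls and left the socket calls open.
 * Because __NR_* values are per-ABI, FILTER_ARCH must be the host ABI too.
 *
 * NOTE(review): a deny-list only blocks what it names; anything it forgets
 * stays allowed.  For an actual sandbox an allow-list is the safer shape.
 */
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "filter3.c: add the AUDIT_ARCH_* value for this architecture"
#endif

static struct sock_filter filter[] = {
    /* A = arch; anything but the host ABI goes straight to "bad" */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 0, 6),
    /* A = nr; each listed syscall jumps to the kill return below */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bind,    4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_listen,  3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_accept,  2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_accept4, 1, 0),
    /* good: */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* bad: kill the whole process, not just the calling thread */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};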
44 
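/*
 * Run argv[1] (with argv[1..] as its argv) under the seccomp filter above
 * and report how the child finished.
 *
 * Returns 1 on a usage error or when fork()/waitpid() fails in the parent;
 * otherwise 0 once the child has been reaped.  The child's own status is
 * printed but, as before, not propagated.
 */
int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("usage: %s <cmd> <args...?>\n", argv[0]);
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        /* Previously a failed fork() fell into the parent branch and
         * wait()ed for a child that was never created. */
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        printf("start forking thirdparty binary...\n");
        /* execv() discards unflushed stdio buffers; with stdout on a pipe
         * the line above would otherwise never appear. */
        fflush(stdout);

        /* Mandatory for an unprivileged SECCOMP_SET_MODE_FILTER (the kernel
         * returns EACCES without it), and it is what stops the sandboxed
         * program from regaining privilege through set-uid or file-capability
         * binaries it may exec. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            _exit(1);
        }

        struct sock_fprog prog = {
            .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) != 0) {
            perror("seccomp");
            _exit(1);
        }

        /* The filter survives exec, so the target runs entirely under it. */
        execv(argv[1], &argv[1]);
        /* Only reached when exec fails; the old code fell through to
         * "return 0", so a missing binary was reported as a clean exit. */
        perror("execv");
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        /* A SECCOMP_RET_KILL_PROCESS verdict arrives here as SIGSYS. */
        printf("secure computing killed/stopped by signal %d\n", WTERMSIG(status));
    } else if (WIFSTOPPED(status)) {
        /* Not reachable without WUNTRACED, but WTERMSIG is meaningless for
         * a stopped status; WSTOPSIG is the matching accessor. */
        printf("secure computing killed/stopped by signal %d\n", WSTOPSIG(status));
    } else {
        printf("secure computing aborted.");
    }
    return 0;
}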