1 #include <stdio.h>
2 #include <stdlib.h>
3 #include <unistd.h>
4 #include <stddef.h>
5 #include <sys/prctl.h>
6 #include <linux/seccomp.h>
7 #include <linux/filter.h>
8 #include <linux/audit.h>
9 #include <errno.h>
10 #include <linux/unistd.h>
11 #include <asm/unistd.h>
12 #include <sys/wait.h>
13 #include <fcntl.h>
14
15
16
/*
 * Thin wrapper that issues the raw seccomp(2) system call through
 * syscall(2), so the rest of the file can call it like a libc function.
 *
 * operation/flags/args are passed straight through to the kernel.
 * Returns the kernel's result converted to int (0 on success, -1 with
 * errno set on failure, as for any other syscall(2) invocation).
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args)
{
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int)rc;
}
20
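// Deny-list filter, shown here in bpf_asm -c form:
// ========================================
// ld [4]                  /* offsetof(struct seccomp_data, arch) */
// jne #0xc000003e, bad    /* AUDIT_ARCH_X86_64 */
// ld [0]                  /* offsetof(struct seccomp_data, nr) */
// jeq #200, bad           /* __NR_bind    (x86-64) */
// jeq #201, bad           /* __NR_listen  (x86-64) */
// jeq #202, bad           /* __NR_accept  (x86-64) */
// jeq #288, bad           /* __NR_accept4 (x86-64) */
// good: ret #0x7fff0000   /* SECCOMP_RET_ALLOW */
// bad:  ret #0x80000000   /* SECCOMP_RET_KILL_PROCESS */
// ========================================
//
// The syscall numbers are written as x86-64 constants on purpose: the
// program checks seccomp_data.arch first and kills anything that is not
// AUDIT_ARCH_X86_64, so the numbers never have to be valid for any other
// syscall table (using __NR_* here would silently change the policy when
// the tool is built for another architecture).
//
// Every "jeq" jumps directly to the final kill instruction, so the jump
// offsets are tied to the array layout: kill is the last entry and allow
// the one before it.
//
// NOTE(review): this is a deny-list, so it only stops the syscalls it
// names; other syscalls that reach the same kernel functionality remain
// allowed. accept4 was missing from the original three entries and is
// added here because it accepts a connection exactly like accept. If this
// grows beyond a demo, an allow-list (default kill, enumerate what the
// binary needs) is the stronger shape.
static struct sock_filter filter[] = {
    /* A = seccomp_data.arch; anything but x86-64 -> kill (last entry) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 6),
    /* A = seccomp_data.nr; each denied number jumps to kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 200, 4, 0), /* bind    */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 201, 3, 0), /* listen  */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 202, 2, 0), /* accept  */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 288, 1, 0), /* accept4 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};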
44
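/*
 * Run argv[1..] in a child process under the seccomp deny-list above.
 *
 * The child installs the filter and then execv()s the target; seccomp
 * filters survive execve, so the third-party binary runs with the denied
 * syscalls forbidden. The parent waits for the child and reports how it
 * ended.
 *
 * Returns 1 on a usage error or when fork/waitpid fails, 0 otherwise (the
 * child's own exit status is printed, not propagated).
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("usage: %s <cmd> <args...?>\n", argv[0]);
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        printf("start forking thirdparty binary...\n");
        /* execv does not flush stdio, so a buffered stdout (pipe/file)
         * would otherwise lose this line. */
        fflush(stdout);

        /* SECCOMP_SET_MODE_FILTER is refused (EACCES) for an unprivileged
         * process unless no_new_privs is set; the bit also stops the
         * filtered binary from gaining privileges via set-uid or file
         * capabilities on a later exec. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            _exit(1);
        }

        struct sock_fprog prog = {
            .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) != 0) {
            perror("seccomp");
            _exit(1);
        }

        execv(argv[1], &argv[1]);
        /* Only reached when exec failed. _exit keeps the child from running
         * the parent's atexit handlers or re-flushing inherited buffers. */
        perror("execv");
        _exit(127);
    }

    /* Parent: wait for this child specifically, retrying on EINTR so an
     * interrupted wait is not reported as a failure. */
    int status = 0;
    pid_t waited;
    do {
        waited = waitpid(pid, &status, 0);
    } while (waited < 0 && errno == EINTR);
    if (waited < 0) {
        perror("waitpid");
        return 1;
    }

    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        /* A filter hit (SECCOMP_RET_KILL_PROCESS) ends up here as SIGSYS. */
        printf("secure computing killed/stopped by signal %d\n", WTERMSIG(status));
    } else if (WIFSTOPPED(status)) {
        /* Not reachable without WUNTRACED; kept so the report stays
         * complete, and uses WSTOPSIG (WTERMSIG is meaningless here). */
        printf("secure computing killed/stopped by signal %d\n", WSTOPSIG(status));
    } else {
        printf("secure computing aborted.\n");
    }
    return 0;
}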
71
72