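/*
 * Run a third-party binary under a seccomp-BPF deny list that refuses the
 * server-side socket calls (bind, listen, accept, accept4).
 *
 * Usage: <launcher> <cmd> <args...>   -- argv[1] is exec'd with argv[1..].
 * The parent waits and reports how the child ended; a denied syscall kills
 * the child with SIGSYS (SECCOMP_RET_KILL_PROCESS), which shows up here as
 * "killed/stopped by signal".
 */
#define _GNU_SOURCE             /* syscall(2) prototype in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
#include <errno.h>
#include <linux/unistd.h>
#include <asm/unistd.h>
#include <sys/wait.h>
#include <fcntl.h>

/* Older <linux/seccomp.h> lacks this action; the value is the one the filter used. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/*
 * The __NR_* numbers compiled into the filter only mean something for the
 * architecture they come from, so the filter's arch check must match the
 * build target.  Hard-coding 200/201/202 (bind/listen/accept in the
 * asm-generic/arm64 table) next to an AUDIT_ARCH_X86_64 check blocks the
 * wrong syscalls on x86-64 and leaves the socket calls open.
 */
#if defined(__x86_64__)
#define FILTER_AUDIT_ARCH AUDIT_ARCH_X86_64
/* x32 ABI calls report AUDIT_ARCH_X86_64 but carry this bit in nr; refuse them. */
#define X32_SYSCALL_BIT 0x40000000U
#elif defined(__aarch64__)
#define FILTER_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "no AUDIT_ARCH_* / __NR_* mapping for this target"
#endif

/*
 * Thin wrapper for seccomp(2).
 *
 * @return 0 on success, -1 with errno set on failure (as the raw syscall does).
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args)
{
    return (int)syscall(__NR_seccomp, operation, flags, args);
}

/*
 * Deny-list filter.  Equivalent bpf_asm:
 *
 *   ld  [offsetof(struct seccomp_data, arch)]
 *   jeq #FILTER_AUDIT_ARCH, check_nr
 *   ret #SECCOMP_RET_KILL_PROCESS
 * check_nr:
 *   ld  [offsetof(struct seccomp_data, nr)]
 *   (x86-64 only) jge #X32_SYSCALL_BIT, kill
 *   jeq #__NR_bind,    kill
 *   jeq #__NR_listen,  kill
 *   jeq #__NR_accept,  kill
 *   jeq #__NR_accept4, kill    -- accept4 is an equivalent entry point for accept
 *   ret #SECCOMP_RET_ALLOW
 * kill:
 *   ret #SECCOMP_RET_KILL_PROCESS
 *
 * Jump offsets are relative to the following instruction.  Every deny-list
 * row lands on the final KILL_PROCESS, so to deny one more syscall insert a
 * BPF_JUMP row before the ALLOW and add one to the jt of each row above it.
 */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef X32_SYSCALL_BIT
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
#endif
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_bind, 4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_listen, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_accept, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_accept4, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

/*
 * Fork, install the filter in the child, exec argv[1], and report the
 * child's fate from the parent.
 *
 * @return 1 on usage error or when fork/waitpid fails in the parent, else 0.
 *         The child exits 1 if it cannot install the filter and 127 if
 *         execv fails.
 */
int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("usage: %s <cmd> <args...?>\n", argv[0]);
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        printf("start forking thirdparty binary...\n");
        /* stdio buffers do not survive execv; flush so the line is not lost when stdout is a pipe. */
        fflush(stdout);

        /*
         * The kernel refuses SECCOMP_SET_MODE_FILTER from an unprivileged
         * process unless no_new_privs is set (EACCES otherwise); it exists so
         * a filter cannot be used to tamper with a set-uid program exec'd later.
         */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            _exit(1);
        }

        struct sock_fprog prog = {
            .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
            .filter = filter,
        };
        if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)) {
            perror("seccomp");
            _exit(1);
        }

        execv(argv[1], &argv[1]);
        /* Only reached when execv fails; _exit so the child does not run the parent's atexit/stdio teardown. */
        perror("execv");
        _exit(127);
    }

    /*
     * No WUNTRACED, so a stopped child is never reported here; only exit and
     * signal termination are possible outcomes.
     */
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        /* A denied syscall ends the child with SIGSYS via SECCOMP_RET_KILL_PROCESS. */
        printf("secure computing killed/stopped by signal %d\n", WTERMSIG(status));
    } else {
        printf("secure computing aborted.");
    }
    return 0;
}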