1*221b0c1eSDavid Wang #include <stdio.h>
2*221b0c1eSDavid Wang #include <stdlib.h>
3*221b0c1eSDavid Wang #include <unistd.h>
4*221b0c1eSDavid Wang #include <stddef.h>
5*221b0c1eSDavid Wang #include <sys/prctl.h>
6*221b0c1eSDavid Wang #include <linux/seccomp.h>
7*221b0c1eSDavid Wang #include <linux/filter.h>
8*221b0c1eSDavid Wang #include <linux/audit.h>
9*221b0c1eSDavid Wang #include <errno.h>
10*221b0c1eSDavid Wang // #include <linux/unistd.h>
11*221b0c1eSDavid Wang #include <asm/unistd.h>
12*221b0c1eSDavid Wang #include <sys/wait.h>
13*221b0c1eSDavid Wang #include <fcntl.h>
14*221b0c1eSDavid Wang 
15*221b0c1eSDavid Wang 
16*221b0c1eSDavid Wang 
/*
 * Minimal wrapper for the seccomp(2) system call.  glibc provides no
 * seccomp() function (see seccomp(2)), so it is invoked via syscall(2).
 *
 * operation: SECCOMP_SET_MODE_STRICT, SECCOMP_SET_MODE_FILTER, ...
 * flags:     operation-specific flags (0 for strict mode)
 * args:      operation-specific argument (NULL for strict mode)
 *
 * Returns the raw syscall result: 0 on success, -1 with errno set on
 * failure.  Per seccomp(2), once strict mode is active seccomp(2) itself is
 * no longer a permitted system call, so invoking this again from inside the
 * sandbox terminates the process rather than returning an error.
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args) {
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int)rc;
}
20*221b0c1eSDavid Wang 
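/*
 * Stand-in for untrusted "third-party library" code that runs inside a
 * seccomp strict-mode sandbox.  In strict mode only read(2), write(2),
 * _exit(2) and sigreturn(2) are permitted; any other system call gets the
 * (single-threaded) process SIGKILLed — see seccomp(2).
 *
 * Reads eight 32-bit words from fd, XORs them together, prints the result
 * to stdout and terminates the process.  This function never returns.
 *
 * fd: descriptor to read from (main() passes /dev/urandom).
 *
 * Exit status: 0 on success, 1 if the sandbox could not be entered,
 * 2 if a read failed or came back short.
 *
 * NOTE(review): main() already enters strict mode before calling this
 * function; at that point the seccomp() call below is itself a disallowed
 * syscall and the child is killed before any read happens.  Confirm whether
 * that is the intended demonstration — if the library is meant to run,
 * either this call or the one in main() should go.
 */
void thirdparty_func(int fd) {
    /* Fail closed: running untrusted code *without* the sandbox is worse
       than not running it.  If seccomp() returns an error we are not
       restricted yet, so perror()/exit() are still safe here. */
    if (seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL) != 0) {
        perror("thirdparty_func: seccomp");
        exit(1);
    }

    unsigned int acc = 0;
    for (int i = 0; i < 8; i++) {
        unsigned int word = 0;
        /* read(2) is allowed in strict mode but can still fail (bad fd) or
           return short; bail out rather than fold a stale word into acc. */
        ssize_t n = read(fd, &word, sizeof word);
        if (n != (ssize_t)sizeof word) {
            syscall(__NR_exit, 2);
        }
        acc ^= word;
    }

    printf("running some library code ==> 0x%x\n", acc);
    /* Flush explicitly: this only needs write(2), whereas the raw exit
       below skips stdio's atexit flush, so without it the line is lost
       whenever stdout is a pipe or file rather than a tty.  This relies on
       stdout's buffer already being allocated before strict mode was
       entered (main() prints first); with glibc a first-ever allocation
       would need fstat/brk/mmap, none of which strict mode allows. */
    fflush(stdout);

    /* Must be the raw exit syscall: libc exit()/_exit() use exit_group(2),
       which strict mode does not permit. */
    syscall(__NR_exit, 0);
}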
30*221b0c1eSDavid Wang 
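/*
 * Forks a child that enters seccomp strict mode and then runs
 * thirdparty_func() on a /dev/urandom descriptor; the parent waits and
 * reports how the child ended (normal exit status, or the signal that
 * killed it — a SIGKILL here means the child attempted a syscall outside
 * the strict-mode set).
 *
 * Returns 0 after reporting, 1 if open/fork/wait fails, or (in the child)
 * 1 if strict mode could not be entered.
 */
int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;

    /* Open before forking so a failure is reported once, here, instead of
       surfacing as a failed read() inside the sandbox. */
    int fd = open("/dev/urandom", O_CLOEXEC | O_RDONLY);
    if (fd < 0) {
        perror("open /dev/urandom");
        return 1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        close(fd);
        return 1;
    }

    if (pid == 0) {
        printf("start thirdpart library\n");
        /* Flush while fstat/brk/write are all still permitted: this gets
           the line out even when stdout is a pipe or file (the child later
           leaves via a raw exit syscall that skips stdio's atexit flush),
           and ensures stdout's buffer exists before the allowed syscalls
           shrink to read/write/_exit/sigreturn. */
        fflush(stdout);
        if (seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL)) {
            perror("seccomp fail");
            return 1;   /* not sandboxed yet, so a normal libc exit is fine */
        }
        thirdparty_func(fd);
        /* thirdparty_func() exits the process itself.  Should it ever
           return, close()/exit_group() below would be forbidden under
           strict mode and the child would be SIGKILLed, so leave through
           the one exit path strict mode allows. */
        syscall(__NR_exit, 0);
    }

    int status = 0;
    if (wait(&status) < 0) {
        perror("wait");
        close(fd);
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        printf("secure computing killed/stopped by signal %d\n", WTERMSIG(status));
    } else if (WIFSTOPPED(status)) {
        /* wait() only reports terminated children (waitpid() with WUNTRACED
           would be needed to see stops), so this branch is not expected to
           fire; if it does, WSTOPSIG is the right macro, not WTERMSIG. */
        printf("secure computing killed/stopped by signal %d\n", WSTOPSIG(status));
    } else {
        printf("secure computing aborted.");
    }
    close(fd);
    return 0;
}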
54*221b0c1eSDavid Wang 
55