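#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
#include <errno.h>
// #include <linux/unistd.h>
#include <asm/unistd.h>
#include <sys/wait.h>
#include <fcntl.h>

/*
 * Thin wrapper over the raw seccomp(2) system call.
 * Returns the syscall result: 0 on success, -1 with errno set on failure.
 */
static inline int seccomp(unsigned int operation, unsigned int flags, void *args)
{
    return syscall(__NR_seccomp, operation, flags, args);
}

/*
 * Stand-in for untrusted "library" code that runs after the caller has
 * entered SECCOMP_MODE_STRICT. In strict mode only read(2), write(2),
 * _exit(2) and sigreturn(2) are permitted; any other system call terminates
 * the process with SIGKILL. The seccomp() call below is therefore not
 * allowed once main() has already entered strict mode, and appears to be
 * what the parent's "killed/stopped by signal" branch exercises.
 *
 * fd: descriptor opened before strict mode was entered; read(2) on it is
 *     still permitted.
 * Does not return on the normal path: it leaves via the raw exit syscall,
 * because the libc exit paths use exit_group(2), which strict mode does
 * not allow.
 */
void thirdparty_func(int fd)
{
    seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL);

    unsigned int x = 0;
    for (int i = 0; i < 8; i++) {
        unsigned int v = 0;   /* initialised so a short or failed read never XORs garbage */
        ssize_t n = read(fd, &v, sizeof v);
        if (n != (ssize_t)sizeof v) {
            break;            /* EOF or error: stop rather than mix in a partial word */
        }
        x ^= v;
    }
    printf("running some library code ==> 0x%x\n", x);
    /* The raw exit syscall skips stdio cleanup; flush explicitly (write(2) is allowed). */
    fflush(stdout);
    syscall(__NR_exit, 0);
}

/*
 * Demonstration driver: forks, puts the child into seccomp strict mode and
 * runs thirdparty_func() there, while the parent reports how the child ended.
 *
 * Returns 0 on success, 1 if a setup step (open/fork/seccomp/waitpid) fails.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* Open before fork and before strict mode: open(2) is not permitted afterwards. */
    int fd = open("/dev/urandom", O_CLOEXEC | O_RDONLY);
    if (fd < 0) {
        perror("open /dev/urandom");
        return 1;
    }

    /* Flush so the child does not inherit and re-emit already-buffered stdout. */
    fflush(stdout);
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        close(fd);
        return 1;
    }

    if (pid == 0) {
        printf("start thirdpart library\n");
        fflush(stdout);   /* buffered output must reach the fd before strict mode */
        if (seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL)) {
            perror("seccomp fail");
            return 1;
        }
        thirdparty_func(fd);
        /* Not reached on the normal path; only the raw exit syscall is safe in strict mode. */
        syscall(__NR_exit, 0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        close(fd);
        return 1;
    }
    if (WIFEXITED(status)) {
        printf("secure computing done, exit status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        printf("secure computing killed/stopped by signal %d\n", WTERMSIG(status));
    } else if (WIFSTOPPED(status)) {
        /* WTERMSIG is only meaningful for signalled children; stopped ones use WSTOPSIG. */
        printf("secure computing killed/stopped by signal %d\n", WSTOPSIG(status));
    } else {
        printf("secure computing aborted.\n");
    }
    close(fd);
    return 0;
}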