#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <seccomp.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <sched.h>
#include <pwd.h>
#include <grp.h>
#include <sys/mount.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/eventfd.h>
#include <sys/fsuid.h>
#include <sys/signalfd.h>
#include <sys/prctl.h>
#include <linux/sched.h>
#include <linux/filter.h>
#include <errno.h>
/*
 * Write msg to stderr exactly as given (no newline is appended; callers
 * include their own) and terminate the process with exit status 1.
 */
void die(const char *msg) {
    fprintf(stderr, "%s", msg);
    exit(1);
}
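/*
 * Build a seccomp filter whose only rule makes ioctl(fd, TIOCSTI, ...) fail
 * with EPERM, then print the compiled BPF program to stdout (fd 1).
 *
 * The filter's default action is SCMP_ACT_ALLOW, so every other syscall is
 * permitted. On an x86_64 or aarch64 host the matching 32-bit architecture
 * (x86 / arm) is added to the filter as well, so the rule is applied to
 * that ABI too rather than only to the native one.
 *
 * Exits with status 1 via die() when any libseccomp call fails; returns 0
 * after the program has been exported.
 */
int main(void) {
    /* {native arch, additional arch to filter}; terminated by a zero row. */
    static const uint32_t extra_arches[][2] = {
        {SCMP_ARCH_X86_64, SCMP_ARCH_X86},
        {SCMP_ARCH_AARCH64, SCMP_ARCH_ARM},
        {0, 0}
    };

    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!ctx) {
        die("Initialize seccomp failed\n");
    }

    /* Hoisted out of the loop: the native arch does not change. */
    uint32_t native = seccomp_arch_native();
    for (size_t i = 0; extra_arches[i][0] != 0; i++) {
        if (native == extra_arches[i][0]) {
            if (seccomp_arch_add(ctx, extra_arches[i][1]) < 0) {
                die("Error adding extra arch\n");
            }
        }
    }

    /*
     * Deny TIOCSTI with EPERM instead of killing the process, so a caller
     * just sees a failed ioctl. Argument 1 (the request) is compared under
     * a 32-bit mask, i.e. only its low 32 bits are examined; the (int)
     * cast of TIOCSTI is kept exactly as in the original rule.
     * NOTE(review): TIOCSTI is normally provided by <sys/ioctl.h>, which is
     * not in this file's include list -- presumably reached transitively;
     * confirm before building on another libc.
     */
    if (seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(ioctl), 1,
                         SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)) < 0) {
        die("Failed to add TIOCSTI rule\n");
    }

    /*
     * The export result was previously ignored: a failed export would leave
     * stdout empty or truncated while the process still exited with 0, and
     * a consumer loading that output would get no TIOCSTI restriction at all.
     */
    if (seccomp_export_bpf(ctx, 1) < 0) {
        die("Failed to export BPF filter\n");
    }

    seccomp_release(ctx);
    return 0;
}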