#include <unistd.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/bpf.h>
#include <linux/seccomp.h>
#include <linux/filter.h>
#include <linux/audit.h>
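/*
 * Verdict returned for a blocked syscall.
 *
 * SECCOMP_RET_KILL_PROCESS (headers/kernels >= 4.14) terminates the whole
 * thread group.  The older SECCOMP_RET_KILL is an alias for
 * SECCOMP_RET_KILL_THREAD and only kills the calling thread, which is fine
 * for this single-threaded launcher but leaves a multi-threaded child with
 * one thread missing instead of stopping it.  Older kernels treat the
 * unknown KILL_PROCESS value as a kill as well, so the fallback is only
 * needed for older headers.
 */
#ifdef SECCOMP_RET_KILL_PROCESS
#define TRAP_OR_KILL SECCOMP_RET_KILL_PROCESS
#else
#define TRAP_OR_KILL SECCOMP_RET_KILL
#endif

/*
 * On x86-64 a syscall number with this bit set selects the x32 ABI, and the
 * seccomp_data.arch field still reads AUDIT_ARCH_X86_64 for such calls.  A
 * filter that only compares nr against __NR_fork etc. would therefore let
 * (__NR_fork | 0x40000000) through.  Defined locally, as in the seccomp(2)
 * manual page example, so no extra header is required.
 */
#ifndef X32_SYSCALL_BIT
#define X32_SYSCALL_BIT 0x40000000
#endif

/*
 * Expands to two instructions: "if A == __NR_<syscall> return TRAP_OR_KILL".
 * jt=0 falls into the RET on a match; jf=1 hops over it otherwise.
 */
#define Block(syscall) \
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##syscall, 0, 1), \
    BPF_STMT(BPF_RET+BPF_K, TRAP_OR_KILL)

/*
 * The seccomp-BPF program installed by main().  It is a deny-list: a few
 * process-creation and socket syscalls are killed and everything else is
 * allowed.  NOTE(review): an allow-list is the stronger design; a deny-list
 * silently admits any new syscall the kernel grows.
 */
struct sock_filter filter[] = {
    /* The architecture must be checked before the syscall number means
     * anything: the same nr names a different call under the i386 ABI. */
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET+BPF_K, TRAP_OR_KILL),
    /* load the syscall number into A */
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),
    /* Refuse x32-ABI numbers (and, as an unsigned compare, negative ones) so
     * the equality checks below cannot be sidestepped via the x32 entry. */
    BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, X32_SYSCALL_BIT, 0, 1),
    BPF_STMT(BPF_RET+BPF_K, TRAP_OR_KILL),
    /* block some syscalls we definitely do not want to allow */
    Block(fork),
    Block(vfork),
    Block(clone),
#ifdef __NR_clone3
    /* clone3 (Linux >= 5.3) creates processes too; without it the
     * fork/vfork/clone denial above is bypassable on newer kernels. */
    Block(clone3),
#endif
    Block(socket),
    /* allow everything else */
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
};

/* Wrapper handed to prctl(PR_SET_SECCOMP); len is the instruction count. */
struct sock_fprog bpf_prog = {
    .len = sizeof(filter)/sizeof(filter[0]),
    .filter = filter
};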
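/*
 * Entry point: install the seccomp filter on this process, then exec the
 * requested program, which inherits the filter across execve().
 *
 * argv[1] is the program to run (resolved on PATH by execvp); argv[2..] are
 * passed to it unchanged.  Returns 1 on a usage error or when either prctl()
 * or the exec fails; on success execvp() does not return.
 */
int main(int argc, char** argv) {
    /* Validate the command line before touching process state.  The original
     * test was "argc < 1", which never fires (argc is at least 1 under a
     * normal exec) and let argv[1] == NULL reach execvp(). */
    if (argc < 2) {
        fprintf(stderr, "Usage: nonaughty /path/to/executable [args...]\n");
        return 1;
    }
    /* Required to load a filter without CAP_SYS_ADMIN.  It also prevents a
     * setuid/setgid or file-capability binary exec'd below from gaining
     * privilege while confined by a filter it did not choose. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    /* Install the filter.  It survives execve() and can only be tightened by
     * stacking further filters, never removed. */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_prog) < 0) {
        perror("prctl(PR_SET_SECCOMP)");
        return 1;
    }
    /* execvp() should only need execve(2) for its PATH walk, which the
     * filter does not block, so a failure here is a genuine exec error. */
    if (execvp(argv[1], argv + 1) < 0) {
        perror("Unable to execv");
        return 1;
    }
    return 0;
}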