LSS2019 Seccomp/Libseccomp Tutorial
#include <errno.h> // errno, duh
#include <seccomp.h> // seccomp, duh
#include <stdint.h> // uint64_t, uintptr_t
#include <stdio.h> // fprintf
#include <stdlib.h> // exit
#include <sys/types.h> // fork
#include <sys/wait.h> // waitpid
#include <unistd.h> // fork
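/*
 * The one buffer the child is allowed to write(2) to stderr. The seccomp
 * rule in run_child() matches on this array's address, so it must be a
 * single file-scope object and must not be copied before the syscall.
 * (The original had a duplicated "const" qualifier; harmless but sloppy.)
 */
static const char mystring[] = "allow this fprintf\n";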
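/*
 * Child side of the demo: build a seccomp filter whose only allowed
 * syscall is write(2) of mystring to stderr, load it, then poke at it.
 *
 * The default action is SCMP_ACT_ERRNO(EPERM), so once seccomp_load()
 * succeeds every syscall that does not match the single rule returns
 * -EPERM -- the second fprintf() below, and presumably the exit_group()
 * behind exit() as well (the comment above the rule lists syscalls one may
 * want to allow to get a cleaner ending).
 *
 * Never returns. Exits with EXIT_FAILURE if the filter could not be
 * created, populated or loaded; exit(0) otherwise.
 */
void run_child(void)
{
    scmp_filter_ctx ctx;
    int rc;
    int status = EXIT_FAILURE; /* becomes 0 only once the filter is loaded */

    fprintf(stdout, "child process, pid = %d\n", getpid());
    fprintf(stdout, "mystring = %p\n", (const void *)mystring);

    /* Anything not explicitly allowed below fails with EPERM. */
    ctx = seccomp_init(SCMP_ACT_ERRNO(EPERM));
    if (ctx == NULL) {
        fprintf(stderr, "ctx == null\n");
        exit(EXIT_FAILURE);
    }

    // tests/44-live-a2_order.c has a good example of argument filtering
    // https://github.com/seccomp/libseccomp/blob/master/tests/44-live-a2_order.c
    // Here's a link to using pointers in parameter filtering
    // https://gist.github.com/drakenclimber/ba98c9745456e8efaa5a17ffcb8b21f4#file-50-live-openat-c
    // other calls worth considering allowing:
    // brk, clone, exit, fstat, futex, getppid, mmap, mprotect, open

    /*
     * Allow write(2) only when arg0 is stderr AND arg1 is mystring's
     * address. The pointer goes through uintptr_t so the widening cast is
     * well defined on 32-bit targets too. The kernel compares the raw
     * pointer handed to write(2); this only matches if the C library passes
     * mystring straight through rather than copying it into a stream
     * buffer first -- TODO confirm for the libc in use.
     */
    rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2,
                          SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
                          SCMP_A1(SCMP_CMP_EQ, (uint64_t)(uintptr_t)mystring));
    if (rc < 0) {
        fprintf(stderr, "rule add failed: %d\n", rc);
        goto out;
    }

    rc = seccomp_load(ctx);
    if (rc < 0) {
        fprintf(stderr, "load failed: %d\n", rc);
        goto out;
    }
    status = 0;

    /*
     * Non-literal format string on purpose: mystring is a constant with no
     * '%' conversions, and it is passed as-is so the filtered write(2)
     * above sees this exact buffer. Do not replace it with a copy.
     */
    fprintf(stderr, mystring);
    /* Different buffer, different fd would not help: expected to hit EPERM. */
    fprintf(stderr, "pid = %d\n", getppid());
    // original note: getpid() uses vdso and doesn't call into the kernel
    // NOTE(review): not verified here; on current glibc getpid() appears to
    // be a real syscall -- confirm before relying on it
    //fprintf(stdout, "pid = %d\n", getpid());

out:
    seccomp_release(ctx);
    exit(status);
}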
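/*
 * Fork: the child installs the seccomp filter (run_child() never returns);
 * the parent prints its own pids, then blocks in waitpid() and reports how
 * the child ended. A child that cannot exit under its own filter shows up
 * here as "killed by signal N" rather than being lost when the parent
 * returns first.
 *
 * Returns EXIT_FAILURE if fork() or waitpid() fails, 0 otherwise.
 */
int main(void)
{
    pid_t cpid = fork();
    if (cpid < 0) {
        fprintf(stderr, "Fork failed: %d\n", errno);
        return EXIT_FAILURE;
    }

    if (cpid == 0) {
        // child
        run_child(); /* exits; never returns */
        return 0;
    }

    // parent
    fprintf(stdout, "parent process,\n\tpid = %d parentpid = %d\n",
            getpid(), getppid());

    int status = 0;
    if (waitpid(cpid, &status, 0) < 0) {
        fprintf(stderr, "waitpid failed: %d\n", errno);
        return EXIT_FAILURE;
    }
    if (WIFEXITED(status)) {
        fprintf(stdout, "child exited with status %d\n", WEXITSTATUS(status));
    } else if (WIFSIGNALED(status)) {
        fprintf(stdout, "child killed by signal %d\n", WTERMSIG(status));
    }
    return 0;
}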