LSS2019 Seccomp/Libseccomp Tutorial
#include <errno.h>      // errno, duh
#include <seccomp.h>    // seccomp, duh
#include <stdio.h>      // fprintf
#include <stdlib.h>     // exit
#include <sys/types.h>  // fork
#include <sys/wait.h>   // waitpid
#include <unistd.h>     // fork
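/*
 * The one buffer the child's seccomp rule lets write() emit. The filter
 * compares the *address* of this array, so it must have static storage
 * and must be passed to write() by that exact address. Duplicate "const"
 * qualifier dropped (it was a -Wduplicate-decl-specifier warning).
 */
static const char mystring[] = "allow this fprintf\n";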
/*
 * Child side of the demo: install a seccomp filter whose default action
 * is "fail the syscall with EPERM", allow exactly one argument-filtered
 * write(), then issue two writes to show one passing and one denied.
 *
 * Never returns: every path ends in exit().
 */
void run_child(void)
{
	scmp_filter_ctx ctx;
	int rc;

	fprintf(stdout, "child process, pid = %d\n", getpid());
	// Print the address the rule below compares against.
	fprintf(stdout, "mystring = %p\n", mystring);

	// Default action: any syscall not matched by a rule returns -EPERM.
	// The process is not killed, so execution continues past denials.
	ctx = seccomp_init(SCMP_ACT_ERRNO(EPERM));
	if (ctx == NULL) {
		fprintf(stderr, "ctx == null\n");
		exit(-1);
	}

	// tests/44-live-a2_order.c has a good example of argument filtering
	// https://github.com/seccomp/libseccomp/blob/master/tests/44-live-a2_order.c
	// Here's a link to using pointers in parameter filtering
	// https://gist.github.com/drakenclimber/ba98c9745456e8efaa5a17ffcb8b21f4#file-50-live-openat-c
	// other calls worth considering allowing:
	// brk, clone, exit, fstat, futex, getppid, mmap, mprotect, open

	// The only permitted syscall: write(fd, buf, ...) with fd == stderr
	// AND buf == the address of mystring (the "2" is the number of
	// argument comparisons that follow). The filter only sees the pointer
	// value, never the bytes behind it.
	rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 2,
			      SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO),
			      SCMP_A1(SCMP_CMP_EQ, (uint64_t)mystring));
	if (rc < 0) {
		fprintf(stderr, "rule add failed: %d\n", rc);
		goto out;
	}

	// From here on the filter is enforced by the kernel for this process.
	rc = seccomp_load(ctx);
	if (rc < 0) {
		fprintf(stderr, "load failed: %d\n", rc);
		goto out;
	}

	// mystring is passed directly as the format string on purpose: the
	// intent is that libc hands mystring's own address to write(), so the
	// rule above matches. This is only safe because mystring is a constant
	// containing no '%' conversions. Whether libc really passes that
	// pointer (rather than an internal buffer) is implementation-dependent
	// -- TODO confirm with strace.
	fprintf(stderr, mystring);
	// Expected to be denied: getppid() is itself a syscall not in the allow
	// list (so it presumably returns -1/EPERM), and the buffer libc passes
	// to write() is not mystring, so the write fails with EPERM and nothing
	// appears. fprintf's return value is deliberately left unchecked.
	fprintf(stderr, "pid = %d\n", getppid());
	// getpid() uses vdso and doesn't call into the kernel
	//fprintf(stdout, "pid = %d\n", getpid());

out:
	// Frees only the libseccomp context; a filter already loaded stays in
	// the kernel for the life of the process.
	seccomp_release(ctx);
	// NOTE(review): exit/exit_group are not in the allow list, so this
	// exit() is also denied with EPERM. How libc reacts when _exit cannot
	// succeed is implementation-dependent (glibc falls through to an abort
	// instruction), so the child may end by signal rather than status 0;
	// allowing exit_group (see the list above) would make the demo clean.
	exit(0);
}
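/*
 * Fork a child that installs the seccomp filter (run_child) while the
 * parent only reports the two pids. The parent now waits for the child
 * so its output is not interleaved with the shell prompt and so the
 * child's fate (normal exit vs. death by signal) is visible to the reader.
 *
 * Returns 0 on success, -1 if fork() or waitpid() fails.
 */
int main(void)
{
	pid_t cpid = fork();
	if (cpid < 0) {
		fprintf(stderr, "Fork failed: %d\n", errno);
		return -1;
	}

	if (cpid == 0) {
		// child: run_child() ends in exit() and is not expected to return
		run_child();
		return 0;
	}

	// parent
	fprintf(stdout, "parent process,\n\tpid = %d parentpid = %d\n",
		getpid(), getppid());

	// Reap the child and report how it ended. If the child's filter denies
	// the exit syscalls, it can die by signal instead of exiting 0, and
	// that is worth seeing rather than guessing at.
	int status = 0;
	if (waitpid(cpid, &status, 0) < 0) {
		fprintf(stderr, "waitpid failed: %d\n", errno);
		return -1;
	}
	if (WIFEXITED(status)) {
		fprintf(stdout, "child exited with status %d\n",
			WEXITSTATUS(status));
	} else if (WIFSIGNALED(status)) {
		fprintf(stdout, "child killed by signal %d\n", WTERMSIG(status));
	}
	return 0;
}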