Created
September 6, 2017 14:19
-
-
Save geofft/257a9a8b09474d6a6490f7ece4761126 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <linux/seccomp.h> | |
#include <linux/filter.h> | |
#include <linux/audit.h> | |
#include <sys/prctl.h> | |
#include <asm/unistd.h> | |
#include <stddef.h> | |
#include <unistd.h> | |
int main(int argc, char *argv[]) { | |
if (argc < 2) { | |
return 1; | |
} | |
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | |
struct sock_filter filter[] = { | |
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)), | |
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0), | |
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), | |
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)), | |
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_wait4, 0, 3), | |
BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])), | |
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, -1, 0, 1), | |
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP), | |
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), | |
}; | |
struct sock_fprog fprog = { | |
.len = sizeof(filter) / sizeof(filter[0]), | |
.filter = filter, | |
}; | |
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0); | |
execvp(argv[1], &argv[1]); | |
return 1; | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
def handler(x, y): | |
raise RuntimeError("signal caught") | |
import signal | |
signal.signal(signal.SIGSYS, handler) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment