#ifdef HAVE_CONFIG_H # include "config.h" #endif #include <stddef.h> #include <unistd.h> #include <stdio.h> #include <errno.h> #include <sys/syscall.h> #ifdef HAVE_PRCTL # include <sys/prctl.h> #endif #ifdef HAVE_LINUX_SECCOMP_H # include <linux/seccomp.h> #endif #ifdef HAVE_LINUX_FILTER_H # include <linux/filter.h> #endif #if defined HAVE_PRCTL \ && defined PR_SET_NO_NEW_PRIVS \ && defined PR_SET_SECCOMP \ && defined SECCOMP_MODE_FILTER \ && defined SECCOMP_RET_ERRNO \ && defined BPF_JUMP \ && defined BPF_STMT #define SOCK_FILTER_ALLOW_SYSCALL(nr) \ BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, __NR_ ## nr, 0, 1), \ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) #define SOCK_FILTER_DENY_SYSCALL(nr, err) \ BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, __NR_ ## nr, 0, 1), \ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (SECCOMP_RET_DATA & (err))) #define SOCK_FILTER_KILL_PROCESS \ BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL) #define PRINT_ALLOW_SYSCALL(nr) \ printf("BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, %#x, 0, 0x1), " \ "BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), ", \ __NR_ ## nr) #define PRINT_DENY_SYSCALL(nr, err) \ printf("BPF_JUMP(BPF_JMP | BPF_K | BPF_JEQ, %#x, 0, 0x1), " \ "BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | %#x), ", \ __NR_ ## nr, err) static const struct sock_filter filter[] = { /* load syscall number */ BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)), /* allow syscalls */ SOCK_FILTER_ALLOW_SYSCALL(close), SOCK_FILTER_ALLOW_SYSCALL(exit), SOCK_FILTER_ALLOW_SYSCALL(exit_group), /* deny syscalls */ SOCK_FILTER_DENY_SYSCALL(sync, EBUSY), SOCK_FILTER_DENY_SYSCALL(setsid, EPERM), /* kill process */ SOCK_FILTER_KILL_PROCESS }; static const struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = (struct sock_filter *) filter, }; int main(void) { int fds[2]; puts("prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0"); printf("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ["); printf("BPF_STMT(BPF_LD | BPF_W | BPF_ABS, %#x), ", (unsigned) offsetof(struct seccomp_data, nr)); PRINT_ALLOW_SYSCALL(close); PRINT_ALLOW_SYSCALL(exit); PRINT_ALLOW_SYSCALL(exit_group); PRINT_DENY_SYSCALL(sync, EBUSY), PRINT_DENY_SYSCALL(setsid, EPERM), printf("BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)"); puts("]) = 0"); puts("+++ exited with 0 +++"); fflush(stdout); close(0); close(1); if (pipe(fds) || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) || close(0) || close(1)) _exit(77); _exit(0); } #else int main(void) { return 77; } #endif