
  1 // SPDX-License-Identifier: GPL-2.0
  2 /*
  3  * Naive system call dropper built on seccomp_filter.
  4  *
  5  * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
  6  * Author: Will Drewry <wad@chromium.org>
  7  *
  8  * The code may be used by anyone for any purpose,
  9  * and can serve as a starting point for developing
 10  * applications using prctl(PR_SET_SECCOMP, 2, ...).
 11  *
 12  * When run, returns the specified errno for the specified
 13  * system call number against the given architecture.
 14  *
 15  */
 16 
 17 #include <errno.h>
 18 #include <linux/audit.h>
 19 #include <linux/filter.h>
 20 #include <linux/seccomp.h>
 21 #include <linux/unistd.h>
 22 #include <stdio.h>
 23 #include <stddef.h>
 24 #include <stdlib.h>
 25 #include <sys/prctl.h>
 26 #include <unistd.h>
 27 
 28 static int install_filter(int arch, int nr, int error)
 29 {
 30         struct sock_filter filter[] = {
 31                 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 32                          (offsetof(struct seccomp_data, arch))),
 33                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, arch, 0, 3),
 34                 BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
 35                          (offsetof(struct seccomp_data, nr))),
 36                 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1),
 37                 BPF_STMT(BPF_RET+BPF_K,
 38                          SECCOMP_RET_ERRNO|(error & SECCOMP_RET_DATA)),
 39                 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
 40         };
 41         struct sock_fprog prog = {
 42                 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
 43                 .filter = filter,
 44         };
 45         if (error == -1) {
 46                 struct sock_filter kill = BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL);
 47                 filter[4] = kill;
 48         }
 49         if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
 50                 perror("prctl(NO_NEW_PRIVS)");
 51                 return 1;
 52         }
 53         if (prctl(PR_SET_SECCOMP, 2, &prog)) {
 54                 perror("prctl(PR_SET_SECCOMP)");
 55                 return 1;
 56         }
 57         return 0;
 58 }
 59 
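/*
 * parse_arg - parse one numeric command-line argument.
 * @what: name of the argument, used in the diagnostic.
 * @s:    the text to parse; base 0, so "10", "0x3e" and "017" all work.
 * @lo, @hi: inclusive range the value must fall in.
 * @out:  receives the value on success.
 *
 * Unlike a bare strtol() this rejects empty strings, trailing junk and
 * out-of-range input, so that e.g. "x86_64" is not silently read as arch 0.
 * Returns 0 on success, 1 after printing a message on failure.
 */
static int parse_arg(const char *what, const char *s, long long lo,
		     long long hi, long long *out)
{
	char *end;
	long long v;

	errno = 0;
	v = strtoll(s, &end, 0);
	if (s[0] == '\0' || *end != '\0' || errno == ERANGE || v < lo || v > hi) {
		fprintf(stderr, "dropper: bad %s '%s' (expected %lld..%lld)\n",
			what, s, lo, hi);
		return 1;
	}
	*out = v;
	return 0;
}

/*
 * Usage: dropper <arch> <syscall_nr> <errno> <prog> [<args>]
 *
 * Installs the filter described on the command line into this process and
 * then execv()s <prog>, which inherits it.  Exit status is 1 for bad
 * arguments or a failed filter install, 255 if execv() fails.
 */
int main(int argc, char **argv)
{
	long long arch, nr, error;

	if (argc < 5) {
		fprintf(stderr, "Usage:\n"
			"dropper <arch> <syscall_nr> <errno> <prog> [<args>]\n"
			"Hint:  AUDIT_ARCH_I386: 0x%X\n"
			"       AUDIT_ARCH_X86_64: 0x%X\n"
			"       errno == -1 means SECCOMP_RET_KILL\n"
			"\n", AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);
		return 1;
	}
	/*
	 * arch is a 32-bit AUDIT_ARCH_* value, nr a non-negative syscall
	 * number, errno either -1 (kill) or something that fits the 16-bit
	 * SECCOMP_RET_DATA field.
	 */
	if (parse_arg("arch", argv[1], 0, 0xffffffffLL, &arch) ||
	    parse_arg("syscall_nr", argv[2], 0, 0x7fffffffLL, &nr) ||
	    parse_arg("errno", argv[3], -1, SECCOMP_RET_DATA, &error))
		return 1;
	/*
	 * (int)arch wraps for values above INT_MAX (AUDIT_ARCH_X86_64 is
	 * 0xc000003e); install_filter() widens it back to a 32-bit BPF_K.
	 */
	if (install_filter((int)arch, (int)nr, (int)error))
		return 1;
	/* The filter is live from here on and applies to execv() itself. */
	execv(argv[4], &argv[4]);
	perror("execv");
	return 255;
}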
 78 
