Hi,
I want to add seccomp filters at run time rather than at compile time. I want to
pass a list of syscalls that need to be blocked to a C executable, which then spawns
a new child process with these filters in place.
Source code:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <linux/limits.h>
#include <string.h>
#include <seccomp.h> /* libseccomp */
#include <sys/prctl.h> /* prctl */
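/*
 * Print the command-line usage to stdout.
 *
 * argv: program name (normally argv[0]); substituted into the message.
 * Returns 0 always; the caller chooses the exit code.
 *
 * Note that the <syscalls> list is used as an allow-list by main(): the named
 * syscalls are permitted and every other syscall is killed by the filter.
 */
int show_usage(const char *argv)
{
    /* One literal split over adjacent pieces; the original was cut mid-string by line wrapping. */
    printf("Usage: %s <command> <syscalls>\n"
           "\tcommand: command to be executed with command line arguments\n"
           "\tsyscalls: space separated list of syscalls\n",
           argv);
    return 0;
}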
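int main(int argc, char **argv)
{
    /*
     * argv[1] is the command to run; argv[2..] are syscall names.
     *
     * With at least one syscall name, a seccomp filter is loaded into THIS
     * process before the command starts: the named syscalls are allowed and
     * every other syscall gets SCMP_ACT_KILL. Seccomp filters are inherited
     * across fork() and execve(), so the filter also covers the shell that
     * popen() starts and the command itself. Because it is installed in the
     * parent, the allow-list must also cover what this process itself does
     * afterwards (popen's fork/exec/pipe, fgets's read, stdout writes,
     * pclose's wait, ...), otherwise the parent is killed before the command
     * ever runs.
     *
     * Exit status: EXIT_SUCCESS when the command ran and exited 0,
     * EXIT_FAILURE on any setup error, non-zero exit or death by signal.
     */
    if (argc < 2) {
        show_usage(argv[0]);
        return 0;
    }

    if (argc >= 3) {
        /*
         * PR_SET_NO_NEW_PRIVS: nothing below us may gain privileges through
         * setuid/setgid binaries or file capabilities. prctl() is variadic
         * and the kernel requires arg3..arg5 to be zero for this option, so
         * pass them explicitly rather than leaving them unspecified.
         */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
            perror("prctl(PR_SET_NO_NEW_PRIVS)");
            exit(EXIT_FAILURE);
        }
        /* Not dumpable: no core dumps and no ptrace attach from same-uid processes. */
        if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) {
            perror("prctl(PR_SET_DUMPABLE)");
            exit(EXIT_FAILURE);
        }

        /* Default action for anything not explicitly allowed: kill. */
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
        if (ctx == NULL) {
            fprintf(stderr, "seccomp_init failed\n");
            exit(EXIT_FAILURE);
        }

        for (int i = 2; i < argc; i++) {
            /*
             * SCMP_SYS() is a token-pasting macro that needs the syscall
             * name at compile time, so SCMP_SYS(argv[i]) cannot work.
             * Resolve the runtime string through libseccomp instead.
             */
            int nr = seccomp_syscall_resolve_name(argv[i]);
            if (nr == __NR_SCMP_ERROR) {
                fprintf(stderr, "unknown syscall: %s\n", argv[i]);
                seccomp_release(ctx);
                exit(EXIT_FAILURE);
            }
            /* libseccomp reports failure as -errno. */
            int rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, nr, 0);
            if (rc < 0) {
                fprintf(stderr, "seccomp_rule_add(%s): %s\n", argv[i], strerror(-rc));
                seccomp_release(ctx);
                exit(EXIT_FAILURE);
            }
        }

        int load_rc = seccomp_load(ctx);
        seccomp_release(ctx); /* the kernel keeps its own copy once loaded */
        if (load_rc < 0) {
            fprintf(stderr, "seccomp_load: %s\n", strerror(-load_rc));
            exit(EXIT_FAILURE);
        }
    }

    /*
     * Build "<command> 2>&1" in our own buffer: strcat() onto argv[1] writes
     * past the end of the argument string the kernel handed us (into argv[2]
     * and beyond), an out-of-bounds write.
     *
     * popen() hands the string to "/bin/sh -c", so argv[1] is interpreted by
     * the shell, metacharacters included; it must come from a trusted caller.
     */
    static const char redirect[] = " 2>&1";
    size_t cmd_len = strlen(argv[1]) + sizeof redirect; /* sizeof counts the NUL */
    char *cmd = malloc(cmd_len);
    if (cmd == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    snprintf(cmd, cmd_len, "%s%s", argv[1], redirect);

    FILE *pipe_fp = popen(cmd, "r");
    if (pipe_fp == NULL) {
        perror("Error in popen");
        free(cmd);
        exit(EXIT_FAILURE);
    }
    free(cmd); /* the child has been started; the string is no longer needed */

    /* Forward the child's combined stdout/stderr line by line (PATH_MAX-sized chunks). */
    char line[PATH_MAX];
    while (fgets(line, sizeof line, pipe_fp) != NULL) {
        fputs(line, stdout);
    }

    /*
     * pclose() returns -1 if waiting failed, otherwise the wait status. Any
     * non-zero value (non-zero exit, or death by signal; SIGSYS is what
     * SCMP_ACT_KILL delivers when the shell itself trips the filter) is
     * treated as failure.
     */
    int close_status = pclose(pipe_fp);
    if (close_status != 0) {
        exit(EXIT_FAILURE);
    }
    exit(EXIT_SUCCESS);
}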