Startseite Erkunden Hilfe
Anmelden
phreedom2600net
/
linux-libre
Beobachten 2
Favorit hinzufügen 0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: b4e9ce8144
Branches Tags
linux-libre
/
samples
/
seccomp
/
bpf-fancy.c

bpf-fancy.c 2.4 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105 
  1. /*
    2. 

  2.  * Seccomp BPF example using a macro-based generator.
    3. 

  3.  *
    4. 

  4.  * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
    5. 

  5.  * Author: Will Drewry <wad@chromium.org>
    6. 

  6.  *
    7. 

  7.  * The code may be used by anyone for any purpose,
    8. 

  8.  * and can serve as a starting point for developing
    9. 

  9.  * applications using prctl(PR_ATTACH_SECCOMP_FILTER).
    10. 

  10.  */
    11. 

  11. 

  12. #include <linux/filter.h>
    13. 

  13. #include <linux/seccomp.h>
    14. 

  14. #include <linux/unistd.h>
    15. 

  15. #include <stdio.h>
    16. 

  16. #include <string.h>
    17. 

  17. #include <sys/prctl.h>
    18. 

  18. #include <unistd.h>
    19. 

  19. 

  20. #include "bpf-helper.h"
    21. 

  21. 

  22. #ifndef PR_SET_NO_NEW_PRIVS
    23. 

  23. #define PR_SET_NO_NEW_PRIVS 38
    24. 

  24. #endif
    25. 

  25. 

  26. int main(int argc, char **argv)
    27. 

  27. {
    28. 

  28. 	struct bpf_labels l = {
    29. 

  29. 		.count = 0,
    30. 

  30. 	};
    31. 

  31. 	static const char msg1[] = "Please type something: ";
    32. 

  32. 	static const char msg2[] = "You typed: ";
    33. 

  33. 	char buf[256];
    34. 

  34. 	struct sock_filter filter[] = {
    35. 

  35. 		/* TODO: LOAD_SYSCALL_NR(arch) and enforce an arch */
    36. 

  36. 		LOAD_SYSCALL_NR,
    37. 

  37. 		SYSCALL(__NR_exit, ALLOW),
    38. 

  38. 		SYSCALL(__NR_exit_group, ALLOW),
    39. 

  39. 		SYSCALL(__NR_write, JUMP(&l, write_fd)),
    40. 

  40. 		SYSCALL(__NR_read, JUMP(&l, read)),
    41. 

  41. 		DENY,  /* Don't passthrough into a label */
    42. 

  42. 

  43. 		LABEL(&l, read),
    44. 

  44. 		ARG(0),
    45. 

  45. 		JNE(STDIN_FILENO, DENY),
    46. 

  46. 		ARG(1),
    47. 

  47. 		JNE((unsigned long)buf, DENY),
    48. 

  48. 		ARG(2),
    49. 

  49. 		JGE(sizeof(buf), DENY),
    50. 

  50. 		ALLOW,
    51. 

  51. 

  52. 		LABEL(&l, write_fd),
    53. 

  53. 		ARG(0),
    54. 

  54. 		JEQ(STDOUT_FILENO, JUMP(&l, write_buf)),
    55. 

  55. 		JEQ(STDERR_FILENO, JUMP(&l, write_buf)),
    56. 

  56. 		DENY,
    57. 

  57. 

  58. 		LABEL(&l, write_buf),
    59. 

  59. 		ARG(1),
    60. 

  60. 		JEQ((unsigned long)msg1, JUMP(&l, msg1_len)),
    61. 

  61. 		JEQ((unsigned long)msg2, JUMP(&l, msg2_len)),
    62. 

  62. 		JEQ((unsigned long)buf, JUMP(&l, buf_len)),
    63. 

  63. 		DENY,
    64. 

  64. 

  65. 		LABEL(&l, msg1_len),
    66. 

  66. 		ARG(2),
    67. 

  67. 		JLT(sizeof(msg1), ALLOW),
    68. 

  68. 		DENY,
    69. 

  69. 

  70. 		LABEL(&l, msg2_len),
    71. 

  71. 		ARG(2),
    72. 

  72. 		JLT(sizeof(msg2), ALLOW),
    73. 

  73. 		DENY,
    74. 

  74. 

  75. 		LABEL(&l, buf_len),
    76. 

  76. 		ARG(2),
    77. 

  77. 		JLT(sizeof(buf), ALLOW),
    78. 

  78. 		DENY,
    79. 

  79. 	};
    80. 

  80. 	struct sock_fprog prog = {
    81. 

  81. 		.filter = filter,
    82. 

  82. 		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
    83. 

  83. 	};
    84. 

  84. 	ssize_t bytes;
    85. 

  85. 	bpf_resolve_jumps(&l, filter, sizeof(filter)/sizeof(*filter));
    86. 

  86. 

  87. 	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    88. 

  88. 		perror("prctl(NO_NEW_PRIVS)");
    89. 

  89. 		return 1;
    90. 

  90. 	}
    91. 

  91. 

  92. 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
    93. 

  93. 		perror("prctl(SECCOMP)");
    94. 

  94. 		return 1;
    95. 

  95. 	}
    96. 

  96. 	syscall(__NR_write, STDOUT_FILENO, msg1, strlen(msg1));
    97. 

  97. 	bytes = syscall(__NR_read, STDIN_FILENO, buf, sizeof(buf)-1);
    98. 

  98. 	bytes = (bytes > 0 ? bytes : 0);
    99. 

  99. 	syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2));
    100. 

  100. 	syscall(__NR_write, STDERR_FILENO, buf, bytes);
    101. 

  101. 	/* Now get killed */
    102. 

  102. 	syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2)+2);
    103. 

  103. 	return 0;
    104. 

  104. }
    105. 

  105.