mstemm · November 18, 2016 19:48
diff --git a/seccomp_policy.c b/seccomp_policy.c
 #include <fcntl.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 #include <assert.h>
 #include <linux/seccomp.h>
 #include <sys/prctl.h>
 #include "seccomp-bpf.h"

 void install_syscall_filter()
 {
        struct sock_filter filter[] = {
                /* Validate architecture. */
                VALIDATE_ARCHITECTURE,
                /* Grab the system call number. */
                EXAMINE_SYSCALL,
                /* List allowed syscalls. We add open() to the set of
                   allowed syscalls by the strict policy, but not
                   close(). */
                ALLOW_SYSCALL(rt_sigreturn),
 #ifdef __NR_sigreturn
                ALLOW_SYSCALL(sigreturn),
 #endif
                ALLOW_SYSCALL(exit_group),
                ALLOW_SYSCALL(exit),
                ALLOW_SYSCALL(read),
                ALLOW_SYSCALL(write),
                ALLOW_SYSCALL(open),
                KILL_PROCESS,
        };
        struct sock_fprog prog = {
                .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
                .filter = filter,
        };

        assert(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0);

        assert(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0);
 }

 int main(int argc, char **argv)
 {
        int output = open("output.txt", O_WRONLY);
        const char *val = "test";

        printf("Calling prctl() to set seccomp with filter...\n");

        install_syscall_filter();

        printf("Writing to an already open file...\n");
        write(output, val, strlen(val)+1);

        printf("Trying to open file for reading...\n");
        int input = open("output.txt", O_RDONLY);

        printf("Note that open() worked. However, close() will not\n");
        close(input);

        printf("You will not see this message--the process will be killed first\n");
 }
	#include <fcntl.h>
	#include <stdio.h>
	#include <string.h>
	#include <unistd.h>
	#include <assert.h>
	#include <linux/seccomp.h>
	#include <sys/prctl.h>
	#include "seccomp-bpf.h"

	void install_syscall_filter()
	{
	struct sock_filter filter[] = {
	/* Validate architecture. */
	VALIDATE_ARCHITECTURE,
	/* Grab the system call number. */
	EXAMINE_SYSCALL,
	/* List allowed syscalls. We add open() to the set of
	allowed syscalls by the strict policy, but not
	close(). */
	ALLOW_SYSCALL(rt_sigreturn),
	#ifdef __NR_sigreturn
	ALLOW_SYSCALL(sigreturn),
	#endif
	ALLOW_SYSCALL(exit_group),
	ALLOW_SYSCALL(exit),
	ALLOW_SYSCALL(read),
	ALLOW_SYSCALL(write),
	ALLOW_SYSCALL(open),
	KILL_PROCESS,
	};
	struct sock_fprog prog = {
	.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
	.filter = filter,
	};

	assert(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0);

	assert(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0);
	}

	int main(int argc, char **argv)
	{
	int output = open("output.txt", O_WRONLY);
	const char *val = "test";

	printf("Calling prctl() to set seccomp with filter...\n");

	install_syscall_filter();

	printf("Writing to an already open file...\n");
	write(output, val, strlen(val)+1);

	printf("Trying to open file for reading...\n");
	int input = open("output.txt", O_RDONLY);

	printf("Note that open() worked. However, close() will not\n");
	close(input);

	printf("You will not see this message--the process will be killed first\n");
	}