- // logs mount/umount2 syscalls to syslog
- // gcc -shared -fPIC -o wrapper.so seccomp_log_mount.c
- // LD_PRELOAD=/.../wrapper.so mount ...
- #include <stddef.h>
- #include <stdio.h>
- #include <sys/syscall.h>
- #include <sys/prctl.h>
- #include <linux/audit.h>
- #include <linux/filter.h>
- #include <linux/seccomp.h>
- #ifdef __x86_64__
- #define MY_ARCH AUDIT_ARCH_X86_64
- #else
- #error invalid arch
- #endif
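/*
 * Library constructor: installs a seccomp-BPF filter that lets every system
 * call proceed but returns SECCOMP_RET_LOG for mount and umount2, so the
 * kernel records those two calls before executing them.
 *
 * Notes for whoever deploys this as a monitoring aid:
 *  - It is a fail-open audit hook, not an enforcement control. If either
 *    prctl() fails, the error is printed and the host program keeps running
 *    without any logging.
 *  - The dynamic loader generally ignores LD_PRELOAD for set-user-ID
 *    programs (secure-execution mode, see ld.so(8)), so a setuid mount
 *    started by an unprivileged user will not run this constructor.
 *  - no_new_privs and the filter are one-way and inherited by children
 *    across fork() and execve(); helpers spawned by the wrapped program are
 *    covered too, but can no longer gain privileges via setuid/file caps.
 *  - SECCOMP_RET_LOG needs Linux 4.14 or later. Per seccomp(2), older
 *    kernels treat an unknown action as a kill, so on such a kernel the
 *    wrapped mount/umount2 would be terminated instead of logged.
 *  - Whether the record is emitted is subject to
 *    /proc/sys/kernel/seccomp/actions_logged.
 */
__attribute__((constructor))
void install_wrapper(void)
{
    /* Load marker. It goes to the wrapped program's stdout, so anything
     * parsing that output will see it. */
    printf("hello\n");

    struct sock_filter filter[] = {
        /* [0-2] Pin the syscall ABI: numbers are only meaningful for the
         * architecture they were issued under, so anything that is not
         * MY_ARCH (e.g. a 32-bit entry on x86) is killed, not evaluated. */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, MY_ARCH, 1, 0),
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_KILL),

        /* [3] Load the syscall number. */
        BPF_STMT(BPF_LD + BPF_W + BPF_ABS, offsetof(struct seccomp_data, nr)),

        /* [4] x32 calls report AUDIT_ARCH_X86_64 too, with
         * __X32_SYSCALL_BIT set in nr. Clear that bit so the comparisons
         * below also match the x32 entry points of mount/umount2; without
         * this they would fall through to ALLOW and never be logged. */
        BPF_STMT(BPF_ALU + BPF_AND + BPF_K, ~(unsigned int)__X32_SYSCALL_BIT),

        /* [5-6] mount or umount2 -> jump to the LOG return at [8]. */
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_mount, 2, 0),
        BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_umount2, 1, 0),

        /* [7] Everything else runs unlogged. */
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),

        /* [8] Log the call, then let it execute. */
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_LOG),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required so a process without CAP_SYS_ADMIN may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
        perror("no_new_privs fail");
        return;
    }

    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
        perror("bpf fail");
        return;
    }
}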