Untitled

#include <stdio.h>   /* printf */
#include <seccomp.h> /* libseccomp */
#include <fcntl.h>  /* openat */
#include <gnu/libc-version.h>

#undef SCMP_CMP
#define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
#define SCMP_CMP_STR(a,b,c) \
  ((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
/* We use a wrapper here because these masked comparisons seem to be pretty
 * verbose. Also, it's important to cast to scmp_datum_t before negating the
 * mask, since otherwise the negation might get applied to a 32 bit value, and
 * the high bits of the value might get masked out improperly. */
#define SCMP_CMP_MASKED(a,b,c) \
  SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))


/* These macros help avoid the error where the number of filters we add on a
 * single rule don't match the arg_cnt param. */
#define seccomp_rule_add_0(ctx,act,call) \
  seccomp_rule_add((ctx),(act),(call),0)
#define seccomp_rule_add_1(ctx,act,call,f1) \
  seccomp_rule_add((ctx),(act),(call),1,(f1))
#define seccomp_rule_add_2(ctx,act,call,f1,f2)  \
  seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3)       \
  seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4)      \
  seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))


int main(int argc, char **argv) {

  // Init the filter
  scmp_filter_ctx ctx;
  ctx = seccomp_init(SCMP_ACT_KILL); // default action: kill

  // setup basic whitelist
  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
  seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat64), 0);

  const char *fname = "/tmp/test";

  // setup our rule
  if (argc >= 1) {
    // before fix
    printf("Testing rule before fix.\n");
    seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                            SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD),
                            SCMP_CMP_STR(1, SCMP_CMP_EQ, fname));
  } else {
    // after fix
    printf("Testing rule after fix.\n");
    seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                            SCMP_CMP(0, SCMP_CMP_EQ, (unsigned int)AT_FDCWD),
                            SCMP_CMP_STR(1, SCMP_CMP_EQ, fname));


  }

  if (seccomp_export_pfc(ctx, 1)) {
    printf("Error exporting seccomp filter.\n");
  }

  // build and load the filter
  if (seccomp_load(ctx)) {
    printf("Error loading seccomp filter.\n");
  }

  const char *libc_version = gnu_get_libc_version();
  if (libc_version) {
    printf("GNU libc version: %s\n", libc_version);
  }
  const char *libc_release = gnu_get_libc_release();
  if (libc_release) {
    printf("GNU libc release: %s\n", libc_release);
  }

  const struct scmp_version *scmp_version = seccomp_version();
  if (scmp_version) {
    printf("libseccomp %d.%d.%d\n", scmp_version->major, scmp_version->minor, scmp_version->micro);
  }

  scmp_datum_t datum_old = SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD).datum_a;
  scmp_datum_t datum_new = SCMP_CMP(0, SCMP_CMP_EQ, (unsigned int)AT_FDCWD).datum_a;
  printf("%lu %lu\n", datum_old, datum_new);
  printf("%llu %llu\n", AT_FDCWD, (unsigned int)AT_FDCWD);

  printf("Before openat\n");
  int fd = open(fname, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600);
  printf("After openat fd = %d\n", fd);

  return 0;
}