#include <stdio.h> /* printf */
#include <inttypes.h> /* PRIu64 for scmp_datum_t */
#include <fcntl.h> /* openat */
#include <gnu/libc-version.h>
#include <seccomp.h> /* libseccomp */
/* Replace libseccomp's own SCMP_CMP() with a plain compound-literal form so the
 * two rule variants in main() can be written with identical syntax. The fourth
 * member (datum_b) is zeroed; only the masked comparison below uses it. */
#undef SCMP_CMP
#define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0})
/* Pointer-valued argument: the pointer is stored as its integer value, so the
 * rule compares the address, not the string contents (a seccomp filter cannot
 * dereference user memory). Passing a plain int such as AT_FDCWD through
 * (void*) typically sign-extends it to 64 bits on LP64 targets -- that is the
 * "before fix" encoding main() exercises. */
#define SCMP_CMP_STR(a,b,c) \
((struct scmp_arg_cmp) {(a),(b),(intptr_t)(void*)(c),0})
/* Four-member form, needed when datum_b carries a value (masked compares). */
#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)})
/* We use a wrapper here because these masked comparisons seem to be pretty
 * verbose. Also, it's important to cast to scmp_datum_t before negating the
 * mask, since otherwise the negation might get applied to a 32 bit value, and
 * the high bits of the value might get masked out improperly. */
#define SCMP_CMP_MASKED(a,b,c) \
SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c))
/* These macros help avoid the error where the number of filters we add on a
 * single rule don't match the arg_cnt param: the suffix is the number of
 * scmp_arg_cmp filters that follow, and it is forwarded as arg_cnt. */
#define seccomp_rule_add_0(ctx,act,call) \
seccomp_rule_add((ctx),(act),(call),0)
#define seccomp_rule_add_1(ctx,act,call,f1) \
seccomp_rule_add((ctx),(act),(call),1,(f1))
#define seccomp_rule_add_2(ctx,act,call,f1,f2) \
seccomp_rule_add((ctx),(act),(call),2,(f1),(f2))
#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \
seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3))
#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \
seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4))
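/*
 * Reproducer for a libseccomp argument-comparison problem with a negative
 * syscall argument (AT_FDCWD is -100). SCMP_CMP_STR() routes the value
 * through (intptr_t)(void*), which sign-extends it to 64 bits, while the
 * "after fix" form compares against the zero-extended 32-bit value.
 *
 * The program builds a default-kill filter that allows openat() only for
 * AT_FDCWD plus one fixed path, dumps and loads it, prints the libc and
 * libseccomp versions and both datum encodings, then opens the path so the
 * outcome (fd returned vs. process killed) shows which encoding the kernel
 * actually sees.
 *
 * Usage: no arguments -> "after fix" rule form; any argument -> "before fix"
 * form. Returns 0 when the test ran, 1 if the filter could not be initialised,
 * built or loaded.
 */
int main(int argc, char **argv) {
    (void)argv; /* only the presence of an argument is inspected */
    const char *fname = "/tmp/test";

    // Init the filter
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); // default action: kill
    if (ctx == NULL) {
        printf("Error initialising seccomp filter.\n");
        return 1;
    }

    // setup basic whitelist: what stdio and process exit need after the load
    const int allowed[] = {
        SCMP_SYS(rt_sigreturn), SCMP_SYS(exit_group), SCMP_SYS(read),
        SCMP_SYS(write), SCMP_SYS(fstat), SCMP_SYS(fstat64),
    };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        int err = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, allowed[i]);
        if (err < 0) {
            /* Only one of fstat/fstat64 exists on a given ABI; a non-exact
             * seccomp_rule_add() is expected to skip the pseudo-syscall, so
             * a failure here is reported but does not abort the test. */
            printf("Warning: allow rule for syscall %d failed (%d).\n",
                   allowed[i], err);
        }
    }
    // NOTE(review): newer glibc may back fstat() with newfstatat/statx; if the
    // process dies at the first stdio flush after the load, that is why.

    // setup our rule: any argument selects the pre-fix comparison form.
    // (argc is never below 1, so `argc >= 1` made the else branch unreachable.)
    // The second filter compares the *pointer value* of fname, which is why
    // the very same pointer must be handed to open() below.
    int err;
    if (argc > 1) {
        // before fix: AT_FDCWD goes through (intptr_t)(void*), sign-extended
        printf("Testing rule before fix.\n");
        err = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                                 SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD),
                                 SCMP_CMP_STR(1, SCMP_CMP_EQ, fname));
    } else {
        // after fix: compare against the zero-extended 32-bit value
        printf("Testing rule after fix.\n");
        err = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                                 SCMP_CMP(0, SCMP_CMP_EQ, (unsigned int)AT_FDCWD),
                                 SCMP_CMP_STR(1, SCMP_CMP_EQ, fname));
    }
    if (err < 0) {
        printf("Error adding openat rule (%d).\n", err);
        goto out_release;
    }

    // dump the filter in PFC form to stdout (fd 1) for inspection
    if (seccomp_export_pfc(ctx, 1)) {
        printf("Error exporting seccomp filter.\n");
    }
    // build and load the filter; without it the openat test is meaningless
    if (seccomp_load(ctx)) {
        printf("Error loading seccomp filter.\n");
        goto out_release;
    }
    /* From here on every syscall outside the allow list kills the process.
     * ctx is deliberately not released: free() may issue brk/munmap, which
     * the filter would trap, and exit_group() reclaims the memory anyway. */

    const char *libc_version = gnu_get_libc_version();
    if (libc_version) {
        printf("GNU libc version: %s\n", libc_version);
    }
    const char *libc_release = gnu_get_libc_release();
    if (libc_release) {
        printf("GNU libc release: %s\n", libc_release);
    }
    const struct scmp_version *scmp_version = seccomp_version();
    if (scmp_version) {
        // the version members are unsigned, so %u rather than %d
        printf("libseccomp %u.%u.%u\n", scmp_version->major,
               scmp_version->minor, scmp_version->micro);
    }

    // show the datum each rule form stores for AT_FDCWD; scmp_datum_t is a
    // 64-bit unsigned type, so use PRIu64 instead of %lu (wrong on ILP32)
    scmp_datum_t datum_old = SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD).datum_a;
    scmp_datum_t datum_new = SCMP_CMP(0, SCMP_CMP_EQ, (unsigned int)AT_FDCWD).datum_a;
    printf("%" PRIu64 " %" PRIu64 "\n", datum_old, datum_new);
    // %llu needs unsigned long long arguments; passing a plain int is UB.
    // First value: sign-extended 64-bit view; second: zero-extended 32-bit view.
    printf("%llu %llu\n", (unsigned long long)(long long)AT_FDCWD,
           (unsigned long long)(unsigned int)AT_FDCWD);

    // glibc implements open() on top of openat(AT_FDCWD, ...), so this is the
    // syscall the rule above filters. The fd is intentionally left open:
    // close() is not in the allow list and exit_group() releases it.
    printf("Before openat\n");
    int fd = open(fname, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600);
    printf("After openat fd = %d\n", fd);
    return 0;

out_release:
    seccomp_release(ctx);
    return 1;
}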