#include <fcntl.h>    /* open, AT_FDCWD, O_* flags */
#include <gnu/libc-version.h>
#include <inttypes.h> /* PRIu64 for scmp_datum_t */
#include <seccomp.h>  /* libseccomp */
#include <stdio.h>    /* printf */
  5.  
/* Local replacements for libseccomp's comparison helpers.  SCMP_CMP is
 * undefined first so that the struct-literal form below stands in for the
 * library macro for the rest of this file. */
#undef SCMP_CMP
#define SCMP_CMP(arg, op, datum) \
  ((struct scmp_arg_cmp){(arg), (op), (datum), 0})

/* Pointer-valued datum.  The value is converted to void * and then to
 * intptr_t, so an int such as AT_FDCWD is first turned into a pointer
 * (implementation-defined; on the usual 64-bit ABI this sign-extends it). */
#define SCMP_CMP_STR(arg, op, ptr) \
  ((struct scmp_arg_cmp){(arg), (op), (intptr_t)(void *)(ptr), 0})

#define SCMP_CMP4(arg, op, datum_a, datum_b) \
  ((struct scmp_arg_cmp){(arg), (op), (datum_a), (datum_b)})

/* Masked equality without spelling out the four-field literal every time.
 * The mask is widened to scmp_datum_t *before* it is negated: negating a
 * 32-bit value first would leave the high half of the mask clear and let
 * the high bits of the argument be ignored. */
#define SCMP_CMP_MASKED(arg, mask, value) \
  SCMP_CMP4((arg), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(mask), (value))

/* Fixed-arity wrappers around seccomp_rule_add(): the arg_cnt parameter is
 * supplied by the macro, so it cannot disagree with the number of
 * comparisons actually passed. */
#define seccomp_rule_add_0(ctx, action, syscall) \
  seccomp_rule_add((ctx), (action), (syscall), 0)
#define seccomp_rule_add_1(ctx, action, syscall, cmp1) \
  seccomp_rule_add((ctx), (action), (syscall), 1, (cmp1))
#define seccomp_rule_add_2(ctx, action, syscall, cmp1, cmp2) \
  seccomp_rule_add((ctx), (action), (syscall), 2, (cmp1), (cmp2))
#define seccomp_rule_add_3(ctx, action, syscall, cmp1, cmp2, cmp3) \
  seccomp_rule_add((ctx), (action), (syscall), 3, (cmp1), (cmp2), (cmp3))
#define seccomp_rule_add_4(ctx, action, syscall, cmp1, cmp2, cmp3, cmp4) \
  seccomp_rule_add((ctx), (action), (syscall), 4, (cmp1), (cmp2), (cmp3), (cmp4))
  31.  
  32.  
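/*
 * Reproducer for an openat() seccomp rule whose first argument is AT_FDCWD,
 * a negative int.  With a command-line argument the "before fix" rule is
 * installed: AT_FDCWD goes through SCMP_CMP_STR, i.e. a pointer cast.  With
 * no argument the "after fix" rule is installed: AT_FDCWD truncated to
 * 32 bits with (unsigned int).  The filter's default action is KILL, so the
 * process either reports the descriptor returned by open() or is killed at
 * that call, depending on whether the installed rule matches.
 *
 * Returns 0 when the test ran, 1 when the filter could not be created,
 * populated or loaded.  Bailing out on a failed load matters: continuing
 * would run open() with no filter at all, which looks exactly like a rule
 * that matched.
 */
int main(int argc, char **argv) {
  (void)argv; /* only whether an extra argument was given matters */

  // Init the filter: anything not whitelisted below kills the process.
  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
  if (ctx == NULL) {
    printf("Error initialising seccomp filter.\n");
    return 1;
  }

  // Basic whitelist: what stdio and a clean exit need.  Failures here are
  // reported but not fatal, because a syscall that does not exist on the
  // running architecture (fstat64 on a 64-bit build, presumably) may be
  // rejected without the test being invalid.
  const int basic_calls[] = {
    SCMP_SYS(rt_sigreturn), SCMP_SYS(exit_group), SCMP_SYS(read),
    SCMP_SYS(write),        SCMP_SYS(fstat),      SCMP_SYS(fstat64),
  };
  for (size_t i = 0; i < sizeof basic_calls / sizeof basic_calls[0]; i++) {
    if (seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, basic_calls[i]) < 0) {
      printf("Warning: could not whitelist syscall %d.\n", basic_calls[i]);
    }
  }

  const char *fname = "/tmp/test";

  // setup our rule.  argc is at least 1 (the program name), so the original
  // `argc >= 1` test could never reach the "after fix" branch; select on the
  // presence of an extra argument instead.
  int rc;
  if (argc > 1) {
    // before fix
    printf("Testing rule before fix.\n");
    rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                            SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD),
                            SCMP_CMP_STR(1, SCMP_CMP_EQ, fname));
  } else {
    // after fix
    printf("Testing rule after fix.\n");
    rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                            SCMP_CMP(0, SCMP_CMP_EQ, (unsigned int)AT_FDCWD),
                            SCMP_CMP_STR(1, SCMP_CMP_EQ, fname));
  }
  if (rc < 0) {
    // Without the openat rule the open() below can only be killed, so the
    // test would say nothing about the comparison under investigation.
    printf("Error adding openat rule (%d).\n", rc);
    return 1;
  }

  // Dump the filter in PFC form to stdout (fd 1).  Flush first so the
  // buffered printf output above is not reordered after the dump when
  // stdout is a pipe.
  fflush(stdout);
  if (seccomp_export_pfc(ctx, 1)) {
    printf("Error exporting seccomp filter.\n");
  }

  // build and load the filter.  From here on only the whitelisted syscalls
  // are available, which is why neither close(fd) nor seccomp_release(ctx)
  // is called later: close is not whitelisted, and freeing the context may
  // need memory syscalls that are not whitelisted either.
  if (seccomp_load(ctx)) {
    printf("Error loading seccomp filter.\n");
    return 1;
  }

  // Library versions, printed so a kill at the open() call can be attributed
  // (the libc version decides which syscall open() is built on).
  const char *libc_version = gnu_get_libc_version();
  if (libc_version) {
    printf("GNU libc version: %s\n", libc_version);
  }
  const char *libc_release = gnu_get_libc_release();
  if (libc_release) {
    printf("GNU libc release: %s\n", libc_release);
  }

  const struct scmp_version *scmp_version = seccomp_version();
  if (scmp_version) {
    printf("libseccomp %d.%d.%d\n", scmp_version->major, scmp_version->minor, scmp_version->micro);
  }

  // Show the datum each rule form produces for AT_FDCWD.  scmp_datum_t is a
  // uint64_t, hence PRIu64 rather than %lu.  AT_FDCWD itself is an int and
  // must be widened explicitly: passing an int to %llu is undefined
  // behaviour.  The first value is the int converted to 64 bits (2^64 - 100),
  // the second the 32-bit truncation used by the "after fix" rule.
  scmp_datum_t datum_old = SCMP_CMP_STR(0, SCMP_CMP_EQ, AT_FDCWD).datum_a;
  scmp_datum_t datum_new = SCMP_CMP(0, SCMP_CMP_EQ, (unsigned int)AT_FDCWD).datum_a;
  printf("%" PRIu64 " %" PRIu64 "\n", datum_old, datum_new);
  printf("%llu %llu\n", (unsigned long long)AT_FDCWD,
         (unsigned long long)(unsigned int)AT_FDCWD);

  // On a libc whose open() is implemented with the openat syscall this is the
  // call the rule above must match.  If the rule does not match, the KILL
  // default terminates the process here and "After openat" is never printed.
  printf("Before openat\n");
  int fd = open(fname, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600);
  printf("After openat fd = %d\n", fd);

  return 0;
}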