/*
 * seccomp example with syscall reporting
 *
 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
 * Kees Cook <keescook@chromium.org>
 * Will Drewry <wad@chromium.org>
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
#include <stdlib.h>

#include <libubox/utils.h>
#include <libubox/blobmsg.h>
#include <libubox/blobmsg_json.h>

#include "seccomp-bpf.h"
#include "../syscall-names.h"
/* Number of slots in the syscall_names[] table. */
static int max_syscall = ARRAY_SIZE(syscall_names);

/**
 * Look up a syscall by name in syscall_names[].
 *
 * The table index doubles as the syscall number: the caller feeds the result
 * straight into a BPF comparison against the syscall number.
 *
 * @param name  NUL-terminated syscall name; must not be NULL
 * @return index of the matching entry, or -1 when no entry matches
 *
 * NOTE(review): the return statements are not visible in this listing; they
 * are reconstructed from how the caller reports an "unknown syscall" -
 * confirm against the upstream file.
 */
static int find_syscall(const char *name)
{
	int nr = 0;

	while (nr < max_syscall) {
		const char *candidate = syscall_names[nr];

		/* the table can contain empty (NULL) slots, skip them */
		if (candidate != NULL && strcmp(candidate, name) == 0)
			return nr;
		nr++;
	}

	return -1;
}
/**
 * Fill in one classic-BPF instruction.
 *
 * @param filter  instruction slot to overwrite
 * @param code    opcode (BPF_LD, BPF_JMP, BPF_RET, ... combined with modifiers)
 * @param jt      number of instructions to skip when a jump condition is true
 * @param jf      number of instructions to skip when a jump condition is false
 * @param k       generic operand (load offset, comparison value, return action)
 *
 * NOTE(review): only the signature is visible in this listing; the body is
 * reconstructed from the parameter list, which mirrors the members of
 * struct sock_filter - confirm against the upstream file.
 */
static void set_filter(struct sock_filter *filter, __u16 code, __u8 jt, __u8 jf, __u32 k)
{
	*filter = (struct sock_filter) {
		.code = code,
		.jt = jt,
		.jf = jf,
		.k = k,
	};
}
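/**
 * Build a seccomp-BPF syscall whitelist from a JSON policy file and install
 * it on the calling thread.
 *
 * The file must hold a "whitelist" array of syscall names and may hold an
 * integer "policy". The generated program
 *   - returns SECCOMP_RET_KILL when the architecture is not ARCH_NR,
 *   - returns SECCOMP_RET_ALLOW for every whitelisted syscall,
 *   - applies the default action to everything else: SECCOMP_RET_KILL when
 *     "policy" is absent or 0, SECCOMP_RET_TRACE otherwise.
 *
 * Malformed or unknown whitelist entries are logged and skipped, which can
 * only make the resulting filter stricter. A non-zero "policy" is a
 * reduced-enforcement setting: without a tracer attached, a denied syscall
 * fails with ENOSYS instead of terminating the process.
 *
 * @param argv  label used as the prefix of log messages
 * @param file  path of the JSON policy file
 * @return 0 on success, non-zero on failure
 *
 * NOTE(review): the error-return statements and a few short lines (enum,
 * blob_buf_init, loop bookkeeping) are not visible in this listing and are
 * reconstructed from the surrounding code - confirm the exact return codes
 * against the callers.
 */
int install_syscall_filter(const char *argv, const char *file)
{
	enum {
		SECCOMP_WHITELIST,
		SECCOMP_POLICY,
		__SECCOMP_MAX
	};
	static const struct blobmsg_policy policy[__SECCOMP_MAX] = {
		[SECCOMP_WHITELIST] = { .name = "whitelist", .type = BLOBMSG_TYPE_ARRAY },
		[SECCOMP_POLICY] = { .name = "policy", .type = BLOBMSG_TYPE_INT32 },
	};
	struct blob_buf b = { 0 };
	struct blob_attr *tb[__SECCOMP_MAX];
	struct blob_attr *cur;
	int rem;

	struct sock_filter *filter = NULL;
	struct sock_fprog prog = { 0 };
	/* 5 fixed instructions: 3 for the arch check, 1 syscall load, 1 default action */
	int sz = 5, idx = 0, default_policy = 0;
	int ret = -1;

	INFO("%s: setting up syscall filter\n", argv);

	blob_buf_init(&b, 0);
	if (!blobmsg_add_json_from_file(&b, file)) {
		INFO("%s: failed to load %s\n", argv, file);
		goto out_free;
	}

	blobmsg_parse(policy, __SECCOMP_MAX, tb, blob_data(b.head), blob_len(b.head));
	if (!tb[SECCOMP_WHITELIST]) {
		INFO("%s: %s is missing the syscall table\n", argv, file);
		goto out_free;
	}

	if (tb[SECCOMP_POLICY])
		default_policy = blobmsg_get_u32(tb[SECCOMP_POLICY]);

	/* every whitelist entry costs two instructions: compare + allow */
	blobmsg_for_each_attr(cur, tb[SECCOMP_WHITELIST], rem)
		sz += 2;

	/*
	 * prog.len is an unsigned short and the kernel rejects programs longer
	 * than BPF_MAXINSNS; refuse an oversized policy instead of letting the
	 * length be truncated silently.
	 */
	if (sz > BPF_MAXINSNS) {
		INFO("%s: %s lists too many syscalls\n", argv, file);
		goto out_free;
	}

	filter = calloc(sz, sizeof(*filter));
	if (!filter) {
		INFO("failed to allocate filter memory\n");
		goto out_free;
	}

	/* validate arch: skip the kill only when the arch field equals ARCH_NR */
	set_filter(&filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, arch_nr);
	set_filter(&filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 1, 0, ARCH_NR);
	set_filter(&filter[idx++], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_KILL);

	/* load the syscall number for the comparisons below */
	set_filter(&filter[idx++], BPF_LD + BPF_W + BPF_ABS, 0, 0, syscall_nr);

	blobmsg_for_each_attr(cur, tb[SECCOMP_WHITELIST], rem) {
		char *name = NULL;
		int nr;

		/* a non-string entry (e.g. a JSON number) must not be read as a C string */
		if (blobmsg_type(cur) == BLOBMSG_TYPE_STRING)
			name = blobmsg_get_string(cur);

		if (!name) {
			INFO("%s: invalid syscall name\n", argv);
			continue;
		}

		nr = find_syscall(name);
		if (nr == -1) {
			INFO("%s: unknown syscall %s\n", argv, name);
			continue;
		}

		/* on a match fall through to ALLOW, otherwise skip it */
		set_filter(&filter[idx++], BPF_JMP + BPF_JEQ + BPF_K, 0, 1, nr);
		set_filter(&filter[idx++], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_ALLOW);
	}

	if (default_policy) {
		/* notify tracer; without tracer return -1 and set errno to ENOSYS */
		set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_TRACE);
	} else {
		/* kill the process */
		set_filter(&filter[idx], BPF_RET + BPF_K, 0, 0, SECCOMP_RET_KILL);
	}

	/* the parsed policy is no longer needed; release it before the filter is active */
	blob_buf_free(&b);

	/* required so that an unprivileged task is allowed to install a filter */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		ret = errno;
		INFO("%s: prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", argv, strerror(ret));
		goto out_free_filter;
	}

	/* idx + 1 <= sz <= BPF_MAXINSNS, so the value fits an unsigned short */
	prog.len = (unsigned short) (idx + 1);
	prog.filter = filter;

	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
		ret = errno;
		INFO("%s: prctl(PR_SET_SECCOMP) failed: %s\n", argv, strerror(ret));
		goto out_free_filter;
	}

	/*
	 * The instruction array is deliberately left allocated on success: the
	 * filter is active from here on, and free() may issue a syscall that
	 * the whitelist does not permit.
	 */
	return 0;

out_free:
	blob_buf_free(&b);
out_free_filter:
	free(filter);
	return ret;
}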