1 /*
2 * seccomp example with syscall reporting
3 *
4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
5 * Authors:
6 * Kees Cook <keescook@chromium.org>
7 * Will Drewry <wad@chromium.org>
8 *
9 * Use of this source code is governed by a BSD-style license that can be
10 * found in the LICENSE file.
11 */
12 #define _GNU_SOURCE 1
13 #include <stddef.h>
14 #include <stdlib.h>
15 #include <unistd.h>
16
17 #include <libubox/utils.h>
18 #include <libubox/blobmsg.h>
19 #include <libubox/blobmsg_json.h>
20
21 #include "log.h"
22 #include "seccomp.h"
23 #include "seccomp-oci.h"
24
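/**
 * Load a seccomp policy from a JSON file, convert it into a filter program
 * and apply it to the calling process.
 *
 * @param argv  label used as the prefix of every log message emitted here
 *              (presumably the name of the jailed program; confirm at the
 *              call site)
 * @param file  path of the JSON file holding the seccomp rules
 *
 * @return -1 when the file cannot be loaded or its rules cannot be parsed;
 *         otherwise the return value of applyOCIlinuxseccomp().
 *
 * NOTE(review): a failure here means no filter was installed by this
 * function. The caller should treat a non-zero result as fatal rather than
 * continue unfiltered; verify that it does.
 */
int install_syscall_filter(const char *argv, const char *file)
{
	struct blob_buf b = { 0 };
	struct sock_fprog *prog = NULL;

	DEBUG("%s: setting up syscall filter\n", argv);

	blob_buf_init(&b, 0);
	if (!blobmsg_add_json_from_file(&b, file)) {
		ERROR("%s: failed to load %s\n", argv, file);
		/* Nothing was derived from the buffer yet, so release it. */
		blob_buf_free(&b);
		return -1;
	}

	prog = parseOCIlinuxseccomp(b.head);
	if (!prog) {
		ERROR("%s: failed to parse seccomp filter rules %s\n", argv, file);
		/* No program was produced, so nothing can still refer to b. */
		blob_buf_free(&b);
		return -1;
	}

	/*
	 * b is intentionally not freed on this path. This file does not show
	 * whether prog keeps pointers into the blob, and once the filter is
	 * active a free() could issue a syscall that the new policy rejects.
	 */
	return applyOCIlinuxseccomp(prog);
}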