2 * seccomp example with syscall reporting
4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
6 * Kees Cook <keescook@chromium.org>
7 * Will Drewry <wad@chromium.org>
9 * Use of this source code is governed by a BSD-style license that can be
10 * found in the LICENSE file.
17 #include <libubox/utils.h>
18 #include <libubox/blobmsg.h>
19 #include <libubox/blobmsg_json.h>
21 #include "seccomp-bpf.h"
23 #include "../syscall-names.h"
25 static int max_syscall
= ARRAY_SIZE(syscall_names
);
27 static int find_syscall(const char *name
)
31 for (i
= 0; i
< max_syscall
; i
++)
32 if (syscall_names
[i
] && !strcmp(syscall_names
[i
], name
))
38 static void set_filter(struct sock_filter
*filter
, __u16 code
, __u8 jt
, __u8 jf
, __u32 k
)
46 int install_syscall_filter(const char *argv
, const char *file
)
53 static const struct blobmsg_policy policy
[__SECCOMP_MAX
] = {
54 [SECCOMP_WHITELIST
] = { .name
= "whitelist", .type
= BLOBMSG_TYPE_ARRAY
},
55 [SECCOMP_POLICY
] = { .name
= "policy", .type
= BLOBMSG_TYPE_INT32
},
57 struct blob_buf b
= { 0 };
58 struct blob_attr
*tb
[__SECCOMP_MAX
];
59 struct blob_attr
*cur
;
62 struct sock_filter
*filter
;
63 struct sock_fprog prog
= { 0 };
64 int sz
= 5, idx
= 0, default_policy
= 0;
66 INFO("%s: setting up syscall filter\n", argv
);
69 if (!blobmsg_add_json_from_file(&b
, file
)) {
70 INFO("%s: failed to load %s\n", argv
, file
);
74 blobmsg_parse(policy
, __SECCOMP_MAX
, tb
, blob_data(b
.head
), blob_len(b
.head
));
75 if (!tb
[SECCOMP_WHITELIST
]) {
76 INFO("%s: %s is missing the syscall table\n", argv
, file
);
80 if (tb
[SECCOMP_POLICY
])
81 default_policy
= blobmsg_get_u32(tb
[SECCOMP_POLICY
]);
83 blobmsg_for_each_attr(cur
, tb
[SECCOMP_WHITELIST
], rem
)
86 filter
= calloc(sz
, sizeof(struct sock_filter
));
88 INFO("failed to allocate filter memory\n");
93 set_filter(&filter
[idx
++], BPF_LD
+ BPF_W
+ BPF_ABS
, 0, 0, arch_nr
);
94 set_filter(&filter
[idx
++], BPF_JMP
+ BPF_JEQ
+ BPF_K
, 1, 0, ARCH_NR
);
95 set_filter(&filter
[idx
++], BPF_RET
+ BPF_K
, 0, 0, SECCOMP_RET_KILL
);
98 set_filter(&filter
[idx
++], BPF_LD
+ BPF_W
+ BPF_ABS
, 0, 0, syscall_nr
);
100 blobmsg_for_each_attr(cur
, tb
[SECCOMP_WHITELIST
], rem
) {
101 char *name
= blobmsg_get_string(cur
);
105 INFO("%s: invalid syscall name\n", argv
);
109 nr
= find_syscall(name
);
111 INFO("%s: unknown syscall %s\n", argv
, name
);
116 set_filter(&filter
[idx
++], BPF_JMP
+ BPF_JEQ
+ BPF_K
, 0, 1, nr
);
117 set_filter(&filter
[idx
++], BPF_RET
+ BPF_K
, 0, 0, SECCOMP_RET_ALLOW
);
121 /* return -1 and set errno */
122 set_filter(&filter
[idx
], BPF_RET
+ BPF_K
, 0, 0, SECCOMP_RET_LOGGER(default_policy
));
124 /* kill the process */
125 set_filter(&filter
[idx
], BPF_RET
+ BPF_K
, 0, 0, SECCOMP_RET_KILL
);
127 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0)) {
128 INFO("%s: prctl(PR_SET_NO_NEW_PRIVS) failed: %s\n", argv
, strerror(errno
));
132 prog
.len
= (unsigned short) idx
+ 1;
133 prog
.filter
= filter
;
135 if (prctl(PR_SET_SECCOMP
, SECCOMP_MODE_FILTER
, &prog
)) {
136 INFO("%s: prctl(PR_SET_SECCOMP) failed: %s\n", argv
, strerror(errno
));