Hi,
I'm using the following program to allow a bunch of syscalls, then
calling exec. According to Documentation/prctl/seccomp* I would
expect that to work so long as NR_exec (59) is allowed (it should
be, if I'm not misusing libseccomp). But I'm getting -EPERM from
execve. I do recall there were discussions of not allowing execve,
but Documentation doesn't mention this.
Should this work?
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <seccomp.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>

int main(void)
{
	int i;
	int ret;

	/* Default action for anything not matched by a rule: return errno 5. */
	ret = seccomp_init(SCMP_ACT_ERRNO(5));

	/* Allow every syscall number from 0 to 272 (execve is 59 on x86_64). */
	for (i = 0; i < 273; i++)
		ret = seccomp_rule_add(SCMP_ACT_ALLOW, i, 0);

	/* Compile the rules to BPF and load them into the kernel. */
	ret = seccomp_load();
	if (ret)
		printf("error setting seccomp\n");

	/* Should succeed if execve is allowed by the filter. */
	ret = execlp("/bin/ls", "/bin/ls", "/tmp", NULL);
	printf("execlp returned %d %d\n", ret, errno);
	exit(0);
}
thanks,
-serge
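The following is an added example, not code from the original post or from libseccomp: it hand-builds the BPF program that the posted policy amounts to (allow syscall numbers 0..272, return errno 5 for everything else) and runs it through a tiny interpreter, so the filter's decision for a syscall number such as 59 can be checked offline before anything is loaded into the kernel. The policy, the x86_64 arch value and the syscall numbers tested are taken from the post; the struct layouts and opcode values are copied from the Linux headers.

```c
/* Added example, not code from the original post: a hand-built BPF program
 * equivalent to the posted policy (allow syscall numbers 0..272, return errno 5
 * otherwise) plus a tiny interpreter, so the filter's decision for a syscall
 * number can be checked offline before it is ever loaded into the kernel.
 * Constants are copied from linux/seccomp.h and linux/filter.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECCOMP_RET_ALLOW 0x7fff0000U
#define SECCOMP_RET_ERRNO 0x00050000U
#define OP_LD_W_ABS 0x20  /* BPF_LD | BPF_W | BPF_ABS: A = mem[k] */
#define OP_JGE_K    0x35  /* BPF_JMP | BPF_JGE | BPF_K: A >= k ? pc += jt : pc += jf */
#define OP_RET_K    0x06  /* BPF_RET | BPF_K: return k */

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Same layout as the kernel's struct seccomp_data: nr, arch, ip, args[6]. */
struct sc_data { int nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

/* Policy of the posted program: nr < 273 -> ALLOW, everything else -> ERRNO(5). */
static const struct insn filter[] = {
    { OP_LD_W_ABS, 0, 0, 0 },                     /* A = seccomp_data.nr */
    { OP_JGE_K,    1, 0, 273 },                   /* A >= 273 -> jump to deny */
    { OP_RET_K,    0, 0, SECCOMP_RET_ALLOW },
    { OP_RET_K,    0, 0, SECCOMP_RET_ERRNO | 5 }, /* deny: errno 5 is EIO, not EPERM */
};

/* Run the filter for one syscall number (x86_64); returns SECCOMP_RET_ALLOW or
 * SECCOMP_RET_ERRNO | errno. Like the kernel, nr is compared as unsigned. */
uint32_t decide(int nr)
{
    struct sc_data d = { .nr = nr, .arch = 0xc000003eU /* AUDIT_ARCH_X86_64 */ };
    uint32_t a = 0;
    for (size_t pc = 0; pc < sizeof filter / sizeof filter[0]; pc++) {
        switch (filter[pc].code) {
        case OP_LD_W_ABS: memcpy(&a, (const char *)&d + filter[pc].k, sizeof a); break;
        case OP_JGE_K:    pc += (a >= filter[pc].k) ? filter[pc].jt : filter[pc].jf; break;
        case OP_RET_K:    return filter[pc].k;
        default:          return SECCOMP_RET_ERRNO | 5; /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_ERRNO | 5; /* fell off the end; the kernel rejects such programs */
}

int main(void)
{
    printf("execve (59): %s\n", decide(59) == SECCOMP_RET_ALLOW ? "allow" : "deny");
    printf("nr 300: errno %u\n", decide(300) & 0xffffU);
    return 0;
}
```

Note that libseccomp generates its own (per-syscall) BPF rather than this range check; the example only reproduces the decisions the posted rules describe.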
_______________________________________________
libseccomp-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss