[libseccomp-discuss] Understanding libseccomp

Luis C Tue, 02 Oct 2012 08:11:03 -0700

Hi all!,

Recently I discover libseccomp and I'm trying to check the viability of add
to a project, but I have some doubts, probably due to my understanding of
the library.


On the example below the getpid syscall its not allowed to execute on the
child process, no? The basic idea is to deny some syscalls to the child
process but im missing something, any ideas?

Regards,

Luis

#include <stdio.h>

#include <seccomp.h>

#include <errno.h>

#include <sys/types.h>

#include <sys/wait.h>

int InitSeccomp(void) {

        int ret = 0;

        ret = seccomp_init(SCMP_ACT_KILL);

        if(ret == -1) return ret;

        ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);

        if(ret!= 0) return ret;

        ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(read), 0);

        if (ret != 0)return ret;

        ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(write), 0);

        if (ret != 0) return ret;

        ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(open), 0);

        if (ret != 0) return ret;

//        ret = seccomp_rule_add_exact(SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);

//      if(ret!= 0) return ret;

        ret = seccomp_load();

        return ret;

}

int main(int argc, char *argv[])

{

        int ret;

        int status;

        pid_t pid;

        siginfo_t sig;

        pid = fork();

        if(pid == 0){

                printf("child executing\n");

                sleep(2);

                ret = InitSeccomp();

                printf("child on seccomp sandbox ret = %d\n",ret);

                printf("child pid %d\n",getpid());

                exit(0);

        }

        printf("parent waiting for %d\n",pid);

        status = waitpid(pid,&status,0);

        int ifexisted = WIFEXITED(status);

        int ifexisstatus = WEXITSTATUS(status);

        int ifsignaled = WIFSIGNALED(status);

        printf("process return status =
%d,ifexisted=%d,ifexitstatus=%d,ifsignaled=%d\n",

                status,ifexisted,ifexisstatus,ifsignaled);

        return 0;

}

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev

_______________________________________________
libseccomp-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/libseccomp-discuss

[libseccomp-discuss] Understanding libseccomp

Reply via email to