On Mon, May 21, 2018 at 4:24 PM, Amit Malav <[email protected]> wrote:
> Hi,
> I want to add seccomp filters at run time and not at compile time. I want to
> pass a list of syscalls that need to be blocked to a C executable which spawns
> a new child process with these filters in place.

Hi Amit,

Yes, the libseccomp filters are generated at run time.  Also, you
shouldn't need to manually set PR_SET_NO_NEW_PRIVS, it is enabled by
default when libseccomp loads the seccomp-bpf filter into the kernel;
see the seccomp_attr_set(3) manpage, especially the
SCMP_FLTATR_CTL_NNP attribute.

> Source code:
>
> #include <stdlib.h>
> #include <unistd.h>
> #include <stdio.h>
> #include <linux/limits.h>
> #include <string.h>
> #include <seccomp.h>   /* libseccomp */
> #include <sys/prctl.h> /* prctl */
>
> int show_usage(char *argv)
> {
>     printf("Usage: %s <command> <syscalls>\n\tcommand: command to be executed with command line arguments\n\tsyscalls: space separated list of syscalls\n", argv);
>     return 0;
> }
>
> int main(int argc, char **argv)
> {
>     int iterator;
>     if (argc < 2)
>     {
>         show_usage(argv[0]);
>         return 0;
>     }
>     if (argc >= 3)
>     {
>         //Add seccomp filters
>         // ensure none of our children will ever be granted more privileges
>         // (via setuid, capabilities, ...)
>         prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
>         // ensure no escape is possible via ptrace
>         prctl(PR_SET_DUMPABLE, 0);
>         // Init the filter
>         scmp_filter_ctx ctx;
>         ctx = seccomp_init(SCMP_ACT_KILL); // default action: kill
>         if (ctx == NULL)
>         {
>             fprintf(stderr, "seccomp_init failed\n");
>             exit(EXIT_FAILURE);
>         }
>         // setup basic whitelisting
>         // SCMP_SYS() is a compile-time macro, so a name supplied at run time
>         // has to be resolved to its number with seccomp_syscall_resolve_name()
>         for (iterator = 2; iterator < argc; iterator++)
>         {
>             int nr = seccomp_syscall_resolve_name(argv[iterator]);
>             if (nr == __NR_SCMP_ERROR)
>             {
>                 fprintf(stderr, "Unknown syscall: %s\n", argv[iterator]);
>                 seccomp_release(ctx);
>                 exit(EXIT_FAILURE);
>             }
>             int rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, nr, 0);
>             if (rc < 0)
>             {
>                 fprintf(stderr, "seccomp_rule_add: %s\n", strerror(-rc));
>                 seccomp_release(ctx);
>                 exit(EXIT_FAILURE);
>             }
>         }
>         // The filter is loaded into this process, so the syscalls that
>         // popen(), fgets() and pclose() below need must be in the list too
>         int rc = seccomp_load(ctx);
>         if (rc < 0)
>         {
>             fprintf(stderr, "seccomp_load: %s\n", strerror(-rc));
>             seccomp_release(ctx);
>             exit(EXIT_FAILURE);
>         }
>         seccomp_release(ctx); // the kernel keeps its own copy of the filter
>     }
>     FILE *pipe_fp;
>     /* Create one way pipe line with call to popen() */
>     char line[PATH_MAX];
>     // Build the command in our own buffer; strcat() on argv[1] would write
>     // past the end of the argument string
>     char command[PATH_MAX];
>     snprintf(command, sizeof(command), "%s 2>&1", argv[1]);
>     //Run command present in argv[1]
>     if ((pipe_fp = popen(command, "r")) == NULL)
>     {
>         perror("Error in popen");
>         exit(EXIT_FAILURE);
>     }
>     // Get output from child's stdout/stderr
>     /* Processing loop */
>     while (fgets(line, sizeof(line), pipe_fp) != NULL)
>     {
>         printf("%s", line);
>     }
>     /* Close the pipe */
>     int close_status = pclose(pipe_fp);
>     if (close_status != 0)
>     {
>         exit(EXIT_FAILURE);
>     }
>     exit(EXIT_SUCCESS);
> }
>
> --
> You received this message because you are subscribed to the Google Groups 
> "libseccomp" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To post to this group, send email to [email protected].
> For more options, visit https://groups.google.com/d/optout.



-- 
paul moore
www.paul-moore.com
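
An added example, not code from this thread and not libseccomp's own: it does by hand what the reply above says libseccomp does for you, building the filter at run time from syscall names given on the command line, setting NO_NEW_PRIVS before loading it, and installing the filter in a forked child so the parent stays unfiltered. It uses the raw seccomp-bpf interface (prctl + a sock_fprog) rather than libseccomp so that the generated program is visible. The helper names (resolve_syscall, build_allow_filter, install_filter), the small constructed syscall name table, the architecture macro and the command-line layout are assumptions for illustration.

```c
/* Added example, not code from the thread: build a seccomp allow-list at run
 * time from syscall names, install it in a forked child and exec the command
 * there.  Raw seccomp-bpf instead of libseccomp; helper names are illustrative. */
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define MAX_ALLOWED 64
#define PROG_CAP (4 + MAX_ALLOWED + 2)
#define STMT(code, k) ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))

/* Constructed name table for the demo; seccomp_syscall_resolve_name() covers all of them. */
static const struct { const char *name; int nr; } syscall_table[] = {
    { "read", SYS_read }, { "write", SYS_write }, { "close", SYS_close },
    { "brk", SYS_brk }, { "munmap", SYS_munmap }, { "execve", SYS_execve },
    { "exit_group", SYS_exit_group }, { "openat", SYS_openat },
};

static int resolve_syscall(const char *name)
{
    for (size_t i = 0; i < sizeof syscall_table / sizeof syscall_table[0]; i++)
        if (strcmp(name, syscall_table[i].name) == 0)
            return syscall_table[i].nr;
    return -1;                     /* unknown: refuse, never silently allow */
}

/* Layout: [0-2] arch check, [3] load nr, [4..4+n) one JEQ per allowed nr that
 * jumps to the final ALLOW, then default KILL, then ALLOW.  Returns count or -1. */
static int build_allow_filter(const int *nrs, size_t n, struct sock_filter *prog, size_t cap)
{
    size_t i = 0;
    if (n > MAX_ALLOWED || cap < 4 + n + 2)
        return -1;
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n; j++)   /* jt = distance to the final ALLOW */
        prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nrs[j], (unsigned char)(n - j), 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

static int install_filter(struct sock_filter *prog, unsigned short len)
{
    struct sock_fprog fprog = { .len = len, .filter = prog };
    /* Unprivileged processes must set NO_NEW_PRIVS first; libseccomp does this
     * for you because SCMP_FLTATR_CTL_NNP is on by default. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Usage: ./sandbox <command> <syscall>...   The filter goes into the child only,
 * so the parent's fork/waitpid are never subject to it.  The list must include
 * execve plus everything the dynamic loader and the command itself use. */
int main(int argc, char **argv)
{
    int nrs[MAX_ALLOWED], len, status;
    struct sock_filter prog[PROG_CAP];
    size_t n = argc >= 3 ? (size_t)argc - 2 : 0;
    if (n == 0 || n > MAX_ALLOWED) {
        fprintf(stderr, "usage: %s <command> <syscall>... (at most %d)\n", argv[0], MAX_ALLOWED);
        return 1;
    }
    for (size_t j = 0; j < n; j++)
        if ((nrs[j] = resolve_syscall(argv[j + 2])) < 0) {
            fprintf(stderr, "unknown syscall: %s\n", argv[j + 2]);
            return 1;
        }
    if ((len = build_allow_filter(nrs, n, prog, PROG_CAP)) < 0)
        return 1;
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                         /* child: filter first, then exec */
        if (install_filter(prog, (unsigned short)len) != 0) { perror("seccomp"); _exit(127); }
        char *const args[] = { argv[1], NULL };
        execvp(argv[1], args);
        _exit(127);   /* not reached if execve itself was left off the list */
    }
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); return 1; }
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) {
        fprintf(stderr, "child killed by seccomp (SIGSYS)\n");
        return 2;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

With a list that covers only a few names the child is killed with SIGSYS as soon as the dynamic loader calls something else, which is the expected outcome; `strace -f` on the unfiltered command is the usual way to find the full set. The parent's own popen-style plumbing is never restricted here because the filter is loaded only after fork(), which is the difference from loading it in the parent before popen().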
