Hi Pautl.
Thanks for the swift response.
But i'm getting following error while compiling above code.
#gcc test-seccomp.c -l seccomp -o seccomp
In file included from test-seccomp.c:6:0:
test-seccomp.c: In function ‘main’:
test-seccomp.c:37:51: error: ‘__NR_argv’ undeclared (first use in this function)
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(argv[iterator]), 0);
^
test-seccomp.c:37:51: note: each undeclared identifier is reported only once
for each function it appears in
Am i doing something wrong here? Can this be achieved differently?
On Tuesday, May 22, 2018 at 3:34:21 AM UTC+5:30, Paul Moore wrote:
> On Mon, May 21, 2018 at 4:24 PM, Amit Malav <[email protected]> wrote:
> > Hi,
> > I want to add seccomp filters at run time and not at compile time. I want
> > to pass list of syscalls that needs to be blocked to a c executable which
> > spawns new child process with these filters in place.
>
> Hi Amit,
>
> Yes, the libseccomp filters are generated at run time. Also, you
> shouldn't need to manually set PR_SET_NO_NEW_PRIVS, it is enabled by
> default when libseccomp loads the seccomp-bpf filter into the kernel;
> see the seccomp_attr_set(3) manpage, especially the
> SCMP_FLTATR_CTL_NNP attribute.
>
> > Source code:
> >
> > #include <stdlib.h>
> > #include <unistd.h>
> > #include <stdio.h>
> > #include <linux/limits.h>
> > #include <string.h>
> > #include <seccomp.h> /* libseccomp */
> > #include <sys/prctl.h> /* prctl */
> >
> > int show_usage(char *argv)
> > {
> > printf("Usage: %s <command> <syscalls>\n\tcommand: command to be
> > executed with command line arguments\n\tsyscalls: space separated list of
> > syscalls\n", argv);
> > return 0;
> > }
> >
> > int main(int argc, char **argv)
> > {
> > int iterator;
> > if (argc < 2)
> > {
> > show_usage(argv[0]);
> > return 0;
> > }
> > if (argc >= 3)
> > {
> > //Add seccomp filters
> > // ensure none of our children will ever be granted more privileges
> > // (via setuid, capabilities, ...)
> > prctl(PR_SET_NO_NEW_PRIVS, 1);
> > // ensure no escape is possible via ptrace
> > prctl(PR_SET_DUMPABLE, 0);
> > // Init the filter
> > scmp_filter_ctx ctx;
> > ctx = seccomp_init(SCMP_ACT_KILL); // default action: kill
> > // setup basic whitelisting
> > for (iterator = 2; iterator < argc; iterator++)
> > {
> > seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(argv[iterator]),
> > 0);
> > }
> > seccomp_load(ctx);
> > }
> > FILE *pipe_fp;
> > /* Create one way pipe line with call to popen() */
> > char path[PATH_MAX];
> > //Run command present in argv[1]
> > if ((pipe_fp = popen(strcat(argv[1], " 2>&1"), "r")) == NULL)
> > {
> > perror("Error in popen");
> > exit(EXIT_FAILURE);
> > }
> > // Get output from child's stdout/stderr
> > /* Processing loop */
> > while (fgets(path, PATH_MAX, pipe_fp) != NULL)
> > {
> > printf("%s", path);
> > }
> > /* Close the pipe */
> > int close_status = pclose(pipe_fp);
> > if (close_status != 0)
> > {
> > exit(EXIT_FAILURE);
> > }
> > exit(EXIT_SUCCESS);
> > }
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "libseccomp" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
>
>
> --
> paul moore
> www.paul-moore.com
On Tuesday, May 22, 2018 at 3:34:21 AM UTC+5:30, Paul Moore wrote:
> On Mon, May 21, 2018 at 4:24 PM, Amit Malav <[email protected]> wrote:
> > Hi,
> > I want to add seccomp filters at run time and not at compile time. I want
> > to pass list of syscalls that needs to be blocked to a c executable which
> > spawns new child process with these filters in place.
>
> Hi Amit,
>
> Yes, the libseccomp filters are generated at run time. Also, you
> shouldn't need to manually set PR_SET_NO_NEW_PRIVS, it is enabled by
> default when libseccomp loads the seccomp-bpf filter into the kernel;
> see the seccomp_attr_set(3) manpage, especially the
> SCMP_FLTATR_CTL_NNP attribute.
>
> > Source code:
> >
> > #include <stdlib.h>
> > #include <unistd.h>
> > #include <stdio.h>
> > #include <linux/limits.h>
> > #include <string.h>
> > #include <seccomp.h> /* libseccomp */
> > #include <sys/prctl.h> /* prctl */
> >
> > int show_usage(char *argv)
> > {
> > printf("Usage: %s <command> <syscalls>\n\tcommand: command to be
> > executed with command line arguments\n\tsyscalls: space separated list of
> > syscalls\n", argv);
> > return 0;
> > }
> >
> > int main(int argc, char **argv)
> > {
> > int iterator;
> > if (argc < 2)
> > {
> > show_usage(argv[0]);
> > return 0;
> > }
> > if (argc >= 3)
> > {
> > //Add seccomp filters
> > // ensure none of our children will ever be granted more privileges
> > // (via setuid, capabilities, ...)
> > prctl(PR_SET_NO_NEW_PRIVS, 1);
> > // ensure no escape is possible via ptrace
> > prctl(PR_SET_DUMPABLE, 0);
> > // Init the filter
> > scmp_filter_ctx ctx;
> > ctx = seccomp_init(SCMP_ACT_KILL); // default action: kill
> > // setup basic whitelisting
> > for (iterator = 2; iterator < argc; iterator++)
> > {
> > seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(argv[iterator]),
> > 0);
> > }
> > seccomp_load(ctx);
> > }
> > FILE *pipe_fp;
> > /* Create one way pipe line with call to popen() */
> > char path[PATH_MAX];
> > //Run command present in argv[1]
> > if ((pipe_fp = popen(strcat(argv[1], " 2>&1"), "r")) == NULL)
> > {
> > perror("Error in popen");
> > exit(EXIT_FAILURE);
> > }
> > // Get output from child's stdout/stderr
> > /* Processing loop */
> > while (fgets(path, PATH_MAX, pipe_fp) != NULL)
> > {
> > printf("%s", path);
> > }
> > /* Close the pipe */
> > int close_status = pclose(pipe_fp);
> > if (close_status != 0)
> > {
> > exit(EXIT_FAILURE);
> > }
> > exit(EXIT_SUCCESS);
> > }
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "libseccomp" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
>
>
> --
> paul moore
> www.paul-moore.com
--
You received this message because you are subscribed to the Google Groups
"libseccomp" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
For more options, visit https://groups.google.com/d/optout.
