blob: 26f523e6ed74200e90bcda97fa82db711ac308e6 [file] [log] [blame]
Will Drewry8ac270d2012-04-12 16:48:04 -05001/*
2 * Seccomp filter example for x86 (32-bit and 64-bit) with BPF macros
3 *
4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
5 * Author: Will Drewry <wad@chromium.org>
6 *
7 * The code may be used by anyone for any purpose,
8 * and can serve as a starting point for developing
9 * applications using prctl(PR_SET_SECCOMP, 2, ...).
10 */
11#define __USE_GNU 1
12#define _GNU_SOURCE 1
13
14#include <linux/types.h>
15#include <linux/filter.h>
16#include <linux/seccomp.h>
17#include <linux/unistd.h>
18#include <signal.h>
19#include <stdio.h>
20#include <stddef.h>
21#include <string.h>
22#include <sys/prctl.h>
23#include <unistd.h>
24
25#define syscall_arg(_n) (offsetof(struct seccomp_data, args[_n]))
26#define syscall_nr (offsetof(struct seccomp_data, nr))
27
28#if defined(__i386__)
29#define REG_RESULT REG_EAX
30#define REG_SYSCALL REG_EAX
31#define REG_ARG0 REG_EBX
32#define REG_ARG1 REG_ECX
33#define REG_ARG2 REG_EDX
34#define REG_ARG3 REG_ESI
35#define REG_ARG4 REG_EDI
36#define REG_ARG5 REG_EBP
37#elif defined(__x86_64__)
38#define REG_RESULT REG_RAX
39#define REG_SYSCALL REG_RAX
40#define REG_ARG0 REG_RDI
41#define REG_ARG1 REG_RSI
42#define REG_ARG2 REG_RDX
43#define REG_ARG3 REG_R10
44#define REG_ARG4 REG_R8
45#define REG_ARG5 REG_R9
46#else
47#error Unsupported platform
48#endif
49
50#ifndef PR_SET_NO_NEW_PRIVS
51#define PR_SET_NO_NEW_PRIVS 38
52#endif
53
54#ifndef SYS_SECCOMP
55#define SYS_SECCOMP 1
56#endif
57
58static void emulator(int nr, siginfo_t *info, void *void_context)
59{
60 ucontext_t *ctx = (ucontext_t *)(void_context);
61 int syscall;
62 char *buf;
63 ssize_t bytes;
64 size_t len;
65 if (info->si_code != SYS_SECCOMP)
66 return;
67 if (!ctx)
68 return;
69 syscall = ctx->uc_mcontext.gregs[REG_SYSCALL];
70 buf = (char *) ctx->uc_mcontext.gregs[REG_ARG1];
71 len = (size_t) ctx->uc_mcontext.gregs[REG_ARG2];
72
73 if (syscall != __NR_write)
74 return;
75 if (ctx->uc_mcontext.gregs[REG_ARG0] != STDERR_FILENO)
76 return;
77 /* Redirect stderr messages to stdout. Doesn't handle EINTR, etc */
78 ctx->uc_mcontext.gregs[REG_RESULT] = -1;
79 if (write(STDOUT_FILENO, "[ERR] ", 6) > 0) {
80 bytes = write(STDOUT_FILENO, buf, len);
81 ctx->uc_mcontext.gregs[REG_RESULT] = bytes;
82 }
83 return;
84}
85
86static int install_emulator(void)
87{
88 struct sigaction act;
89 sigset_t mask;
90 memset(&act, 0, sizeof(act));
91 sigemptyset(&mask);
92 sigaddset(&mask, SIGSYS);
93
94 act.sa_sigaction = &emulator;
95 act.sa_flags = SA_SIGINFO;
96 if (sigaction(SIGSYS, &act, NULL) < 0) {
97 perror("sigaction");
98 return -1;
99 }
100 if (sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
101 perror("sigprocmask");
102 return -1;
103 }
104 return 0;
105}
106
107static int install_filter(void)
108{
109 struct sock_filter filter[] = {
110 /* Grab the system call number */
111 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr),
112 /* Jump table for the allowed syscalls */
113 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_rt_sigreturn, 0, 1),
114 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
115#ifdef __NR_sigreturn
116 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_sigreturn, 0, 1),
117 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
118#endif
119 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_exit_group, 0, 1),
120 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
121 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_exit, 0, 1),
122 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
123 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_read, 1, 0),
124 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_write, 3, 2),
125
126 /* Check that read is only using stdin. */
127 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)),
128 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDIN_FILENO, 4, 0),
129 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
130
131 /* Check that write is only using stdout */
132 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_arg(0)),
133 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDOUT_FILENO, 1, 0),
134 /* Trap attempts to write to stderr */
135 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, STDERR_FILENO, 1, 2),
136
137 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
138 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP),
139 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
140 };
141 struct sock_fprog prog = {
142 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
143 .filter = filter,
144 };
145
146 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
147 perror("prctl(NO_NEW_PRIVS)");
148 return 1;
149 }
150
151
152 if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
153 perror("prctl");
154 return 1;
155 }
156 return 0;
157}
158
159#define payload(_c) (_c), sizeof((_c))
160int main(int argc, char **argv)
161{
162 char buf[4096];
163 ssize_t bytes = 0;
164 if (install_emulator())
165 return 1;
166 if (install_filter())
167 return 1;
168 syscall(__NR_write, STDOUT_FILENO,
169 payload("OHAI! WHAT IS YOUR NAME? "));
170 bytes = syscall(__NR_read, STDIN_FILENO, buf, sizeof(buf));
171 syscall(__NR_write, STDOUT_FILENO, payload("HELLO, "));
172 syscall(__NR_write, STDOUT_FILENO, buf, bytes);
173 syscall(__NR_write, STDERR_FILENO,
174 payload("Error message going to STDERR\n"));
175 return 0;
176}