Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
bpf-fancy.c
Go to the documentation of this file.
1 /*
2  * Seccomp BPF example using a macro-based generator.
3  *
4  * Copyright (c) 2012 The Chromium OS Authors <[email protected]>
5  * Author: Will Drewry <[email protected]>
6  *
7  * The code may be used by anyone for any purpose,
8  * and can serve as a starting point for developing
9  * applications using prctl(PR_ATTACH_SECCOMP_FILTER).
10  */
11 
12 #include <linux/filter.h>
13 #include <linux/seccomp.h>
14 #include <linux/unistd.h>
15 #include <stdio.h>
16 #include <string.h>
17 #include <sys/prctl.h>
18 #include <unistd.h>
19 
20 #include "bpf-helper.h"
21 
22 #ifndef PR_SET_NO_NEW_PRIVS
23 #define PR_SET_NO_NEW_PRIVS 38
24 #endif
25 
26 int main(int argc, char **argv)
27 {
28  struct bpf_labels l;
29  static const char msg1[] = "Please type something: ";
30  static const char msg2[] = "You typed: ";
31  char buf[256];
32  struct sock_filter filter[] = {
33  /* TODO: LOAD_SYSCALL_NR(arch) and enforce an arch */
37  SYSCALL(__NR_write, JUMP(&l, write_fd)),
38  SYSCALL(__NR_read, JUMP(&l, read)),
39  DENY, /* Don't passthrough into a label */
40 
41  LABEL(&l, read),
42  ARG(0),
43  JNE(STDIN_FILENO, DENY),
44  ARG(1),
45  JNE((unsigned long)buf, DENY),
46  ARG(2),
47  JGE(sizeof(buf), DENY),
48  ALLOW,
49 
50  LABEL(&l, write_fd),
51  ARG(0),
52  JEQ(STDOUT_FILENO, JUMP(&l, write_buf)),
53  JEQ(STDERR_FILENO, JUMP(&l, write_buf)),
54  DENY,
55 
56  LABEL(&l, write_buf),
57  ARG(1),
58  JEQ((unsigned long)msg1, JUMP(&l, msg1_len)),
59  JEQ((unsigned long)msg2, JUMP(&l, msg2_len)),
60  JEQ((unsigned long)buf, JUMP(&l, buf_len)),
61  DENY,
62 
63  LABEL(&l, msg1_len),
64  ARG(2),
65  JLT(sizeof(msg1), ALLOW),
66  DENY,
67 
68  LABEL(&l, msg2_len),
69  ARG(2),
70  JLT(sizeof(msg2), ALLOW),
71  DENY,
72 
73  LABEL(&l, buf_len),
74  ARG(2),
75  JLT(sizeof(buf), ALLOW),
76  DENY,
77  };
78  struct sock_fprog prog = {
79  .filter = filter,
80  .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
81  };
82  ssize_t bytes;
83  bpf_resolve_jumps(&l, filter, sizeof(filter)/sizeof(*filter));
84 
85  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
86  perror("prctl(NO_NEW_PRIVS)");
87  return 1;
88  }
89 
90  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
91  perror("prctl(SECCOMP)");
92  return 1;
93  }
94  syscall(__NR_write, STDOUT_FILENO, msg1, strlen(msg1));
95  bytes = syscall(__NR_read, STDIN_FILENO, buf, sizeof(buf)-1);
96  bytes = (bytes > 0 ? bytes : 0);
97  syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2));
98  syscall(__NR_write, STDERR_FILENO, buf, bytes);
99  /* Now get killed */
100  syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2)+2);
101  return 0;
102 }