// seccomp example for x86 (32-bit and 64-bit) with BPF macros
//
// Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
// Authors:
// Will Drewry <wad@chromium.org>
// Kees Cook <keescook@chromium.org>
//
// The code may be used by anyone for any purpose, and can serve as a
// starting point for developing applications using mode 2 seccomp.
10
11 #include "seccomp-sandbox.h"
12
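/*
 * Enter seccomp "strict" mode for the calling thread.
 *
 * PR_SET_NO_NEW_PRIVS is set first so that no later execve() can regain
 * privileges; the flag is one-way, as is seccomp mode itself.
 * SECCOMP_MODE_STRICT is the kernel's original mode: afterwards only
 * read(2), write(2), _exit(2) and sigreturn(2) are permitted, and any
 * other system call terminates the process with SIGKILL.
 *
 * Returns 0 on success, -1 on failure with errno set by prctl(2).  If the
 * second prctl() fails, no_new_privs has already been set and cannot be
 * cleared.
 */
int seccomp_sandbox_strict_init(void) {
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
    return -1;
  }
  /* Named mode constant rather than the bare literal 1. */
  if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0)) {
    return -1;
  }
  return 0;
}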
22
/*
 * Install a seccomp-bpf (mode 2) filter for the calling thread.
 *
 * The BPF program is evaluated top to bottom: the architecture is validated
 * first, then the syscall number is loaded and compared against each
 * ALLOW_SYSCALL entry; KILL_PROCESS is the fall-through for anything else.
 * The array lives on the stack; the kernel copies it during prctl(), so it
 * need not outlive this call.
 *
 * Returns 0 on success, -1 on failure with errno set by prctl(2).
 */
int seccomp_sandbox_filter_init(void) {
  struct sock_filter filter[] = {
    /* Validate architecture (see the macro in the header). */
    VALIDATE_ARCHITECTURE,
    /* Load the syscall number for the comparisons below. */
    EXAMINE_SYSCALL,
    /* Allow-list. */
    ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
    ALLOW_SYSCALL(sigreturn),
#endif
    ALLOW_SYSCALL(futex),
#ifdef DEBUG
    /* DEBUG builds additionally allow basic I/O (presumably for tracing). */
    ALLOW_SYSCALL(write),
    ALLOW_SYSCALL(read),
    ALLOW_SYSCALL(fstat),
#endif
    ALLOW_SYSCALL(exit_group),
    ALLOW_SYSCALL(exit),
    /* Default action for everything not matched above. */
    KILL_PROCESS,
  };
  struct sock_fprog prog = {
    .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
    .filter = filter,
  };

  /* Both settings are one-way.  no_new_privs must be set first: without it
   * the kernel refuses a filter from a process lacking CAP_SYS_ADMIN. */
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
      prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) {
    return -1;
  }
  return 0;
}
57