X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=c%2Fseccomp.c;h=c939c04052f193ccb7dee987d0dc61100fdf8cd2;hb=599af17a2a0cc574095f2ec50971928ef5ef3ead;hp=0b740f32f7225f91d7d8511364fe17d6cd9060f5;hpb=06d21dc9c252aa1c71cb65fa033857c380722e32;p=mirrors%2FPrograms.git

diff --git a/c/seccomp.c b/c/seccomp.c
index 0b740f3..c939c04 100644
--- a/c/seccomp.c
+++ b/c/seccomp.c
@@ -1,14 +1,23 @@
-/* seccomp.c
+/*
+ * seccomp.c (Harvie 2o14)
  *
  * This demonstrates how to use SECCOMP_MODE_STRICT to sandbox code on Linux.
+ * You need kernel compiled with CONFIG_SECCOMP=y.
+ * This prohibits everything except read(2), write(2), _exit(2), and sigreturn(2).
+ * Trying to use other syscalls will result in SIGKILL.
+ * If you need to enable more syscalls you can use SECCOMP_MODE_FILTER instead.
+ * See man 2 prctl for more...
+ *
  */
 
+#include <stdlib.h>
 #include <string.h>
 #include <sys/prctl.h>
 #include <linux/seccomp.h>
 #include <sys/syscall.h>
 
 #define DISPLAY(msg) (syscall( SYS_write, 2, msg, strlen(msg) ))
+#define exit(status) { syscall( SYS_exit, status ); abort(); }
 
 int main() {
 	system("echo before");
@@ -18,4 +27,5 @@ int main() {
 	//fflush(NULL);
 
 	system("echo after");
+	exit(0);
 }