Commit | Line | Data |
---|---|---|
e9d5f91f TM |
1 | /* |
2 | * seccomp.c (Harvie 2o14) | |
06d21dc9 TM |
3 | * |
4 | * This demonstrates how to use SECCOMP_MODE_STRICT to sandbox code on Linux. | |
e9d5f91f TM |
5 | * You need kernel compiled with CONFIG_SECCOMP=y. |
6 | * This prohibits everything except read(2), write(2), _exit(2), and sigreturn(2). | |
7 | * Trying to use other syscalls will result in SIGKILL. | |
8 | * If you need to enable more syscalls you can use SECCOMP_MODE_FILTER instead. | |
9 | * See man 2 prctl for more... | |
10 | * | |
06d21dc9 TM |
11 | */ |
12 | ||
7965c4bd | 13 | #include <stdlib.h> |
06d21dc9 TM |
14 | #include <string.h> |
15 | #include <sys/prctl.h> | |
16 | #include <linux/seccomp.h> | |
17 | #include <sys/syscall.h> | |
18 | ||
19 | #define DISPLAY(msg) (syscall( SYS_write, 2, msg, strlen(msg) )) | |
7965c4bd | 20 | #define exit(status) { syscall( SYS_exit, status ); abort(); } |
06d21dc9 TM |
21 | |
22 | int main() { | |
23 | system("echo before"); | |
24 | ||
25 | if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0) | |
26 | DISPLAY("SECCOMP Enabled!\n"); else DISPLAY("SECCOMP Fail!\n"); | |
27 | //fflush(NULL); | |
28 | ||
29 | system("echo after"); | |
7965c4bd | 30 | exit(0); |
06d21dc9 | 31 | } |