| 1 | /* |
| 2 | * seccomp.c (Harvie 2o14) |
| 3 | * |
| 4 | * This demonstrates how to use SECCOMP_MODE_STRICT to sandbox code on Linux. |
| 5 | * You need kernel compiled with CONFIG_SECCOMP=y. |
| 6 | * This prohibits everything except read(2), write(2), _exit(2), and sigreturn(2). |
| 7 | * Trying to use other syscalls will result in SIGKILL. |
| 8 | * If you need to enable more syscalls you can use SECCOMP_MODE_FILTER instead. |
| 9 | * See man 2 prctl for more... |
| 10 | * |
| 11 | */ |
| 12 | |
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/seccomp.h>
| 18 | |
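/*
 * Raw-syscall helpers that remain usable once SECCOMP_MODE_STRICT is active.
 *
 * DISPLAY(msg): writes the NUL-terminated string msg to fd 2 (stderr) with a
 * direct write(2) syscall, bypassing stdio. Evaluates to the syscall's return
 * value. msg is evaluated twice, so pass an expression without side effects.
 *
 * exit(status): deliberately shadows the libc exit(). glibc's exit()/_exit()
 * terminate through exit_group(2), which strict mode does not permit, so the
 * process would be SIGKILLed instead of exiting with `status`. The raw
 * SYS_exit call is on the strict-mode allow-list. Note that this skips
 * atexit() handlers and stdio flushing. abort() is only a backstop in case the
 * syscall unexpectedly returns.
 *
 * Wrapped in do { } while (0) so that `exit(x);` is a single statement and is
 * safe in an unbraced if/else.
 */
#define DISPLAY(msg) (syscall(SYS_write, 2, (msg), strlen(msg)))
#define exit(status) do { syscall(SYS_exit, (status)); abort(); } while (0)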
| 21 | |
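/*
 * Demo entry point: runs a shell command, enters seccomp strict mode, then
 * tries to run a second shell command to show that it is no longer possible.
 *
 * Expected output when the sandbox is available: "before", then
 * "SECCOMP Enabled!", after which the second system() call needs syscalls
 * outside the strict-mode allow-list and the kernel kills the process with
 * SIGKILL. "after" is never printed and the final exit(0) is not reached.
 *
 * If the sandbox cannot be enabled the program reports it and exits with
 * status 1 rather than continuing unsandboxed.
 */
int main(void) {
	/* Still unrestricted here: system() is free to spawn a shell. */
	system("echo before");

	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) {
		/*
		 * Fail closed: never run the "sandboxed" part of the program
		 * without the sandbox, and do not report success to the caller.
		 */
		DISPLAY("SECCOMP Fail!\n");
		exit(1);
	}
	DISPLAY("SECCOMP Enabled!\n");

	/*
	 * Strict mode is now in force and cannot be switched off for this
	 * process. Only read(2), write(2), _exit(2) and sigreturn(2) are
	 * allowed, so this call gets the process killed.
	 */
	system("echo after");

	/* Uses the file's raw SYS_exit macro, not libc exit(). */
	exit(0);
}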