2 * seccomp.c (Harvie 2o14)
4 * This demonstrates how to use SECCOMP_MODE_STRICT to sandbox code on Linux.
5 * You need kernel compiled with CONFIG_SECCOMP=y.
6 * This prohibits everything except read(2), write(2), _exit(2), and sigreturn(2).
7 * Trying to use other syscalls will result in SIGKILL.
8 * If you need to enable more syscalls you can use SECCOMP_MODE_FILTER instead.
9 * See man 2 prctl for more...
15 #include <sys/prctl.h>
16 #include <linux/seccomp.h>
17 #include <sys/syscall.h>
19 #define DISPLAY(msg) (syscall( SYS_write, 2, msg, strlen(msg) ))
20 #define exit(status) { syscall( SYS_exit, status ); abort(); }
23 system("echo before");
25 if(prctl(PR_SET_SECCOMP
, SECCOMP_MODE_STRICT
) == 0)
26 DISPLAY("SECCOMP Enabled!\n"); else DISPLAY("SECCOMP Fail!\n");
This page took 0.265534 seconds and 4 git commands to generate.