[mirrors/Programs.git] / c / seccomp.c

/*
 * seccomp.c (Harvie 2o14)
 *
 * This demonstrates how to use SECCOMP_MODE_STRICT to sandbox code on Linux.
 * You need kernel compiled with CONFIG_SECCOMP=y.
 * This prohibits everything except read(2), write(2), _exit(2), and sigreturn(2).
 * Trying to use other syscalls will result in SIGKILL.
 * If you need to enable more syscalls you can use SECCOMP_MODE_FILTER instead.
 * See man 2 prctl for more...
 *
 */

#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

#define DISPLAY(msg) (syscall( SYS_write, 2, msg, strlen(msg) ))
#define exit(status) { syscall( SYS_exit, status ); abort(); }

int main() {
	system("echo before");

	if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0)
		DISPLAY("SECCOMP Enabled!\n"); else DISPLAY("SECCOMP Fail!\n");
	//fflush(NULL);

	system("echo after");
	exit(0);
}
Commit	Line	Data
e9d5f91f TM	1	/*
e9d5f91f TM	2	* seccomp.c (Harvie 2o14)
06d21dc9 TM	3	*
06d21dc9 TM	4	* This demonstrates how to use SECCOMP_MODE_STRICT to sandbox code on Linux.
e9d5f91f TM	5	* You need kernel compiled with CONFIG_SECCOMP=y.
	6	* This prohibits everything except read(2), write(2), _exit(2), and sigreturn(2).
	7	* Trying to use other syscalls will result in SIGKILL.
	8	* If you need to enable more syscalls you can use SECCOMP_MODE_FILTER instead.
	9	* See man 2 prctl for more...
	10	*
06d21dc9 TM	11	*/
06d21dc9 TM	12
7965c4bd	13	#include <stdlib.h>
06d21dc9 TM	14	#include <string.h>
	15	#include <sys/prctl.h>
	16	#include <linux/seccomp.h>
	17	#include <sys/syscall.h>
	18
	19	#define DISPLAY(msg) (syscall( SYS_write, 2, msg, strlen(msg) ))
7965c4bd	20	#define exit(status) { syscall( SYS_exit, status ); abort(); }
06d21dc9 TM	21
	22	int main() {
	23	system("echo before");
	24
	25	if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) == 0)
	26	DISPLAY("SECCOMP Enabled!\n"); else DISPLAY("SECCOMP Fail!\n");
	27	//fflush(NULL);
	28
	29	system("echo after");
7965c4bd	30	exit(0);
06d21dc9	31	}