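====== Seccomp ======

===== Sandboxing with libseccomp =====

<code>
/* build: gcc -o myos myos_libseccomp.c -lseccomp */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <seccomp.h>
#include <err.h>

/*
 * Install a seccomp filter that allows every syscall except uname(2),
 * which terminates the caller with SIGSYS.
 *
 * This is a denylist (SCMP_ACT_ALLOW as the default action): anything
 * not listed stays reachable.  A production sandbox normally starts from
 * SCMP_ACT_KILL or SCMP_ACT_ERRNO and allows only what the program needs.
 * libseccomp enables no_new_privs before loading the filter (required
 * unless the caller has CAP_SYS_ADMIN), so exec'd set-uid binaries do not
 * gain privileges afterwards.  Exits the process on any failure; never
 * returns an error to the caller.
 */
static void sandbox(void)
{
    int rc;
    int nr;

    /* allow all syscalls by default */
    scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!seccomp_ctx)
        errx(1, "seccomp_init failed");

    /* resolve the syscall number for this architecture; negative on failure */
    nr = seccomp_syscall_resolve_name("uname");
    if (nr < 0) {
        seccomp_release(seccomp_ctx);
        errx(1, "seccomp_syscall_resolve_name(\"uname\") failed");
    }

    /*
     * Kill the caller if it uses the "uname" syscall.  libseccomp returns
     * a negative errno value instead of setting errno, so strerror(-rc)
     * is reported rather than perror().  SCMP_ACT_KILL terminates only
     * the calling thread; multi-threaded programs usually want
     * SCMP_ACT_KILL_PROCESS so one thread cannot keep running after a
     * violation.
     */
    rc = seccomp_rule_add_exact(seccomp_ctx, SCMP_ACT_KILL, nr, 0);
    if (rc < 0) {
        seccomp_release(seccomp_ctx);
        errx(1, "seccomp_rule_add_exact failed: %s", strerror(-rc));
    }

    /* apply the composed filter */
    rc = seccomp_load(seccomp_ctx);
    if (rc < 0) {
        seccomp_release(seccomp_ctx);
        errx(1, "seccomp_load failed: %s", strerror(-rc));
    }

    /* release allocated context; the loaded filter stays in the kernel */
    seccomp_release(seccomp_ctx);
}

/*
 * Load the filter, then trigger the forbidden syscall.  With the filter in
 * place the uname() call never returns: the kernel delivers SIGSYS.
 */
int main(void)
{
    struct utsname name;

    sandbox();

    if (uname(&name)) {
        /* perror() appends ": <strerror>" itself, so no trailing colon */
        perror("uname failed");
        return 1;
    }
    printf("My OS is %s!\n", name.sysname);
    return 0;
}
</code>

===== Sandboxing without modifying source code (Systemd) =====

Kill the program if it calls the uname syscall:

<code>
# Just kill
systemd-run --user --pty --same-dir --wait --collect --service-type=exec --property="SystemCallFilter=~uname" ./program

# return an error code
systemd-run --user --pty --same-dir --wait --collect --service-type=exec --property="SystemCallFilter=~uname" --property="SystemCallErrorNumber=ENETDOWN" ./program
</code>

Note that the execve, exit, exit_group, getrlimit, rt_sigreturn, sigreturn system calls and the system calls for querying time and sleeping are implicitly whitelisted and do not need to be listed explicitly.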
===== Sandboxing without modifying source code (https://github.com/cloudflare/sandbox) =====

  * dynamically linked program

<code>
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libsandbox.so SECCOMP_SYSCALL_DENY=uname ./program
# or
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libsandbox.so SECCOMP_SYSCALL_ALLOW=exit_group:fstat:uname:write ./myos
# or even better because we can't forget to link the lib
patchelf --add-needed /usr/lib/x86_64-linux-gnu/libsandbox.so ./program
SECCOMP_SYSCALL_DENY=uname ./program
</code>

  * statically linked program

<code>
SECCOMP_SYSCALL_DENY=uname sandboxify ./program
</code>