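====== Seccomp ======

===== Sandboxing with libseccomp =====

<code c>
/* build: gcc -o myos myos_libseccomp.c -lseccomp */
#define _GNU_SOURCE
#include <err.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>

static void sandbox(void)
{
    /* allow all syscalls by default */
    scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!seccomp_ctx)
        err(1, "seccomp_init failed");

    /* kill the process, if it tries to use "uname" syscall */
    if (seccomp_rule_add_exact(seccomp_ctx, SCMP_ACT_KILL, seccomp_syscall_resolve_name("uname"), 0)) {
        perror("seccomp_rule_add_exact failed");
        exit(1);
    }

    /* apply the composed filter */
    if (seccomp_load(seccomp_ctx)) {
        perror("seccomp_load failed");
        exit(1);
    }

    /* release allocated context */
    seccomp_release(seccomp_ctx);
}

int main(void)
{
    struct utsname name;

    sandbox();

    if (uname(&name)) {
        perror("uname failed: ");
        return 1;
    }

    printf("My OS is %s!\n", name.sysname);
    return 0;
}
</code>

Notes on the example: the filter is a deny list (default action ''SCMP_ACT_ALLOW'', one syscall blocked), which is fine for a demonstration; for real sandboxing an allow list (a restrictive default action plus explicit allow rules) is the safer design, because syscalls that were not thought of stay blocked. ''SCMP_ACT_KILL'' terminates the calling thread; newer libseccomp releases also provide ''SCMP_ACT_KILL_PROCESS'' to terminate the whole process. The libseccomp functions report failure through a negative errno-style return value, so ''perror()'' may not show the real cause; check the return value itself.

===== Sandboxing without modifying source code (Systemd) =====

Kill the program if it calls the ''uname'' syscall, or make the syscall fail with an error code instead:

<code bash>
# Just kill
systemd-run --user --pty --same-dir --wait --collect --service-type=exec --property="SystemCallFilter=~uname" ./program

# return an error code
systemd-run --user --pty --same-dir --wait --collect --service-type=exec --property="SystemCallFilter=~uname" --property="SystemCallErrorNumber=ENETDOWN" ./program
</code>

A leading ''~'' turns the list into a deny list, as in the commands above; without it the list is an allow list. Note that, in the allow-list form, the execve, exit, exit_group, getrlimit, rt_sigreturn, sigreturn system calls and the system calls for querying time and sleeping are implicitly whitelisted and do not need to be listed explicitly.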
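===== Sandboxing without modifying source code (https://github.com/cloudflare/sandbox) =====

  * dynamically linked executables

<code bash>
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libsandbox.so SECCOMP_SYSCALL_DENY=uname ./program

# or
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libsandbox.so SECCOMP_SYSCALL_ALLOW=exit_group:fstat:uname:write ./myos

# or, even better, record the library as a dependency of the binary,
# so that the preload can no longer be forgotten
patchelf --add-needed /usr/lib/x86_64-linux-gnu/libsandbox.so ./program
SECCOMP_SYSCALL_DENY=uname ./program
</code>

  * statically linked executables (''LD_PRELOAD'' has no effect on them, so the wrapper is used instead)

<code bash>
SECCOMP_SYSCALL_DENY=uname sandboxify ./program
</code>

In all of these variants the policy is read from environment variables, so it is chosen by whoever launches the program: it confines the program itself, but it is not a control over the user who starts it.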