Seccomp
Sandboxing with libseccomp
# gcc -o myos myos_libseccomp.c -lseccomp
#define _GNU_SOURCE
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <seccomp.h>
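/*
 * Install a seccomp filter that allows every syscall except "uname",
 * which terminates the caller. Exits with status 1 on any setup failure.
 *
 * libseccomp reports failures as a negative errno value in the return
 * code rather than through errno, so the message is built from
 * strerror(-rc); perror() would print whatever errno happened to hold.
 */
static void sandbox(void)
{
    /* Allow all syscalls by default; only the rule below denies anything. */
    scmp_filter_ctx seccomp_ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (!seccomp_ctx)
        errx(1, "seccomp_init failed");

    /* Resolve the syscall number for the native architecture;
     * __NR_SCMP_ERROR means the name is unknown to this libseccomp. */
    int uname_nr = seccomp_syscall_resolve_name("uname");
    if (uname_nr == __NR_SCMP_ERROR) {
        seccomp_release(seccomp_ctx);
        errx(1, "cannot resolve syscall number for \"uname\"");
    }

    /* Kill the process if it tries to use the "uname" syscall.
     * SCMP_ACT_KILL terminates the calling thread; in a multi-threaded
     * program SCMP_ACT_KILL_PROCESS (libseccomp >= 2.4) kills them all. */
    int rc = seccomp_rule_add_exact(seccomp_ctx, SCMP_ACT_KILL, uname_nr, 0);
    if (rc < 0) {
        seccomp_release(seccomp_ctx);
        errx(1, "seccomp_rule_add_exact failed: %s", strerror(-rc));
    }

    /* Apply the composed filter to the kernel. */
    rc = seccomp_load(seccomp_ctx);
    if (rc < 0) {
        seccomp_release(seccomp_ctx);
        errx(1, "seccomp_load failed: %s", strerror(-rc));
    }

    /* The filter lives in the kernel now; the userspace context can go. */
    seccomp_release(seccomp_ctx);
}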
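/*
 * Apply the sandbox, then call uname() to demonstrate the filter: with
 * SCMP_ACT_KILL the process is terminated inside uname() and never reaches
 * the printf. Returns 0 on success, 1 if uname() itself fails.
 */
int main(void)
{
    struct utsname name;

    /* Install the filter first so the uname() below is the call it catches. */
    sandbox();

    if (uname(&name)) {
        /* perror() appends ": <strerror>" itself, so the prefix carries no
         * trailing ": " (the original printed "uname failed: : ..."). */
        perror("uname failed");
        return 1;
    }
    printf("My OS is %s!\n", name.sysname);
    return 0;
}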
Sandboxing without modifying source code (Systemd)
Kill the program if it calls the uname syscall
# Just kill: the filtered syscall terminates the program
systemd-run --user --pty --same-dir --wait --collect --service-type=exec \
    --property="SystemCallFilter=~uname" ./program

# Return an error code from the filtered syscall instead of killing
systemd-run --user --pty --same-dir --wait --collect --service-type=exec \
    --property="SystemCallFilter=~uname" \
    --property="SystemCallErrorNumber=ENETDOWN" ./program
Note that the execve, exit, exit_group, getrlimit, rt_sigreturn, sigreturn system calls and the system calls for querying time and sleeping are implicitly whitelisted and do not need to be listed explicitly.
Sandboxing without modifying source code (https://github.com/cloudflare/sandbox)
- dynamically linked binaries
# Deny a single syscall through the preloaded library. Works only for
# dynamically linked binaries, and the loader ignores LD_PRELOAD for
# set-uid / secure-execution binaries.
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libsandbox.so SECCOMP_SYSCALL_DENY=uname ./program

# or: allow-list only the syscalls the program needs (colon-separated)
LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libsandbox.so SECCOMP_SYSCALL_ALLOW=exit_group:fstat:uname:write ./myos

# or even better, because we can't forget to link the lib: record
# libsandbox.so as a DT_NEEDED dependency of the binary itself
# (this rewrites ./program in place)
patchelf --add-needed /usr/lib/x86_64-linux-gnu/libsandbox.so ./program
SECCOMP_SYSCALL_DENY=uname ./program
- statically linked binaries
# A static binary has no dynamic loader, so LD_PRELOAD cannot inject the
# library; sandboxify wraps the program instead, reading the same
# SECCOMP_SYSCALL_DENY / SECCOMP_SYSCALL_ALLOW variables.
SECCOMP_SYSCALL_DENY=uname sandboxify ./program