seccomp/seccomp_control_open.c — This is seccomp/seccomp_control_open.c, an example to accompany the book, The Linux Programming Interface. This file is not printed in the book; it demonstrates Linux features that are not described in the book (typically features that have appeared since the book was published). The source code file is copyright 2024, Michael Kerrisk, and is licensed under the GNU General Public License, version 3. In the listing below, the names of Linux system calls and C library functions are hyperlinked to manual pages from the Linux man-pages project, and the names of functions implemented in the book are hyperlinked to the implementations of those functions.
/* seccomp_control_open.c

   A simple seccomp filter example. Install a filter that triggers
   different failures in open()/openat(), depending on the flags
   argument given to the call.
*/
#define _GNU_SOURCE
#include <stddef.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/audit.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include "tlpi_hdr.h"

/* The following is a hack to allow for systems (pre-Linux 4.14) that
   don't provide SECCOMP_RET_KILL_PROCESS, which kills (all threads in)
   a process. On those systems, define SECCOMP_RET_KILL_PROCESS as
   SECCOMP_RET_KILL (which simply kills the calling thread). */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
/* Minimal wrapper that invokes the seccomp(2) system call through
   syscall(2). The arguments are passed straight to the kernel and the
   kernel's result is handed back unchanged: -1 with errno set on
   failure, otherwise whatever the requested 'operation' returns. */
static int seccomp(unsigned int operation, unsigned int flags, void *args)
{
    long rc = syscall(__NR_seccomp, operation, flags, args);
    return (int) rc;
}
/* Build and install the seccomp filter.

   The filter is a classic-BPF program that the kernel runs against a
   'struct seccomp_data' for every system call this process makes. It:
     1. kills the process if the 'arch' field is not the architecture the
        program was compiled for (x86-64 or AArch64; on any other
        architecture the check is omitted and the KILL_PROCESS return is
        reached unconditionally, see the #else below);
     2. on x86-64, kills the process for x32-ABI calls (bit 30 of 'nr');
     3. allows every system call other than open()/openat();
     4. for open()/openat(), inspects the flags argument: O_CREAT kills
        the process, write access (O_WRONLY/O_RDWR) fails with ENOTSUP,
        anything else is allowed.

   The jt/jf offsets in BPF_JUMP() count instructions relative to the
   following instruction, so the order of the statements below is part
   of the program: do not reorder or insert instructions without
   recomputing them.

   NOTE(review): only __NR_open and __NR_openat are matched. openat2(2)
   (Linux 5.6 and later) is not inspected and is covered by the "allow
   all other syscalls" rule, so a filter meant to enforce this policy
   rather than demonstrate it would need to handle it as well.

   Exits via errExit() if seccomp() fails. */
static void install_filter(void)
{
    struct sock_filter filter[] = {
        /* Load architecture (system call numbers differ between ABIs,
           so a filter that tests 'nr' must first pin down 'arch') */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                 offsetof(struct seccomp_data, arch)),

        /* Kill the process if the architecture is not what we expect.
           We use some #if logic to craft a check for either x86-64 or
           AArch64. On a match, skip (jt = 1) the KILL_PROCESS below. */
#if defined __x86_64
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
#elif defined __aarch64__
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_AARCH64, 1, 0),
#else
        /* Any other architecture just falls through to the KILL_PROCESS */
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),

        /* Load system call number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                 offsetof(struct seccomp_data, nr)),

#if defined __x86_64
        /* Kill the process if this is an x32 system call (bit 30 is set):
           nr >= X32_SYSCALL_BIT falls through (jt = 0) to KILL_PROCESS,
           otherwise jf = 1 skips it. */
#define X32_SYSCALL_BIT 0x40000000
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, X32_SYSCALL_BIT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
#endif

#ifdef __NR_open        /* Some architectures (e.g., AArch64) don't have open() */
        /* Is this an open() syscall? If not (jf = 2), skip the next two
           instructions and go on to the openat() test. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 2),

        /* Load second argument of open() (flags) into accumulator */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                 offsetof(struct seccomp_data, args[1])),

        /* Jump to flags processing: skip the openat() test, the default
           ALLOW, and the openat() flags load (3 instructions) */
        BPF_JUMP(BPF_JMP | BPF_JA, 3, 0, 0),
#endif

        /* Is this an openat() syscall? If so (jt = 1), skip the ALLOW. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),

        /* Allow all other syscalls */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),

        /* Load third argument of openat() (flags) into accumulator */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                 offsetof(struct seccomp_data, args[2])),

        /* Process flags argument (accumulator now holds the flags of
           either open() or openat()) */

        /* Kill the process if O_CREAT was specified */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_CREAT, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),

        /* Give ENOTSUP error on attempt to open for writing.
           Relies on the fact that O_RDWR and O_WRONLY are defined as
           single, nonoverlapping bits. The errno value is carried in
           the low 16 bits (SECCOMP_RET_DATA) of the return value. */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, O_WRONLY | O_RDWR, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOTSUP),

        /* Otherwise allow the open()/openat() */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
    };

    /* Length is the instruction count, not the byte size */
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Requires PR_SET_NO_NEW_PRIVS to have been set by the caller
       (done in main()) when running without CAP_SYS_ADMIN */
    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) == -1)
        errExit("seccomp");
}
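/* Path that the demonstration open() calls operate on. The file need
   not exist: the read-only attempt then simply reports ENOENT. */
static const char *const demo_path = "/tmp/a";

/* Attempt open(demo_path, flags[, mode]) and report a failure via
   perror() under 'label'. 'mode' is handed to open() only when O_CREAT
   is among 'flags', so the calls issued are the same as writing each
   open() out by hand. A descriptor that was successfully opened is
   closed immediately: the demo only cares whether the call was allowed,
   and keeping it open would leak it. */
static void try_open(const char *label, int flags, mode_t mode)
{
    int fd = (flags & O_CREAT) ? open(demo_path, flags, mode)
                               : open(demo_path, flags);
    if (fd == -1) {
        perror(label);
    } else if (close(fd) == -1) {
        perror(label);
    }
}

/* Install the filter and then make four open() calls that exercise each
   of its branches. 'argc' and 'argv' are unused. */
int main(int argc, char *argv[])
{
    /* PR_SET_NO_NEW_PRIVS is a precondition for installing a seccomp
       filter without CAP_SYS_ADMIN; it also ensures that a later
       execve() cannot gain privileges (e.g., via a set-user-ID binary)
       while the filter is in force. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        errExit("prctl");

    install_filter();

    /* Expected outcomes under the filter:
         open1: allowed (fails with ENOENT only if the file is absent);
         open2, open3: fail with ENOTSUP (write access requested);
         open4: O_CREAT is set, so the filter kills the process (SIGSYS)
                and control never returns here -- exit() below is not
                reached on a system where the filter was installed. */
    try_open("open1", O_RDONLY, 0);
    try_open("open2", O_WRONLY, 0);
    try_open("open3", O_RDWR, 0);
    try_open("open4", O_CREAT | O_RDWR, 0600);

    exit(EXIT_SUCCESS);
}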
Note that, in most cases, the programs rendered in these web pages are not free standing: you'll typically also need a few other source files (mostly in the lib/ subdirectory) as well. Generally, it's easier to just download the entire source tarball and build the programs with make(1). By hovering your mouse over the various hyperlinked include files and function calls above, you can see which other source files this file depends on.