diff options
author | terminaldweller <thabogre@gmail.com> | 2022-12-02 17:52:42 +0000 |
---|---|---|
committer | terminaldweller <thabogre@gmail.com> | 2022-12-02 17:52:42 +0000 |
commit | 674f40d027ece13daa78ef2a7d69c79f4198368a (patch) | |
tree | 2bcc0e41e5064b62d18bb376a5ecf0d760b6f13d /seccomp/seccomp_filter.c | |
parent | update (diff) | |
download | scripts-674f40d027ece13daa78ef2a7d69c79f4198368a.tar.gz scripts-674f40d027ece13daa78ef2a7d69c79f4198368a.zip |
update
Diffstat (limited to 'seccomp/seccomp_filter.c')
-rw-r--r-- | seccomp/seccomp_filter.c | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/seccomp/seccomp_filter.c b/seccomp/seccomp_filter.c new file mode 100644 index 0000000..89ea917 --- /dev/null +++ b/seccomp/seccomp_filter.c @@ -0,0 +1,75 @@ +#include <errno.h> +#include <fcntl.h> +#include <inttypes.h> +#include <seccomp.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +void log_all_syscalls(void) { + scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_LOG); + seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + seccomp_export_bpf(ctx, 1); + seccomp_export_pfc(ctx, 2); + seccomp_release(ctx); +} + +int log_current_seccomp(void) { + int rc = -1; + scmp_filter_ctx ctx; + int filter_fd; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + goto out; + + filter_fd = open("/tmp/seccomp_filter.bpf", + O_CREAT | O_WRONLY | O_NOFOLLOW | O_TRUNC, S_IRWXU); + if (filter_fd == -1) { + rc = -errno; + goto out; + } + + rc = seccomp_export_bpf(ctx, filter_fd); + if (rc < 0) { + close(filter_fd); + goto out; + } + close(filter_fd); + + filter_fd = open("/tmp/seccomp_filter.pfc", + O_CREAT | O_WRONLY | O_NOFOLLOW | O_TRUNC, S_IRWXU); + if (filter_fd == -1) { + rc = -errno; + goto out; + } + + rc = seccomp_export_pfc(ctx, filter_fd); + if (rc < 0) { + close(filter_fd); + goto out; + } + close(filter_fd); + +out: + seccomp_release(ctx); + return -rc; +} + +int main(int argc, char **argv) { + if (argc == 3) { + if (!strcmp("--filter", argv[1])) { + if (!strcmp("current", argv[2])) { + log_current_seccomp(); + } else if (!strcmp("logging", argv[2])) { + log_all_syscalls(); + } else { + } + } + } else { + printf("going with the default filter kind which is logging.\n"); + log_all_syscalls(); + } +} |