#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <seccomp.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
// https://blog.mnus.de/2020/05/sandboxing-soldatserver-with-bubblewrap-and-seccomp/
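/*
 * Build a filter whose default action is SCMP_ACT_LOG (every syscall is
 * allowed but logged) and dump it twice: the raw BPF program to fd 1
 * (stdout) and the human-readable PFC listing to fd 2 (stderr).  Callers
 * are expected to redirect those descriptors, as in the blog post linked
 * above.
 *
 * Every libseccomp call is checked and a failure is reported on stderr;
 * the function has no return value, so callers cannot observe failures
 * other than through that message.
 */
void log_all_syscalls(void) {
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_LOG);
    if (ctx == NULL) {
        fprintf(stderr, "seccomp_init failed\n");
        return;
    }

    /* On an x86_64 host the native architecture is already part of a
     * freshly initialised filter and libseccomp answers -EEXIST; that is
     * not an error for our purposes. */
    int rc = seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
    if (rc < 0 && rc != -EEXIST) {
        fprintf(stderr, "seccomp_arch_add: %s\n", strerror(-rc));
        goto out;
    }

    /* The two exports are independent: attempt both even if one fails. */
    rc = seccomp_export_bpf(ctx, STDOUT_FILENO);
    if (rc < 0) {
        fprintf(stderr, "seccomp_export_bpf: %s\n", strerror(-rc));
    }
    rc = seccomp_export_pfc(ctx, STDERR_FILENO);
    if (rc < 0) {
        fprintf(stderr, "seccomp_export_pfc: %s\n", strerror(-rc));
    }

out:
    seccomp_release(ctx);
}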
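/*
 * Open PATH for writing (created 0600 if absent, truncated otherwise) and
 * hand the descriptor to EXPORT_FN, one of seccomp_export_bpf() or
 * seccomp_export_pfc().
 *
 * Returns 0 on success, otherwise a negative errno value from open(),
 * close() or libseccomp.
 *
 * O_NOFOLLOW refuses a symlink at the final path component, but PATH is a
 * predictable name in a shared directory, so a file pre-created there by
 * another local user is truncated rather than rejected.  NOTE(review):
 * O_EXCL, or a per-user output directory, would close that gap at the cost
 * of failing when the file already exists — TODO decide which is wanted.
 */
static int export_to_path(const scmp_filter_ctx ctx, const char *path,
                          int (*export_fn)(const scmp_filter_ctx, int)) {
    /* 0600: the exported filter is data, so no execute bit (the original
     * used S_IRWXU); the mode only matters when the file is created. */
    int fd = open(path, O_CREAT | O_WRONLY | O_NOFOLLOW | O_TRUNC,
                  S_IRUSR | S_IWUSR);
    if (fd == -1) {
        return -errno;
    }

    int rc = export_fn(ctx, fd);

    /* A failed close() on a write descriptor can mean lost data; surface
     * it unless the export itself already failed. */
    if (close(fd) == -1 && rc == 0) {
        rc = -errno;
    }
    return rc;
}

/*
 * Export a freshly initialised SCMP_ACT_KILL filter to
 * /tmp/seccomp_filter.bpf (raw BPF) and /tmp/seccomp_filter.pfc (PFC text).
 * Despite the name, nothing here inspects the filter installed on the
 * running process; only the new context created below is exported.
 *
 * Returns 0 on success, 1 if the filter context could not be allocated
 * (historical value, kept for callers), otherwise the positive errno
 * value of the first failing step.
 */
int log_current_seccomp(void) {
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL) {
        return 1;
    }

    int rc = export_to_path(ctx, "/tmp/seccomp_filter.bpf", seccomp_export_bpf);
    if (rc == 0) {
        rc = export_to_path(ctx, "/tmp/seccomp_filter.pfc", seccomp_export_pfc);
    }

    seccomp_release(ctx);
    /* rc is 0 or a negative errno; callers get the positive form. */
    return -rc;
}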
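/*
 * Usage: prog [--filter current|logging]
 *
 * With exactly two arguments, "--filter current" writes a SCMP_ACT_KILL
 * filter to /tmp (see log_current_seccomp) and "--filter logging" dumps a
 * SCMP_ACT_LOG filter to stdout/stderr (see log_all_syscalls).  Any other
 * argument count falls back to the logging filter, as before.
 *
 * Returns EXIT_SUCCESS, or EXIT_FAILURE when the arguments are not
 * understood or log_current_seccomp() reports an error; previously both
 * cases exited 0 without any message.
 */
int main(int argc, char **argv) {
    if (argc != 3) {
        printf("going with the default filter kind which is logging.\n");
        log_all_syscalls();
        return EXIT_SUCCESS;
    }

    if (strcmp("--filter", argv[1]) != 0) {
        fprintf(stderr, "unknown option: %s (expected --filter)\n", argv[1]);
        return EXIT_FAILURE;
    }

    if (strcmp("current", argv[2]) == 0) {
        /* log_current_seccomp returns 0 or a positive errno-style code. */
        int err = log_current_seccomp();
        if (err != 0) {
            fprintf(stderr, "exporting the filter failed: %s\n", strerror(err));
            return EXIT_FAILURE;
        }
        return EXIT_SUCCESS;
    }

    if (strcmp("logging", argv[2]) == 0) {
        log_all_syscalls();
        return EXIT_SUCCESS;
    }

    fprintf(stderr, "unknown filter kind: %s (expected current|logging)\n",
            argv[2]);
    return EXIT_FAILURE;
}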