Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
8ac270d1 WD |
2 | /* |
3 | * Naive system call dropper built on seccomp_filter. | |
4 | * | |
5 | * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org> | |
6 | * Author: Will Drewry <wad@chromium.org> | |
7 | * | |
8 | * The code may be used by anyone for any purpose, | |
9 | * and can serve as a starting point for developing | |
10 | * applications using prctl(PR_SET_SECCOMP, 2, ...). | |
11 | * | |
12 | * When run, returns the specified errno for the specified | |
13 | * system call number against the given architecture. | |
14 | * | |
8ac270d1 WD |
15 | */ |
16 | ||
17 | #include <errno.h> | |
18 | #include <linux/audit.h> | |
19 | #include <linux/filter.h> | |
20 | #include <linux/seccomp.h> | |
21 | #include <linux/unistd.h> | |
22 | #include <stdio.h> | |
23 | #include <stddef.h> | |
24 | #include <stdlib.h> | |
25 | #include <sys/prctl.h> | |
26 | #include <unistd.h> | |
27 | ||
28 | static int install_filter(int nr, int arch, int error) | |
29 | { | |
30 | struct sock_filter filter[] = { | |
31 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, | |
32 | (offsetof(struct seccomp_data, arch))), | |
33 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, arch, 0, 3), | |
34 | BPF_STMT(BPF_LD+BPF_W+BPF_ABS, | |
35 | (offsetof(struct seccomp_data, nr))), | |
36 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1), | |
37 | BPF_STMT(BPF_RET+BPF_K, | |
38 | SECCOMP_RET_ERRNO|(error & SECCOMP_RET_DATA)), | |
39 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | |
40 | }; | |
41 | struct sock_fprog prog = { | |
42 | .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), | |
43 | .filter = filter, | |
44 | }; | |
1ff12050 RZ |
45 | if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { |
46 | perror("prctl(NO_NEW_PRIVS)"); | |
47 | return 1; | |
48 | } | |
8ac270d1 | 49 | if (prctl(PR_SET_SECCOMP, 2, &prog)) { |
1ff12050 | 50 | perror("prctl(PR_SET_SECCOMP)"); |
8ac270d1 WD |
51 | return 1; |
52 | } | |
53 | return 0; | |
54 | } | |
55 | ||
56 | int main(int argc, char **argv) | |
57 | { | |
58 | if (argc < 5) { | |
59 | fprintf(stderr, "Usage:\n" | |
60 | "dropper <syscall_nr> <arch> <errno> <prog> [<args>]\n" | |
61 | "Hint: AUDIT_ARCH_I386: 0x%X\n" | |
62 | " AUDIT_ARCH_X86_64: 0x%X\n" | |
63 | "\n", AUDIT_ARCH_I386, AUDIT_ARCH_X86_64); | |
64 | return 1; | |
65 | } | |
66 | if (install_filter(strtol(argv[1], NULL, 0), strtol(argv[2], NULL, 0), | |
67 | strtol(argv[3], NULL, 0))) | |
68 | return 1; | |
69 | execv(argv[4], &argv[4]); | |
70 | printf("Failed to execv\n"); | |
71 | return 255; | |
72 | } |