1 /* 2 * Naive system call dropper built on seccomp_filter. 3 * 4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org> 5 * Author: Will Drewry <wad@chromium.org> 6 * 7 * The code may be used by anyone for any purpose, 8 * and can serve as a starting point for developing 9 * applications using prctl(PR_SET_SECCOMP, 2, ...). 10 * 11 * When run, returns the specified errno for the specified 12 * system call number against the given architecture. 13 * 14 */ 15 16 #include <errno.h> 17 #include <linux/audit.h> 18 #include <linux/filter.h> 19 #include <linux/seccomp.h> 20 #include <linux/unistd.h> 21 #include <stdio.h> 22 #include <stddef.h> 23 #include <stdlib.h> 24 #include <sys/prctl.h> 25 #include <unistd.h> 26 27 static int install_filter(int nr, int arch, int error) 28 { 29 struct sock_filter filter[] = { 30 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 31 (offsetof(struct seccomp_data, arch))), 32 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, arch, 0, 3), 33 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, 34 (offsetof(struct seccomp_data, nr))), 35 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1), 36 BPF_STMT(BPF_RET+BPF_K, 37 SECCOMP_RET_ERRNO|(error & SECCOMP_RET_DATA)), 38 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), 39 }; 40 struct sock_fprog prog = { 41 .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), 42 .filter = filter, 43 }; 44 if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { 45 perror("prctl(NO_NEW_PRIVS)"); 46 return 1; 47 } 48 if (prctl(PR_SET_SECCOMP, 2, &prog)) { 49 perror("prctl(PR_SET_SECCOMP)"); 50 return 1; 51 } 52 return 0; 53 } 54 55 int main(int argc, char **argv) 56 { 57 if (argc < 5) { 58 fprintf(stderr, "Usage:\n" 59 "dropper <syscall_nr> <arch> <errno> <prog> [<args>]\n" 60 "Hint: AUDIT_ARCH_I386: 0x%X\n" 61 " AUDIT_ARCH_X86_64: 0x%X\n" 62 "\n", AUDIT_ARCH_I386, AUDIT_ARCH_X86_64); 63 return 1; 64 } 65 if (install_filter(strtol(argv[1], NULL, 0), strtol(argv[2], NULL, 0), 66 strtol(argv[3], NULL, 0))) 67 return 1; 68 execv(argv[4], &argv[4]); 69 printf("Failed to execv\n"); 70 return 255; 71 } 72