Seccomp and chdir behaviour [closed]

Post by Guest »

I have been looking into using seccomp and wrote something to test it. I combined parts of it to provide a small example.

Code:

#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

// The SECCOMP_RET_* action codes come from <linux/seccomp.h>. The original post
// re-defined them by hand and gave SECCOMP_RET_LOG the value 0x00070000, which is
// not a kernel action code (the kernel's SECCOMP_RET_LOG is 0x7ffc0000U).

// Designated initializers need C++20 (or the GNU extension in older g++).
int main(int argc, char **argv) {
    (void)argc; (void)argv;

    std::vector<sock_filter> filter;

    // Check the architecture first: kill the task if it is not x86_64.
    filter.push_back({ .code = BPF_LD | BPF_W | BPF_ABS, .jt = 0, .jf = 0, .k = offsetof(seccomp_data, arch) });
    filter.push_back({ .code = BPF_JMP | BPF_JEQ | BPF_K, .jt = 1, .jf = 0, .k = AUDIT_ARCH_X86_64 });
    filter.push_back({ .code = BPF_RET | BPF_K, .jt = 0, .jf = 0, .k = SECCOMP_RET_KILL });

    uint32_t call1 = __NR_rmdir;
    uint32_t call2 = __NR_chdir;
    uint32_t call3 = __NR_mkdir;

    // Load the syscall number; each match jumps forward to the "deny" return,
    // anything else falls through to "allow".
    filter.push_back({ .code = BPF_LD | BPF_W | BPF_ABS, .jt = 0, .jf = 0, .k = offsetof(seccomp_data, nr) });
    filter.push_back({ .code = BPF_JMP | BPF_JEQ | BPF_K, .jt = 3, .jf = 0, .k = call1 });
    filter.push_back({ .code = BPF_JMP | BPF_JEQ | BPF_K, .jt = 2, .jf = 0, .k = call2 });
    filter.push_back({ .code = BPF_JMP | BPF_JEQ | BPF_K, .jt = 1, .jf = 0, .k = call3 });

    uint32_t deny  = SECCOMP_RET_LOG;
    uint32_t allow = SECCOMP_RET_ALLOW;

    filter.push_back({ .code = BPF_RET | BPF_K, .jt = 0, .jf = 0, .k = allow });
    filter.push_back({ .code = BPF_RET | BPF_K, .jt = 0, .jf = 0, .k = deny  });

    sock_fprog prog = { .len = (unsigned short)filter.size(), .filter = filter.data() };

    if (::prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
        std::cerr << "prctl(PR_SET_NO_NEW_PRIVS) failed: " << std::strerror(errno) << '\n';
        return 1;
    }
    // The original post is cut off after the std::cerr above. Installing the
    // filter is the standard next step and is added here so the program runs.
    if (::prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
        std::cerr << "prctl(PR_SET_SECCOMP) failed: " << std::strerror(errno) << '\n';
        return 1;
    }
    return 0;
}
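To check what a seccomp-BPF program will decide before installing it in a live process, here is an added example (not code from the post) that rebuilds the post's filter as data and runs it through a minimal classic-BPF interpreter in user space. It assumes x86_64 syscall numbers and uses the kernel's own action codes from <linux/seccomp.h>; the post's hand-rolled SECCOMP_RET_LOG value 0x00070000 is not a kernel action code, and the kernel treats an unrecognised action like SECCOMP_RET_KILL.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>
// Constants mirror <linux/filter.h>, <linux/audit.h>, <linux/seccomp.h>, <asm/unistd_64.h>.
constexpr uint16_t BPF_LD = 0x00, BPF_W = 0x00, BPF_ABS = 0x20;
constexpr uint16_t BPF_JMP = 0x05, BPF_JEQ = 0x10, BPF_K = 0x00, BPF_RET = 0x06;
constexpr uint32_t AUDIT_ARCH_X86_64 = 0xc000003e, NR_chdir = 80, NR_mkdir = 83, NR_rmdir = 84;
constexpr uint32_t RET_KILL = 0x00000000U, RET_LOG = 0x7ffc0000U, RET_ALLOW = 0x7fff0000U;
struct Insn { uint16_t code; uint8_t jt, jf; uint32_t k; };  // same layout as struct sock_filter
struct SeccompData { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };
// The post's program: kill if not x86_64, "deny" (log) rmdir/chdir/mkdir, allow everything else.
std::vector<Insn> buildFilter() {
    return {
        { BPF_LD | BPF_W | BPF_ABS, 0, 0, uint32_t(offsetof(SeccompData, arch)) },
        { BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64 },
        { BPF_RET | BPF_K, 0, 0, RET_KILL },
        { BPF_LD | BPF_W | BPF_ABS, 0, 0, uint32_t(offsetof(SeccompData, nr)) },
        { BPF_JMP | BPF_JEQ | BPF_K, 3, 0, NR_rmdir },
        { BPF_JMP | BPF_JEQ | BPF_K, 2, 0, NR_chdir },
        { BPF_JMP | BPF_JEQ | BPF_K, 1, 0, NR_mkdir },
        { BPF_RET | BPF_K, 0, 0, RET_ALLOW },
        { BPF_RET | BPF_K, 0, 0, RET_LOG },
    };
}
// Minimal cBPF interpreter covering only the three opcodes the filter uses.
uint32_t runFilter(const std::vector<Insn>& prog, const SeccompData& d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < prog.size(); ++pc) {
        const Insn& in = prog[pc];
        switch (in.code) {
        case BPF_LD | BPF_W | BPF_ABS:  // A = 32-bit word at offset k of seccomp_data
            if (in.k % 4 != 0 || in.k + 4 > sizeof(SeccompData)) throw std::runtime_error("bad load offset");
            std::memcpy(&acc, reinterpret_cast<const char*>(&d) + in.k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:  // skip jt instructions if A == k, else jf
            pc += (acc == in.k) ? in.jt : in.jf;
            break;
        case BPF_RET | BPF_K: return in.k;  // the seccomp action for this syscall
        default: throw std::runtime_error("opcode not supported by this simulator");
        }
    }
    throw std::runtime_error("program fell off the end");
}
// What the kernel would decide for syscall (arch, nr) under the post's filter.
uint32_t actionFor(uint32_t arch, int32_t nr) {
    SeccompData d{ nr, arch, 0, { 0, 0, 0, 0, 0, 0 } };
    return runFilter(buildFilter(), d);
}
```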
