ekzhang/seccomp.rs

## seccomp.rs
use seccompiler::{
    BpfProgram, SeccompAction, SeccompCmpArgLen, SeccompCmpOp, SeccompCondition, SeccompFilter,
    SeccompRule, TargetArch,
};

fn main() -> anyhow::Result<()> {
    println!("Hello, world!");

    let filter = SeccompFilter::new(
        vec![
            // Needed for rust program execution.
            (libc::SYS_write, vec![]),
            (libc::SYS_sigaltstack, vec![]),
            (libc::SYS_munmap, vec![]),
            (libc::SYS_mmap, vec![]),
            (libc::SYS_exit, vec![]),
            (libc::SYS_exit_group, vec![]),
            // Actual remaining system calls in example filter.
            (libc::SYS_accept4, vec![]),
            (
                libc::SYS_fcntl,
                vec![
                    SeccompRule::new(vec![
                        SeccompCondition::new(
                            1,
                            SeccompCmpArgLen::Dword,
                            SeccompCmpOp::Eq,
                            libc::F_SETFD as u64,
                        )?,
                        SeccompCondition::new(
                            2,
                            SeccompCmpArgLen::Dword,
                            SeccompCmpOp::Eq,
                            libc::FD_CLOEXEC as u64,
                        )?,
                    ])?,
                    SeccompRule::new(vec![SeccompCondition::new(
                        1,
                        SeccompCmpArgLen::Dword,
                        SeccompCmpOp::Eq,
                        libc::F_GETFD as u64,
                    )?])?,
                ],
            ),
        ]
        .into_iter()
        .collect(),
        // mismatch_action
        SeccompAction::KillThread,
        // match_action
        SeccompAction::Allow,
        // target architecture of filter
        TargetArch::x86_64,
    )?;

    let bpf_prog: BpfProgram = filter.try_into()?;

    println!("{bpf_prog:?}");

    println!(
        "Generated seccomp BPF program with {} instructions",
        bpf_prog.len()
    );
    seccompiler::apply_filter_all_threads(&bpf_prog)?;

    println!("Installed seccomp filter!");

    // This fails with "Bad system call (core dumped)"
    // std::fs::write("hello.txt", "Hello, world!")?;

    Ok(())
}
	use seccompiler::{
	BpfProgram, SeccompAction, SeccompCmpArgLen, SeccompCmpOp, SeccompCondition, SeccompFilter,
	SeccompRule, TargetArch,
	};

	fn main() -> anyhow::Result<()> {
	println!("Hello, world!");

	let filter = SeccompFilter::new(
	vec![
	// Needed for rust program execution.
	(libc::SYS_write, vec![]),
	(libc::SYS_sigaltstack, vec![]),
	(libc::SYS_munmap, vec![]),
	(libc::SYS_mmap, vec![]),
	(libc::SYS_exit, vec![]),
	(libc::SYS_exit_group, vec![]),
	// Actual remaining system calls in example filter.
	(libc::SYS_accept4, vec![]),
	(
	libc::SYS_fcntl,
	vec![
	SeccompRule::new(vec![
	SeccompCondition::new(
	1,
	SeccompCmpArgLen::Dword,
	SeccompCmpOp::Eq,
	libc::F_SETFD as u64,
	)?,
	SeccompCondition::new(
	2,
	SeccompCmpArgLen::Dword,
	SeccompCmpOp::Eq,
	libc::FD_CLOEXEC as u64,
	)?,
	])?,
	SeccompRule::new(vec![SeccompCondition::new(
	1,
	SeccompCmpArgLen::Dword,
	SeccompCmpOp::Eq,
	libc::F_GETFD as u64,
	)?])?,
	],
	),
	]
	.into_iter()
	.collect(),
	// mismatch_action
	SeccompAction::KillThread,
	// match_action
	SeccompAction::Allow,
	// target architecture of filter
	TargetArch::x86_64,
	)?;

	let bpf_prog: BpfProgram = filter.try_into()?;

	println!("{bpf_prog:?}");

	println!(
	"Generated seccomp BPF program with {} instructions",
	bpf_prog.len()
	);
	seccompiler::apply_filter_all_threads(&bpf_prog)?;

	println!("Installed seccomp filter!");

	// This fails with "Bad system call (core dumped)"
	// std::fs::write("hello.txt", "Hello, world!")?;

	Ok(())
	}
No results found