eqvinox/no_madv_guard.c

## no_madv_guard.c
// SPDX-License-Identifier: Unlicense
/* compile_command: gcc -Wall -Wextra -shared -O2 -ggdb3 -o no_madv_guard.so no_madv_guard.c */
/* deny madvise(MADV_GUARD_INSTALL) - rr (rr-project.org) does not support it yet */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <linux/audit.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <sys/prctl.h>
#include <sys/mman.h>
#include <stdio.h>
#include <unistd.h>

__attribute__((constructor))
static void init(void)
{
	struct sock_filter filter[] = {
#if 0
		/* should actually work on all architectures */
		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 0, 5),
#endif
		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_madvise, 0, 3),
		BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, args[2]))),
		BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, MADV_GUARD_INSTALL, 0, 1),
		BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO | (EINVAL & SECCOMP_RET_DATA)),
		BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = {
		.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
		.filter = filter,
	};

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		perror("PR_SET_NO_NEW_PRIVS");
		abort();
	}
	if (prctl(PR_SET_SECCOMP, 2, &prog)) {
		perror("PR_SET_SECCOMP");
		abort();
	}
}
	// SPDX-License-Identifier: Unlicense
	/* compile_command: gcc -Wall -Wextra -shared -O2 -ggdb3 -o no_madv_guard.so no_madv_guard.c */
	/* deny madvise(MADV_GUARD_INSTALL) - rr (rr-project.org) does not support it yet */
	#include <errno.h>
	#include <stddef.h>
	#include <stdlib.h>
	#include <linux/audit.h>
	#include <linux/bpf.h>
	#include <linux/filter.h>
	#include <linux/seccomp.h>
	#include <linux/unistd.h>
	#include <sys/prctl.h>
	#include <sys/mman.h>
	#include <stdio.h>
	#include <unistd.h>

	__attribute__((constructor))
	static void init(void)
	{
	struct sock_filter filter[] = {
	#if 0
	/* should actually work on all architectures */
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, arch))),
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, AUDIT_ARCH_X86_64, 0, 5),
	#endif
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, nr))),
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, __NR_madvise, 0, 3),
	BPF_STMT(BPF_LD + BPF_W + BPF_ABS, (offsetof(struct seccomp_data, args[2]))),
	BPF_JUMP(BPF_JMP + BPF_JEQ + BPF_K, MADV_GUARD_INSTALL, 0, 1),
	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ERRNO \| (EINVAL & SECCOMP_RET_DATA)),
	BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = {
	.len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
	.filter = filter,
	};

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
	perror("PR_SET_NO_NEW_PRIVS");
	abort();
	}
	if (prctl(PR_SET_SECCOMP, 2, &prog)) {
	perror("PR_SET_SECCOMP");
	abort();
	}
	}
No results found