author | Andy Lutomirski <luto@amacapital.net> | 2014-07-03 12:11:26 -0700 |
---|---|---|
committer | Andy Lutomirski <luto@amacapital.net> | 2014-07-03 12:11:26 -0700 |
commit | aff7a91f46cfb8d30e70f2cfc52bb9f951ea4db1 (patch) | |
tree | 79785e85cc64aaddb864eff4937481f6bba0c6a4 | |
parent | a61316774888573d5f3127966c26063512462d72 (diff) | |
download | misc-tests-aff7a91f46cfb8d30e70f2cfc52bb9f951ea4db1.tar.gz |
Add null_seccomp
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | null_seccomp.c | 33 |
2 files changed, 34 insertions, 1 deletions
@@ -1,6 +1,6 @@
 .PHONY: all clean
-SIMPLE_C_TARGETS := dump-vdso dump-vvar dump-vsyscall context_switch_latency kernel_pf user_visible_state
+SIMPLE_C_TARGETS := dump-vdso dump-vvar dump-vsyscall context_switch_latency kernel_pf user_visible_state null_seccomp
 SIMPLE_CC_TARGETS := evil-clock-test
diff --git a/null_seccomp.c b/null_seccomp.c
new file mode 100644
index 0000000..752c73d
--- /dev/null
+++ b/null_seccomp.c
@@ -0,0 +1,33 @@
+#include <unistd.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/syscall.h>
+#include <err.h>
+#include <sys/prctl.h>
+#include <stddef.h>
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ struct sock_filter filter[] = {
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ };
+
+ struct sock_fprog prog = {
+ .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
+ .filter = filter,
+ };
+
+ if (argc < 2) {
+ printf("Usage: null_seccomp PATH ARGS...\n");
+ return 1;
+ }
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ err(1, "PR_SET_NO_NEW_PRIVS");
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
+ err(1, "PR_SET_SECCOMP");
+
+ execv(argv[1], argv + 1);
+ err(1, argv[1]);
+} |
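Review bot: The last statement of `main` in null_seccomp.c, `err(1, argv[1]);`, passes the caller-supplied path as the format string, so a path containing `%` is parsed as conversion specifiers when `execv` fails. Use `err(1, "%s", argv[1]);`, which also keeps the build clean under `-Wformat-security`. The filter is a single `BPF_RET` of `SECCOMP_RET_ALLOW`, so the program confines nothing. A comment above `filter[]` such as `/* Allow-all filter: enables seccomp filtering without restricting any syscall. */` would stop a reader from mistaking it for a sandbox. The usage message would be better sent to stderr.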