authorAndy Lutomirski <luto@amacapital.net>2014-07-03 12:11:26 -0700
committerAndy Lutomirski <luto@amacapital.net>2014-07-03 12:11:26 -0700
commitaff7a91f46cfb8d30e70f2cfc52bb9f951ea4db1 (patch)
tree79785e85cc64aaddb864eff4937481f6bba0c6a4
parenta61316774888573d5f3127966c26063512462d72 (diff)
Add null_seccomp
-rw-r--r--Makefile2
-rw-r--r--null_seccomp.c33
2 files changed, 34 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index 868e089..70cd876 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
.PHONY: all clean
-SIMPLE_C_TARGETS := dump-vdso dump-vvar dump-vsyscall context_switch_latency kernel_pf user_visible_state
+SIMPLE_C_TARGETS := dump-vdso dump-vvar dump-vsyscall context_switch_latency kernel_pf user_visible_state null_seccomp
SIMPLE_CC_TARGETS := evil-clock-test
diff --git a/null_seccomp.c b/null_seccomp.c
new file mode 100644
index 0000000..752c73d
--- /dev/null
+++ b/null_seccomp.c
@@ -0,0 +1,33 @@
+#include <unistd.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/syscall.h>
+#include <err.h>
+#include <sys/prctl.h>
+#include <stddef.h>
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+ struct sock_filter filter[] = {
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
+ };
+
+ struct sock_fprog prog = {
+ .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
+ .filter = filter,
+ };
+
+ if (argc < 2) {
+ printf("Usage: null_seccomp PATH ARGS...\n");
+ return 1;
+ }
+
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
+ err(1, "PR_SET_NO_NEW_PRIVS");
+ if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
+ err(1, "PR_SET_SECCOMP");
+
+ execv(argv[1], argv + 1);
+ err(1, argv[1]);
+}
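Review bot: The final `err(1, argv[1]);` passes the command-line path to err() as its format string, so any `%` conversion in the path is interpreted instead of printed; it should be `err(1, "%s", argv[1]);`. The installed filter is a single `SECCOMP_RET_ALLOW` return, so the exec'd program is not restricted at all. A one-line comment at the top of the file, such as `/* Runs PATH under an allow-all seccomp filter; this is not a sandbox. */`, would keep the tool from being mistaken for a confinement wrapper. `PR_SET_NO_NEW_PRIVS` remains set across the execv, so a set-uid target will run without gaining privileges, which is worth stating in the usage message.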