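/*
 * Seccomp BPF example using a macro-based generator.
 *
 * Copyright (c) 2012 The Chromium OS Authors
 * Author: Will Drewry
 *
 * The code may be used by anyone for any purpose,
 * and can serve as a starting point for developing
 * applications using prctl(PR_ATTACH_SECCOMP_FILTER).
 */

#include <linux/filter.h>	/* struct sock_filter, struct sock_fprog */
#include <linux/seccomp.h>	/* SECCOMP_MODE_FILTER */
#include <linux/unistd.h>	/* __NR_* syscall numbers */
#include <stdio.h>		/* perror, fprintf */
#include <string.h>		/* strlen */
#include <sys/prctl.h>		/* prctl, PR_SET_SECCOMP */
#include <unistd.h>		/* syscall, STD*_FILENO, ssize_t */

#include "bpf-helper.h"

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif

/*
 * Install a seccomp filter that only lets this process exit, read into
 * `buf` from stdin, and write one of three known buffers to stdout or
 * stderr, then exercise it: prompt, read a line, echo it, and finally
 * issue a write the filter rejects.
 *
 * The filter is installed with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
 * ...); the PR_ATTACH_SECCOMP_FILTER name in the file header is not used
 * by the code.
 *
 * Security notes for anyone adapting this sample:
 *  - The filter never inspects the architecture field of the seccomp
 *    data (see the TODO below).  Syscall numbers are per-ABI, so a
 *    production filter should first check the arch and reject anything
 *    that is not the ABI the numbers were compiled for.
 *  - Pointer arguments are matched by address only.  The filter proves
 *    that the call targets `buf`, `msg1` or `msg2`; it says nothing about
 *    what those buffers contain.
 *
 * Returns 1 if the filter could not be built or installed.  The final
 * write is expected to trip DENY, so `return 0` is normally not reached.
 */
int main(int argc, char **argv)
{
	struct bpf_labels l = {
		.count = 0,
	};
	static const char msg1[] = "Please type something: ";
	static const char msg2[] = "You typed: ";
	char buf[256];
	struct sock_filter filter[] = {
		/* TODO: LOAD_SYSCALL_NR(arch) and enforce an arch */
		LOAD_SYSCALL_NR,
		SYSCALL(__NR_exit, ALLOW),
		SYSCALL(__NR_exit_group, ALLOW),
		SYSCALL(__NR_write, JUMP(&l, write_fd)),
		SYSCALL(__NR_read, JUMP(&l, read)),
		DENY,  /* Don't passthrough into a label */

		/* read(): only stdin, only into buf, only fewer than sizeof(buf) bytes. */
		LABEL(&l, read),
		ARG(0),
		JNE(STDIN_FILENO, DENY),
		ARG(1),
		JNE((unsigned long)buf, DENY),
		ARG(2),
		JGE(sizeof(buf), DENY),
		ALLOW,

		/* write(): the descriptor must be stdout or stderr. */
		LABEL(&l, write_fd),
		ARG(0),
		JEQ(STDOUT_FILENO, JUMP(&l, write_buf)),
		JEQ(STDERR_FILENO, JUMP(&l, write_buf)),
		DENY,

		/* write(): the source must be one of the three known buffers. */
		LABEL(&l, write_buf),
		ARG(1),
		JEQ((unsigned long)msg1, JUMP(&l, msg1_len)),
		JEQ((unsigned long)msg2, JUMP(&l, msg2_len)),
		JEQ((unsigned long)buf, JUMP(&l, buf_len)),
		DENY,

		/* write(): the length must stay below the size of that buffer. */
		LABEL(&l, msg1_len),
		ARG(2),
		JLT(sizeof(msg1), ALLOW),
		DENY,

		LABEL(&l, msg2_len),
		ARG(2),
		JLT(sizeof(msg2), ALLOW),
		DENY,

		LABEL(&l, buf_len),
		ARG(2),
		JLT(sizeof(buf), ALLOW),
		DENY,
	};
	/* One instruction count, used for both label resolution and the program. */
	const size_t filter_len = sizeof(filter) / sizeof(filter[0]);
	struct sock_fprog prog = {
		.filter = filter,
		.len = (unsigned short)filter_len,
	};
	ssize_t bytes;

	(void)argc;
	(void)argv;

	/*
	 * Turn the symbolic JUMP()/LABEL() entries into real offsets, in place.
	 * Never install a filter whose jumps were not resolved: its control
	 * flow would not be the policy written above.
	 * NOTE(review): bpf_resolve_jumps() is declared in bpf-helper.h, which
	 * is not shown here; this assumes it returns non-zero on failure, as
	 * the kernel's samples/seccomp helper does. Confirm against the header
	 * in use.
	 */
	if (bpf_resolve_jumps(&l, filter, filter_len)) {
		fprintf(stderr, "bpf_resolve_jumps: unable to resolve filter labels\n");
		return 1;
	}

	/*
	 * no_new_privs must be set before an unprivileged process may attach
	 * a filter; it also stops later execve() calls from gaining privileges.
	 */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		perror("prctl(NO_NEW_PRIVS)");
		return 1;
	}

	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
		perror("prctl(SECCOMP)");
		return 1;
	}

	/*
	 * From here on every syscall is filtered.  Raw syscall() is used so
	 * that the syscall number and arguments are exactly the ones the
	 * filter was written against.
	 */
	syscall(__NR_write, STDOUT_FILENO, msg1, strlen(msg1));
	bytes = syscall(__NR_read, STDIN_FILENO, buf, sizeof(buf)-1);
	/* A failed read returns a negative value; never pass that on as a length. */
	bytes = (bytes > 0 ? bytes : 0);
	syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2));
	syscall(__NR_write, STDERR_FILENO, buf, bytes);
	/*
	 * Now get killed: strlen(msg2)+2 is not below sizeof(msg2), so the
	 * msg2_len check falls through to DENY.
	 */
	syscall(__NR_write, STDERR_FILENO, msg2, strlen(msg2)+2);
	return 0;
}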
authorMauro Carvalho Chehab <mchehab@s-opensource.com>2016-12-15 08:38:35 -0200
committerMauro Carvalho Chehab <mchehab@s-opensource.com>2016-12-15 08:38:35 -0200
commit65390ea01ce678379da32b01f39fcfac4903f256 (patch)
tree7f849d66121533c331cf61136b124218d87cbf86 /net/dccp
parente7aa8c2eb11ba69b1b69099c3c7bd6be3087b0ba (diff)
parentd183e4efcae8d88a2f252e546978658ca6d273cc (diff)
Merge branch 'patchwork' into v4l_for_linus
* patchwork: (496 commits) [media] v4l: tvp5150: Add missing break in set control handler [media] v4l: tvp5150: Don't inline the tvp5150_selmux() function [media] v4l: tvp5150: Compile tvp5150_link_setup out if !CONFIG_MEDIA_CONTROLLER [media] em28xx: don't store usb_device at struct em28xx [media] em28xx: use usb_interface for dev_foo() calls [media] em28xx: don't change the device's name [media] mn88472: fix chip id check on probe [media] mn88473: fix chip id check on probe [media] lirc: fix error paths in lirc_cdev_add() [media] s5p-mfc: Add support for MFC v8 available in Exynos 5433 SoCs [media] s5p-mfc: Rework clock handling [media] s5p-mfc: Don't keep clock prepared all the time [media] s5p-mfc: Kill all IS_ERR_OR_NULL in clocks management code [media] s5p-mfc: Remove dead conditional code [media] s5p-mfc: Ensure that clock is disabled before turning power off [media] s5p-mfc: Remove special clock rate management [media] s5p-mfc: Use printk_ratelimited for reporting ioctl errors [media] s5p-mfc: Set DMA_ATTR_ALLOC_SINGLE_PAGES [media] vivid: Set color_enc on HSV formats [media] v4l2-tpg: Init hv_enc field with a valid value ...
Diffstat (limited to 'net/dccp')