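/*
 * Naive system call dropper built on seccomp_filter.
 *
 * Copyright (c) 2012 The Chromium OS Authors
 * Author: Will Drewry
 *
 * The code may be used by anyone for any purpose,
 * and can serve as a starting point for developing
 * applications using prctl(PR_SET_SECCOMP, 2, ...).
 *
 * When run, returns the specified errno for the specified
 * system call number against the given architecture.
 *
 */

#include <errno.h>
#include <limits.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/unistd.h>
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <unistd.h>

/*
 * Parse one command-line argument as an integer written in C literal
 * syntax (base chosen by strtoll(): decimal, 0x-prefixed hex, 0-prefixed
 * octal).
 *
 * All three numeric arguments of this program end up as 32-bit BPF
 * immediates (struct sock_filter .k), so anything that fits in 32 bits,
 * signed or unsigned, is accepted -- AUDIT_ARCH_X86_64 for instance lies
 * above INT_MAX.  An empty string, trailing garbage, or a value outside
 * [INT_MIN, UINT_MAX] is rejected instead of being silently truncated the
 * way a bare strtol()->int conversion would do.
 *
 * Returns 0 and stores the value in *out on success, -1 on bad input
 * (*out is left untouched in that case).
 */
static int parse_arg(const char *s, int *out)
{
	char *end = NULL;
	long long v;

	if (s == NULL || *s == '\0')
		return -1;
	errno = 0;
	v = strtoll(s, &end, 0);
	if (errno == ERANGE || end == s || *end != '\0')
		return -1;
	if (v < INT_MIN || v > (long long)UINT_MAX)
		return -1;
	/*
	 * Values in (INT_MAX, UINT_MAX] are kept bit-for-bit: the
	 * unsigned->int step is implementation-defined (modular on GCC and
	 * Clang) and the filter loader reads the field back as __u32.
	 */
	*out = (int)(unsigned int)v;
	return 0;
}

/*
 * Install a seccomp-BPF filter that makes system call @nr, when issued
 * under architecture @arch (an AUDIT_ARCH_* value), fail with errno
 * @error.  Every other system call is allowed.
 *
 * Filter layout (index: instruction):
 *   0: A = seccomp_data.arch
 *   1: if (A != arch) goto 5
 *   2: A = seccomp_data.nr
 *   3: if (A != nr)   goto 5
 *   4: return SECCOMP_RET_ERRNO | error
 *   5: return SECCOMP_RET_ALLOW
 *
 * Note that a non-matching architecture falls through to ALLOW at index 5.
 * That is what makes this dropper "naive": a filter meant as a security
 * boundary should normally reject (SECCOMP_RET_KILL or at least
 * SECCOMP_RET_ERRNO) when seccomp_data.arch is not the architecture the
 * syscall numbers were written for, otherwise a compat entry path is not
 * checked at all.
 *
 * Only the SECCOMP_RET_DATA bits of @error (its low 16 bits) travel in the
 * return value, so larger errno values are truncated.
 *
 * PR_SET_NO_NEW_PRIVS is what lets an unprivileged process install a
 * filter, and it also stops the exec'd program from gaining privilege
 * through setuid/setgid bits or file capabilities.
 *
 * Returns 0 on success, 1 (with the failing prctl() reported via perror)
 * otherwise.
 */
static int install_filter(int nr, int arch, int error)
{
	struct sock_filter filter[] = {
		/* 0 */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
				 (offsetof(struct seccomp_data, arch))),
		/* 1 */ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, arch, 0, 3),
		/* 2 */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
				 (offsetof(struct seccomp_data, nr))),
		/* 3 */ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1),
		/* 4 */ BPF_STMT(BPF_RET+BPF_K,
				 SECCOMP_RET_ERRNO|(error & SECCOMP_RET_DATA)),
		/* 5 */ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
	};
	struct sock_fprog prog = {
		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
		.filter = filter,
	};

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		perror("prctl(NO_NEW_PRIVS)");
		return 1;
	}
	/* SECCOMP_MODE_FILTER is the "2" from the header comment. */
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
		perror("prctl(PR_SET_SECCOMP)");
		return 1;
	}
	return 0;
}

/*
 * dropper <syscall_nr> <arch> <errno> <prog> [<args>...]
 *
 * Installs the filter described by the first three arguments in this
 * process, then replaces it with <prog>; the filter is inherited across
 * execve() and by any children.  Exit status: 1 for usage or filter
 * errors, 255 if execv() itself fails (the filter stays armed in that
 * case, which is why the failure is only reported, not worked around).
 */
int main(int argc, char **argv)
{
	int nr, arch, error;

	if (argc < 5) {
		fprintf(stderr, "Usage:\n"
			"dropper <syscall_nr> <arch> <errno> <prog> [<args>]\n"
			"Hint:   AUDIT_ARCH_I386: 0x%X\n"
			"        AUDIT_ARCH_X86_64: 0x%X\n"
			"\n", AUDIT_ARCH_I386, AUDIT_ARCH_X86_64);
		return 1;
	}
	/* Reject malformed numbers instead of installing a filter for 0. */
	if (parse_arg(argv[1], &nr) || parse_arg(argv[2], &arch) ||
	    parse_arg(argv[3], &error)) {
		fprintf(stderr, "dropper: syscall_nr, arch and errno must be "
			"32-bit integers (decimal, 0x hex or 0 octal)\n");
		return 1;
	}
	if (install_filter(nr, arch, error))
		return 1;
	execv(argv[4], &argv[4]);
	/* Only reached on failure; report errno on stderr, not stdout. */
	perror("Failed to execv");
	return 255;
}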