Created
January 14, 2019 18:41
-
-
Save randombit/5d8c9d78bd58027a01f5f4574dca35f5 to your computer and use it in GitHub Desktop.
Apply seccomp filters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void apply_simple_seccomp_filter(const std::vector<std::string>& allowed_syscalls) | |
| { | |
| //scmp_filter_ctx seccomp_ctx = ::seccomp_init(SCMP_ACT_ERRNO(EPERM)); | |
| scmp_filter_ctx seccomp_ctx = ::seccomp_init(SCMP_ACT_TRAP); | |
| if(seccomp_ctx == NULL) | |
| throw std::runtime_error("seccomp_init failed"); | |
| for(std::string syscall : allowed_syscalls) | |
| { | |
| int syscall_num = ::seccomp_syscall_resolve_name(syscall.c_str()); | |
| /* | |
| ignore unknown syscalls since this is a whitelist, if the syscall is not | |
| available on this system presumably we will not be calling it | |
| */ | |
| if(syscall_num >= 0) | |
| { | |
| int rc = ::seccomp_rule_add(seccomp_ctx, SCMP_ACT_ALLOW, syscall_num, 0); | |
| if(rc < 0) | |
| throw std::runtime_error("seccomp_rule_add for " + syscall + " failed: " + strerror(-rc)); | |
| } | |
| } | |
| // apply the filter | |
| int rc = ::seccomp_load(seccomp_ctx); | |
| if(rc < 0) | |
| throw std::runtime_error(std::string("seccomp_load failed: ") + strerror(-rc)); | |
| ::seccomp_release(seccomp_ctx); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment