本文整理汇总了C++中SCMP_SYS函数的典型用法代码示例。如果您正苦于以下问题:C++ SCMP_SYS函数的具体用法?C++ SCMP_SYS怎么用?C++ SCMP_SYS使用的例子?那么, 这里精选的函数代码示例或许可以为您提供帮助。
示例1: sb_rename
/**
 * Add the rename(2) rules to the sandbox filter.
 *
 * One ALLOW rule is added per dynamic parameter in @a filter that is marked
 * protected (prot == 1) and bound to rename; the rule matches the source
 * path (arg 0) against param->value and the destination path (arg 1)
 * against param->value2.  No rule is added for rename calls that do not
 * match a registered pair.
 *
 * Returns 0 on success, or the libseccomp error code of the first rule
 * that could not be added (after logging it).
 */
static int
sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  sandbox_cfg_t *cfg = filter;

  while (cfg != NULL) {
    smp_param_t *p = cfg->param;
    cfg = cfg->next;

    /* Only protected parameters registered for rename apply here. */
    if (p == NULL || p->prot != 1 || p->syscall != SCMP_SYS(rename))
      continue;

    int rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename),
                                SCMP_CMP_STR(0, SCMP_CMP_EQ, p->value),
                                SCMP_CMP_STR(1, SCMP_CMP_EQ, p->value2));
    if (rc != 0) {
      log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received "
          "libseccomp error %d", rc);
      return rc;
    }
  }

  return 0;
}
示例2: sb_fcntl64
/**
 * Add the fcntl64(2) rules to the sandbox filter.
 *
 * Exactly four argument shapes are admitted by this function:
 *   - cmd == F_GETFL;
 *   - cmd == F_SETFL with arg == O_RDWR|O_NONBLOCK (exact match);
 *   - cmd == F_GETFD;
 *   - cmd == F_SETFD with arg == FD_CLOEXEC (exact match).
 * Other commands or flag combinations are not admitted here.
 *
 * @a filter is unused; fcntl64 has no dynamic parameters.
 * Returns 0 on success or the first non-zero libseccomp error code.
 */
static int
sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  (void) filter;

  if ((rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
                               SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL))) != 0)
    return rc;

  if ((rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
                               SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL),
                               SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK))) != 0)
    return rc;

  if ((rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
                               SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD))) != 0)
    return rc;

  if ((rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64),
                               SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD),
                               SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC))) != 0)
    return rc;

  return 0;
}
示例3: sb_openat
/**
 * Add the openat(2) rules to the sandbox filter.
 *
 * One ALLOW rule is added per dynamic parameter in @a filter that is marked
 * protected (prot == 1) and bound to openat.  Each rule requires dirfd ==
 * AT_FDCWD, the path (arg 1) equal to param->value, and the flags (arg 2)
 * exactly O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC, i.e. a
 * read-only directory open relative to the working directory.
 *
 * Returns 0 on success, or the libseccomp error code of the first rule
 * that could not be added (after logging it).
 */
static int
sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  /* The only flag combination admitted for a listed path. */
  enum { OPENAT_DIR_FLAGS =
           O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC };
  sandbox_cfg_t *cfg;

  for (cfg = filter; cfg != NULL; cfg = cfg->next) {
    smp_param_t *p = cfg->param;
    int rc;

    if (p == NULL || p->prot != 1 || p->syscall != SCMP_SYS(openat))
      continue;

    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat),
                            SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
                            SCMP_CMP_STR(1, SCMP_CMP_EQ, p->value),
                            SCMP_CMP(2, SCMP_CMP_EQ, OPENAT_DIR_FLAGS));
    if (rc != 0) {
      log_err(LD_BUG,"(Sandbox) failed to add openat syscall, received "
          "libseccomp error %d", rc);
      return rc;
    }
  }

  return 0;
}
示例4: seccomp_add_default_syscall_filter
/*
 * Deny a fixed set of privileged syscalls unless the capability that makes
 * each of them legitimate is being retained.
 *
 * cap_list_retain is a bit mask indexed by capability number; for every
 * table entry whose capability bit is clear, an ERRNO(EPERM) rule is added
 * for the corresponding syscall.  A syscall libseccomp reports as unknown
 * (-EFAULT) is skipped rather than treated as an error.
 *
 * Returns 0 on success or the negative error from seccomp_rule_add, after
 * logging it.
 */
static int seccomp_add_default_syscall_filter(scmp_filter_ctx ctx,
                                              uint64_t cap_list_retain) {
        /* Each syscall is paired with the capability that would make it
         * acceptable; it is denied only when that capability is dropped. */
        static const struct {
                uint64_t capability;
                int syscall_num;
        } denylist[] = {
                { CAP_SYS_RAWIO,  SCMP_SYS(iopl)              },
                { CAP_SYS_RAWIO,  SCMP_SYS(ioperm)            },
                { CAP_SYS_BOOT,   SCMP_SYS(kexec_load)        },
                { CAP_SYS_ADMIN,  SCMP_SYS(swapon)            },
                { CAP_SYS_ADMIN,  SCMP_SYS(swapoff)           },
                { CAP_SYS_ADMIN,  SCMP_SYS(open_by_handle_at) },
                { CAP_SYS_MODULE, SCMP_SYS(init_module)       },
                { CAP_SYS_MODULE, SCMP_SYS(finit_module)      },
                { CAP_SYS_MODULE, SCMP_SYS(delete_module)     },
                { CAP_SYSLOG,     SCMP_SYS(syslog)            },
        };
        const size_t count = sizeof(denylist) / sizeof(denylist[0]);

        for (size_t k = 0; k < count; k++) {
                const uint64_t cap_bit = 1ULL << denylist[k].capability;
                int r;

                if (cap_list_retain & cap_bit)
                        continue;

                r = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM),
                                     denylist[k].syscall_num, 0);
                if (r == -EFAULT)
                        continue; /* unknown syscall */
                if (r < 0) {
                        log_error_errno(r, "Failed to block syscall: %m");
                        return r;
                }
        }

        return 0;
}
示例5: sb_futex
/**
 * Add the futex(2) rules to the sandbox filter.
 *
 * The op argument (arg 1) is admitted for exactly three values, in this
 * order: FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, FUTEX_WAKE_PRIVATE
 * and FUTEX_WAIT_PRIVATE.  The remaining arguments are unconstrained.
 *
 * @a filter is unused; futex has no dynamic parameters.
 * Returns 0 on success or the first non-zero libseccomp error code.
 */
static int
sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const int allowed_ops[] = {
    FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME,
    FUTEX_WAKE_PRIVATE,
    FUTEX_WAIT_PRIVATE,
  };
  size_t i;
  (void) filter;

  for (i = 0; i < sizeof(allowed_ops) / sizeof(allowed_ops[0]); ++i) {
    int rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex),
                                SCMP_CMP(1, SCMP_CMP_EQ, allowed_ops[i]));
    if (rc)
      return rc;
  }

  return 0;
}
示例6: sb_setsockopt
/**
 * Add the setsockopt(2) rules to the sandbox filter.
 *
 * Two argument shapes are admitted: level SOL_SOCKET with option
 * SO_REUSEADDR, and, where the platform defines it, level SOL_IP with option
 * IP_TRANSPARENT.  On i386 an unfiltered rule (no argument comparisons) is
 * added first; it admits every setsockopt call regardless of arguments, so
 * the argument-specific rules add no further restriction on that
 * architecture.
 *
 * @a filter is unused.  Returns 0 on success or the first non-zero
 * libseccomp error code.
 */
static int
sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  (void) filter;

#ifdef __i386__
  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
  if (rc != 0)
    return rc;
#endif

  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
                        SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET),
                        SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR));
  if (rc != 0)
    return rc;

#ifdef IP_TRANSPARENT
  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
                        SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
                        SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
  if (rc != 0)
    return rc;
#endif

  return 0;
}
示例7: sb_open
/**
 * Add the open(2) rules to the sandbox filter.
 *
 * One ALLOW rule is added per dynamic parameter in @a filter that is marked
 * protected (prot == 1) and bound to open, matching the path argument
 * against param->value.  A final rule returns EACCES for read-only opens
 * (flags equal to O_RDONLY once O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW are
 * masked off); it is intended to make an open of an unlisted path fail with
 * an error rather than reach the filter's default action.  Opens with other
 * flag combinations are not covered by this function.
 *
 * Returns 0 on success, or the libseccomp error code of the first rule
 * that could not be added (after logging it).
 */
static int
sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  sandbox_cfg_t *cfg;
  int rc;

  for (cfg = filter; cfg != NULL; cfg = cfg->next) {
    smp_param_t *p = cfg->param;

    if (p == NULL || p->prot != 1 || p->syscall != SCMP_SYS(open))
      continue;

    rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open),
                            SCMP_CMP_STR(0, SCMP_CMP_EQ, p->value));
    if (rc != 0) {
      log_err(LD_BUG,"(Sandbox) failed to add open syscall, received "
          "libseccomp error %d", rc);
      return rc;
    }
  }

  /* Read-only opens that matched no path above: refuse with EACCES. */
  rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open),
                          SCMP_CMP_MASKED(1,
                              O_CLOEXEC|O_NONBLOCK|O_NOCTTY|O_NOFOLLOW,
                              O_RDONLY));
  if (rc != 0) {
    log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp "
        "error %d", rc);
    return rc;
  }

  return 0;
}
示例8: main
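/*
 * Entry point of a seccomp-confined code loader.
 *
 * Builds a kill-by-default filter that admits only write(2) and access(2),
 * stages a fixed marker plus the contents of ./.passwd in an anonymous page,
 * reads a code buffer from stdin, installs the filter and only then jumps
 * into that buffer.  Because the filter is loaded before the indirect call,
 * any other syscall issued by the loaded bytes terminates the process.
 *
 * Returns 0 if the loaded code returns normally, -1 on any setup failure
 * (a diagnostic is printed to stderr first).  If the filter cannot be
 * loaded, the stdin bytes are never executed.
 */
int main(void)
{
    char *addr;
    int fd;
    int ret;
    char buf[20] = {0};   /* contents of ./.passwd; stays zero-filled on a short read */
    char sc[128] = {0};   /* bytes read from stdin that will be executed */
    scmp_filter_ctx ctx;

    ctx = seccomp_init(SCMP_ACT_KILL);
    if (!ctx) {
        perror("seccomp_init");
        return -1;
    }
    ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    if (ret) {
        perror("add rule");
        return -1;
    }
    ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0);
    if (ret) {
        perror("add rule");
        return -1;
    }

    fd = open("./.passwd", O_RDONLY);
    if (fd == -1) {
        perror("open");
        return -1;
    }
    /* A short read leaves the tail of buf zeroed; a failed read is fatal. */
    if (read(fd, buf, sizeof buf) < 0) {
        perror("read");
        close(fd);
        return -1;
    }
    close(fd);  /* not needed any more; do not leave it open for the confined code */

    addr = mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
    if (addr == MAP_FAILED) {
        perror("mmap");
        return -1;
    }
    memset(addr, 0, 4096);
    memcpy(addr, "MCSC", 4);
    memcpy(addr + 4, "2014", 4);
    memcpy(addr + 8, buf, sizeof buf);

    printf("put you shellcode here : ");
    fflush(stdout);
    ssize_t rc = read(0, sc, sizeof sc);
    /* rc == 0 (EOF) or rc < 0 would otherwise index sc[-1] / sc[-2]. */
    if (rc <= 0) {
        fputs("no input\n", stderr);
        return -1;
    }
    sc[rc - 1] = 0;  /* drop the last byte read, assumed to be the trailing newline */

    /* Install the filter before transferring control: if loading fails, the
     * untrusted bytes must not run unconfined. */
    ret = seccomp_load(ctx);
    if (ret) {
        fprintf(stderr, "seccomp_load: %s\n", strerror(-ret));
        return -1;
    }
    /* Jumping into a stack buffer requires an executable stack, which the
     * build has to arrange; that is outside this function. */
    ((void (*)(void))sc)();
    return 0;
}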
示例9: main
/*
 * Build a kill-by-default filter for the three x86 ABIs (x86, x86_64, x32)
 * rather than the native one only, allow five socket-related syscalls with
 * no argument restrictions, and hand the filter to util_filter_output.
 *
 * Returns 0 on success, ENOMEM if the filter context cannot be created,
 * otherwise the absolute value of the first failing call's error code.
 */
int main(int argc, char *argv[])
{
	static const uint32_t arches[] = {
		SCMP_ARCH_X86, SCMP_ARCH_X86_64, SCMP_ARCH_X32,
	};
	static const int allowed[] = {
		SCMP_SYS(socket), SCMP_SYS(connect), SCMP_SYS(accept),
		SCMP_SYS(accept4), SCMP_SYS(shutdown),
	};
	int rc;
	size_t i;
	struct util_options opts;
	scmp_filter_ctx ctx = NULL;

	rc = util_getopt(argc, argv, &opts);
	if (rc < 0)
		goto out; /* ctx is still NULL here */

	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		return ENOMEM;

	/* Replace the native architecture with an explicit x86 ABI set. */
	rc = seccomp_arch_remove(ctx, SCMP_ARCH_NATIVE);
	if (rc != 0)
		goto out;
	for (i = 0; i < sizeof(arches) / sizeof(arches[0]); i++) {
		rc = seccomp_arch_add(ctx, arches[i]);
		if (rc != 0)
			goto out;
	}

	for (i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++) {
		rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, allowed[i], 0);
		if (rc != 0)
			goto out;
	}

	rc = util_filter_output(&opts, ctx);

out:
	seccomp_release(ctx);
	return (rc < 0 ? -rc : rc);
}
示例10: setup
/*
 * Attach the optional block device backing file (the file-scope `diskfile`)
 * to the tender: open it read/write, measure its capacity, publish the
 * device in spt->bi->blocki and add seccomp rules so the guest can only
 * issue single-block pread64/pwrite64 calls on that descriptor within the
 * measured capacity.
 *
 * Returns 0 (also when no disk is configured); every failure terminates the
 * process through err()/errx().
 */
static int setup(struct spt *spt)
{
    if (diskfile == NULL)
        return 0; /* no backing file configured: no block device */

    diskfd = open(diskfile, O_RDWR);
    if (diskfd == -1)
        err(1, "Could not open disk: %s", diskfile);

    const off_t capacity = lseek(diskfd, 0, SEEK_END);
    if (capacity == -1)
        err(1, "%s: Could not determine capacity", diskfile);
    if (capacity < 512)
        errx(1, "%s: Backing storage must be at least 1 block (512 bytes) "
                "in size", diskfile);

    spt->bi->blocki.present = 1;
    spt->bi->blocki.block_size = 512;
    spt->bi->blocki.capacity = capacity;
    spt->bi->blocki.hostfd = diskfd;

    /*
     * Every pread64/pwrite64 on diskfd is pinned to exactly one block
     * (arg 2 == block_size) at an offset no greater than
     * capacity - block_size (arg 3).  Together these keep each access inside
     * the capacity measured above, so a regular-file backing store cannot be
     * grown by the guest.  Offsets are not required to be block-aligned by
     * these rules; an unaligned single-block access still stays in bounds.
     */
    const uint64_t max_offset =
        (uint64_t)(spt->bi->blocki.capacity - spt->bi->blocki.block_size);

    int rc = seccomp_rule_add(spt->sc_ctx, SCMP_ACT_ALLOW, SCMP_SYS(pread64), 3,
            SCMP_A0(SCMP_CMP_EQ, diskfd),
            SCMP_A2(SCMP_CMP_EQ, spt->bi->blocki.block_size),
            SCMP_A3(SCMP_CMP_LE, max_offset));
    if (rc != 0)
        errx(1, "seccomp_rule_add(pread64, fd=%d) failed: %s", diskfd,
                strerror(-rc));

    rc = seccomp_rule_add(spt->sc_ctx, SCMP_ACT_ALLOW, SCMP_SYS(pwrite64), 3,
            SCMP_A0(SCMP_CMP_EQ, diskfd),
            SCMP_A2(SCMP_CMP_EQ, spt->bi->blocki.block_size),
            SCMP_A3(SCMP_CMP_LE, max_offset));
    if (rc != 0)
        errx(1, "seccomp_rule_add(pwrite64, fd=%d) failed: %s", diskfd,
                strerror(-rc));

    return 0;
}
示例11: sb_time
/**
 * Add the time(2) rule to the sandbox filter: only calls whose first
 * argument (the tloc pointer) is 0 are admitted.
 *
 * @a filter is unused.  Returns the libseccomp result of adding the rule
 * (0 on success).
 */
static int
sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  (void) filter;

  rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), 1,
                        SCMP_CMP(0, SCMP_CMP_EQ, 0));
  return rc;
}
示例12: sb_socket
/**
 * Add the socket(2) rules to the sandbox filter.
 *
 * Admitted (domain, type, protocol) combinations, where "masked" means
 * SOCK_CLOEXEC and SOCK_NONBLOCK are ignored when comparing the type:
 *   - PF_FILE, SOCK_STREAM (masked), protocol unconstrained;
 *   - PF_INET6 then PF_INET, SOCK_STREAM (masked), IPPROTO_TCP;
 *   - PF_INET6 then PF_INET, SOCK_DGRAM (masked), IPPROTO_IP;
 *   - PF_NETLINK, SOCK_RAW (exact), protocol 0.
 * On i386 an unfiltered socket rule is added first, which admits every
 * socket call regardless of its arguments.
 *
 * @a filter is unused.  Returns 0 on success or the first non-zero
 * libseccomp error code.
 */
static int
sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const int inet_families[] = { PF_INET6, PF_INET };
  int rc;
  size_t i;
  (void) filter;

#ifdef __i386__
  rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket));
  if (rc != 0)
    return rc;
#endif

  rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
                          SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE),
                          SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK,
                                          SOCK_STREAM));
  if (rc != 0)
    return rc;

  for (i = 0; i < sizeof(inet_families) / sizeof(inet_families[0]); ++i) {
    const int family = inet_families[i];

    /* TCP stream sockets. */
    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
                            SCMP_CMP(0, SCMP_CMP_EQ, family),
                            SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK,
                                            SOCK_STREAM),
                            SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP));
    if (rc != 0)
      return rc;

    /* Datagram sockets with the default protocol. */
    rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
                            SCMP_CMP(0, SCMP_CMP_EQ, family),
                            SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK,
                                            SOCK_DGRAM),
                            SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP));
    if (rc != 0)
      return rc;
  }

  rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
                          SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
                          SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW),
                          SCMP_CMP(2, SCMP_CMP_EQ, 0));
  if (rc != 0)
    return rc;

  return 0;
}
示例13: sb_mprotect
/**
 * Add the mprotect(2) rules to the sandbox filter.
 *
 * Only two values of the prot argument (arg 2) are admitted: PROT_READ and
 * PROT_NONE.  Calls asking for PROT_WRITE or PROT_EXEC are not admitted by
 * this function.
 *
 * NOTE: the author considers this optional, as mprotect currently only
 * occurs before the filter is applied; the rules are kept for the future.
 *
 * @a filter is unused.  Returns 0 on success or the first non-zero
 * libseccomp error code.
 */
static int
sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const int allowed_prot[] = { PROT_READ, PROT_NONE };
  size_t i;
  (void) filter;

  for (i = 0; i < sizeof(allowed_prot) / sizeof(allowed_prot[0]); ++i) {
    int rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect),
                                SCMP_CMP(2, SCMP_CMP_EQ, allowed_prot[i]));
    if (rc)
      return rc;
  }

  return 0;
}
示例14: sb_rt_sigprocmask
/**
 * Add the rt_sigprocmask(2) rules to the sandbox filter.
 *
 * The how argument (arg 0) is admitted for SIG_UNBLOCK and SIG_SETMASK
 * only; SIG_BLOCK is not admitted by this function.  The mask arguments
 * are unconstrained.
 *
 * @a filter is unused.  Returns 0 on success or the first non-zero
 * libseccomp error code.
 */
static int
sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  int rc;
  (void) filter;

  if ((rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
                               SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK))) != 0)
    return rc;

  if ((rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask),
                               SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK))) != 0)
    return rc;

  return 0;
}
示例15: sb_flock
/**
 * Add the flock(2) rules to the sandbox filter.
 *
 * The operation argument (arg 1) is admitted for exactly LOCK_EX|LOCK_NB
 * (non-blocking exclusive lock) and LOCK_UN (unlock); shared locks and
 * blocking lock requests are not admitted by this function.
 *
 * NOTE: per the author, this need not be here, as flock occurs before the
 * filter is applied.
 *
 * @a filter is unused.  Returns 0 on success or the first non-zero
 * libseccomp error code.
 */
static int
sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
{
  static const int allowed_ops[] = { LOCK_EX|LOCK_NB, LOCK_UN };
  size_t i;
  (void) filter;

  for (i = 0; i < sizeof(allowed_ops) / sizeof(allowed_ops[0]); ++i) {
    int rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock),
                                SCMP_CMP(1, SCMP_CMP_EQ, allowed_ops[i]));
    if (rc)
      return rc;
  }

  return 0;
}