https://www.wikicshse.ru/index.php?action=history&feed=atom&title=%D0%91%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80%D0%BD%D1%8B%D1%85_%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC_2018%2FSECCOMP Безопасность компьютерных систем 2018/SECCOMP - История изменений 2026-06-06T12:34:14Z История изменений этой страницы в вики MediaWiki 1.45.3 https://www.wikicshse.ru/index.php?title=%D0%91%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80%D0%BD%D1%8B%D1%85_%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC_2018/SECCOMP&diff=2015&oldid=prev imported>Gamajun: Migrated current public revision from wiki.cs.hse.ru 2019-11-24T19:51:57Z <p>Migrated current public revision from wiki.cs.hse.ru</p> <p><b>Новая страница</b></p><div>== Linux seccomp ==<br /> Ссылки для изучения:<br /> <br /> # Рекомендуемая основная презентация (пригодится для выполнения бонусного задания к заданию 3): http://events.linuxfoundation.org/sites/events/files/slides/limiting_kernel_attack_surface_with_seccomp-ContainerCon.eu_2016-Kerrisk.pdf<br /> # https://eigenstate.org/notes/seccomp<br /> # Kafel - язык для конструирования политик seccomp (not an official Google product) https://github.com/google/kafel<br /> <br /> == Тестовый пример 1 ==<br /> <br /> #include &lt;stdio.h&gt;<br /> #include &lt;unistd.h&gt;<br /> #include &lt;linux/seccomp.h&gt;<br /> #include &lt;sys/prctl.h&gt;<br /> int main () {<br /> pid_t pid;<br /> printf(&quot;Step 1: no restrictions yet\n&quot;);<br /> prctl (PR_SET_SECCOMP, SECCOMP_MODE_STRICT);<br /> printf (&quot;Step 2: entering the strict mode. Only read(), write(), exit() and sigreturn() syscalls are allowed\n&quot;);<br /> pid = getpid ();<br /> printf (&quot;!!YOU SHOULD NOT SEE THIS!! My PID = %d&quot;, pid);<br /> return 0;<br /> }<br /> <br /> == Тестовый пример 2 ==<br /> <br /> <br /> #include &lt;stdio.h&gt;<br /> #include &lt;seccomp.h&gt;<br /> #include &lt;unistd.h&gt;<br /> #include &lt;sys/fcntl.h&gt;<br /> #include &lt;errno.h&gt;<br /> int main() {<br /> pid_t pid;<br /> scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);<br /> seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);<br /> seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);<br /> seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);<br /> seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);<br /> printf (&quot;No restrictions yet\n&quot;);<br /> seccomp_load(ctx);<br /> pid = getpid();<br /> printf(&quot;!! YOU SHOULD NOT SEE THIS!! My PID is%d\n&quot;, pid);<br /> return 0;<br /> }<br /> <br /> == Тестовый пример 3 ==<br /> <br /> #include &lt;stdlib.h&gt;<br /> #include &lt;stdio.h&gt;<br /> #include &lt;stddef.h&gt;<br /> #include &lt;string.h&gt;<br /> #include &lt;unistd.h&gt;<br /> #include &lt;errno.h&gt;<br /> #include &lt;sys/types.h&gt;<br /> #include &lt;sys/prctl.h&gt;<br /> #include &lt;sys/syscall.h&gt;<br /> #include &lt;sys/socket.h&gt;<br /> #include &lt;sys/fcntl.h&gt;<br /> #include &lt;linux/filter.h&gt;<br /> #include &lt;linux/seccomp.h&gt;<br /> #include &lt;linux/audit.h&gt;<br /> #include &lt;asm/unistd_64.h&gt;<br /> static void install_filter ( void ) {<br /> struct sock_filter filter [] = {<br /> BPF_STMT ( BPF_LD | BPF_W | BPF_ABS ,<br /> ( offsetof ( struct seccomp_data , arch ))) ,<br /> BPF_JUMP ( BPF_JMP | BPF_JEQ | BPF_K ,<br /> AUDIT_ARCH_X86_64 , 1 , 0) ,<br /> BPF_STMT ( BPF_RET | BPF_K , SECCOMP_RET_KILL ) ,<br /> BPF_STMT ( BPF_LD | BPF_W | BPF_ABS ,<br /> ( offsetof ( struct seccomp_data , nr ))) ,<br /> BPF_JUMP ( BPF_JMP | BPF_JEQ | BPF_K , __NR_open ,<br /> 1 , 0) ,<br /> BPF_STMT ( BPF_RET | BPF_K , SECCOMP_RET_ALLOW ) ,<br /> BPF_STMT ( BPF_RET | BPF_K , SECCOMP_RET_KILL )<br /> };<br /> struct sock_fprog prog = {<br /> .len = ( unsigned short ) ( sizeof ( filter ) /<br /> sizeof ( filter [0])) ,<br /> . filter = filter ,<br /> };<br /> syscall( __NR_seccomp , SECCOMP_SET_MODE_FILTER , 0 , &amp; prog );<br /> }<br /> int main (int argc , char ** argv ) {<br /> prctl ( PR_SET_NO_NEW_PRIVS , 1 , 0 , 0 , 0);<br /> install_filter ();<br /> open ( &quot;/tmp/a&quot; , O_RDONLY );<br /> printf ( &quot;We shouldn ’t see this message \n&quot; );<br /> exit ( EXIT_SUCCESS );<br /> }<br /> <br /> == Тестовый пример 4 ==<br /> &lt;pre&gt;<br /> #include &lt;stdlib.h&gt;<br /> #include &lt;stdio.h&gt;<br /> #include &lt;stddef.h&gt;<br /> #include &lt;string.h&gt;<br /> #include &lt;unistd.h&gt;<br /> #include &lt;errno.h&gt;<br /> <br /> #include &lt;sys/types.h&gt;<br /> #include &lt;sys/prctl.h&gt;<br /> #include &lt;sys/syscall.h&gt;<br /> #include &lt;sys/socket.h&gt;<br /> <br /> #include &lt;linux/filter.h&gt;<br /> #include &lt;linux/seccomp.h&gt;<br /> #include &lt;linux/audit.h&gt;<br /> <br /> #define ArchField offsetof(struct seccomp_data, arch)<br /> <br /> #define Allow(syscall) \<br /> BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_##syscall, 0, 1), \<br /> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)<br /> <br /> struct sock_filter filter[] = {<br /> /* validate arch */<br /> BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ArchField),<br /> BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0),<br /> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP),<br /> <br /> /* load syscall */<br /> BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),<br /> <br /> /* list of allowed syscalls */<br /> Allow(exit_group), /* exits a processs */<br /> Allow(brk), /* for malloc(), inside libc */<br /> Allow(mmap), /* also for malloc() */<br /> Allow(munmap), /* for free(), inside libc */<br /> Allow(write), /* called by printf */<br /> Allow(fstat), /* called by printf */<br /> <br /> /* and if we don&#039;t match above, die */<br /> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),<br /> };<br /> struct sock_fprog filterprog = {<br /> .len = sizeof(filter)/sizeof(filter[0]),<br /> .filter = filter<br /> };<br /> <br /> int main(int argc, char **argv) {<br /> char buf[1024];<br /> <br /> /* set up the restricted environment */<br /> if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {<br /> perror(&quot;Could not start seccomp:&quot;);<br /> exit(1);<br /> }<br /> if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &amp;filterprog) == -1) {<br /> perror(&quot;Could not start seccomp:&quot;);<br /> exit(1);<br /> }<br /> <br /> /* printf only writes to stdout, but for some reason it stats it. */<br /> printf(&quot;hello there!\n&quot;);<br /> <br /> if (argc &gt; 1 &amp;&amp; strcmp(argv[1], &quot;haxor&quot;) == 0) {<br /> int fd = socket(AF_INET6, SOCK_STREAM, 0);<br /> /* ...and start sending spam */<br /> }<br /> }<br /> &lt;/pre&gt;</div> imported>Gamajun