Commit | Line | Data |
---|---|---|
8befd5cc MG |
1 | /** |
2 | * Seccomp Library test program | |
3 | * | |
4 | * Copyright (c) 2012 Red Hat <pmoore@redhat.com> | |
5 | * Author: Paul Moore <paul@paul-moore.com> | |
6 | */ | |
7 | ||
8 | /* | |
9 | * This library is free software; you can redistribute it and/or modify it | |
10 | * under the terms of version 2.1 of the GNU Lesser General Public License as | |
11 | * published by the Free Software Foundation. | |
12 | * | |
13 | * This library is distributed in the hope that it will be useful, but WITHOUT | |
14 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or | |
15 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License | |
16 | * for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU Lesser General Public License | |
19 | * along with this library; if not, see <http://www.gnu.org/licenses>. | |
20 | */ | |
21 | ||
22 | #include <errno.h> | |
23 | #include <unistd.h> | |
24 | ||
25 | #include <seccomp.h> | |
26 | ||
27 | #include "util.h" | |
28 | ||
29 | int main(int argc, char *argv[]) | |
30 | { | |
31 | int rc; | |
32 | struct util_options opts; | |
33 | scmp_filter_ctx ctx_64 = NULL, ctx_32 = NULL; | |
34 | ||
35 | rc = util_getopt(argc, argv, &opts); | |
36 | if (rc < 0) | |
37 | goto out_all; | |
38 | ||
39 | ctx_32 = seccomp_init(SCMP_ACT_KILL); | |
40 | if (ctx_32 == NULL) { | |
41 | rc = -ENOMEM; | |
42 | goto out_all; | |
43 | } | |
44 | ctx_64 = seccomp_init(SCMP_ACT_KILL); | |
45 | if (ctx_64 == NULL) { | |
46 | rc = -ENOMEM; | |
47 | goto out_all; | |
48 | } | |
49 | ||
50 | rc = seccomp_arch_remove(ctx_32, SCMP_ARCH_NATIVE); | |
51 | if (rc != 0) | |
52 | goto out; | |
53 | rc = seccomp_arch_remove(ctx_64, SCMP_ARCH_NATIVE); | |
54 | if (rc != 0) | |
55 | goto out; | |
56 | ||
57 | rc = seccomp_arch_add(ctx_32, SCMP_ARCH_X86); | |
58 | if (rc != 0) | |
59 | goto out_all; | |
60 | rc = seccomp_arch_add(ctx_64, SCMP_ARCH_X86_64); | |
61 | if (rc != 0) | |
62 | goto out_all; | |
63 | ||
64 | rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(read), 1, | |
65 | SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO)); | |
66 | if (rc != 0) | |
67 | goto out_all; | |
68 | ||
69 | rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, | |
70 | SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO)); | |
71 | if (rc != 0) | |
72 | goto out_all; | |
73 | ||
74 | rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(write), 1, | |
75 | SCMP_A0(SCMP_CMP_EQ, STDERR_FILENO)); | |
76 | if (rc != 0) | |
77 | goto out_all; | |
78 | ||
79 | rc = seccomp_rule_add(ctx_32, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); | |
80 | if (rc != 0) | |
81 | goto out_all; | |
82 | ||
83 | rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0); | |
84 | if (rc != 0) | |
85 | goto out_all; | |
86 | ||
87 | rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(connect), 0); | |
88 | if (rc != 0) | |
89 | goto out_all; | |
90 | ||
91 | rc = seccomp_rule_add(ctx_64, SCMP_ACT_ALLOW, SCMP_SYS(shutdown), 0); | |
92 | if (rc != 0) | |
93 | goto out_all; | |
94 | ||
95 | rc = seccomp_merge(ctx_64, ctx_32); | |
96 | if (rc != 0) | |
97 | goto out_all; | |
98 | ||
99 | /* NOTE: ctx_32 is no longer valid at this point */ | |
100 | ||
101 | rc = util_filter_output(&opts, ctx_64); | |
102 | if (rc) | |
103 | goto out; | |
104 | ||
105 | out: | |
106 | seccomp_release(ctx_64); | |
107 | return (rc < 0 ? -rc : rc); | |
108 | out_all: | |
109 | seccomp_release(ctx_32); | |
110 | goto out; | |
111 | } |