author | Alice Frosi <afrosi@redhat.com> | 2023-03-30 11:02:47 +0200 |
---|---|---|
committer | Alice Frosi <afrosi@redhat.com> | 2023-03-30 11:07:12 +0200 |
commit | fa00aa6b11a9a773bdb0b11c306d2e6936ba5862 (patch) | |
tree | 8852eebf58339d9bbce563022a754d4204411c26 /common/common.c | |
parent | 6a850dfce709751292a136d76060c97b57435ef1 (diff) | |
Create common function to install the BPF filter
Diffstat (limited to 'common/common.c')
-rw-r--r-- | common/common.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/common/common.c b/common/common.c
index a8f79a2..cd792de 100644
--- a/common/common.c
+++ b/common/common.c
@@ -5,6 +5,15 @@
 #include <unistd.h>
 #include <stdlib.h>
 #include <sys/stat.h>
+#include <sys/prctl.h>
+#include <sys/syscall.h>
+#include <sys/socket.h>
+
+#include <linux/audit.h>
+#include <linux/seccomp.h>
+
+#include "util.h"
+#include "common.h"
 int find_fd_seccomp_notifier(const char *path)
 {
@@ -49,3 +58,24 @@ int find_fd_seccomp_notifier(const char *path)
 fprintf(stderr, "seccomp notifier not found in %s\n", path);
 return -1;
 }
+
+static int seccomp(unsigned int operation, unsigned int flags, void *args)
+{
+ return syscall(__NR_seccomp, operation, flags, args);
+}
+
+int install_filter(struct sock_filter *filter, unsigned short len)
+{
+ struct sock_fprog prog;
+ int fd;
+
+ prog.filter = filter;
+ prog.len = len;
+ if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
+ die(" prctl");
+ if ((fd = seccomp(SECCOMP_SET_MODE_FILTER,
+ SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog)) < 0)
+ die(" seccomp");
+
+ return fd;
+}
|
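Review bot: `install_filter` confines only the calling thread — it passes `SECCOMP_FILTER_FLAG_NEW_LISTENER` without `SECCOMP_FILTER_FLAG_TSYNC`, so any thread already running in the caller keeps making unfiltered syscalls (combining the two flags needs `SECCOMP_FILTER_FLAG_TSYNC_ESRCH` on newer kernels), and nothing in the hunk documents that, nor that the returned notifier fd is owned by the caller. The `die()` calls turn a failed `prctl` or `seccomp` into process exit, which is reasonable for a one-shot setup helper but worth stating since this lives in the shared common.c; whether `die()` appends `strerror(errno)` is not visible here, and the leading space in `" prctl"` and `" seccomp"` looks like a stray character unless `die()` relies on it. I would put a header comment above the definition: `/* Install @filter (@len instructions) as a seccomp filter on the calling thread after setting no_new_privs. Returns the new seccomp notifier fd (caller must close it); exits via die() if prctl() or seccomp() fails. No TSYNC: threads created before this call are not filtered. */` The two field assignments could also be a designated initializer, `struct sock_fprog prog = { .len = len, .filter = filter };`, which keeps `prog` fully initialized at declaration.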