seccomp/seccomp_launch.c

This is seccomp/seccomp_launch.c, an example to accompany the book, The Linux Programming Interface.

This file is not printed in the book; it demonstrates Linux features that are not described in the book (typically features that have appeared since the book was published).

The source code file is copyright 2024, Michael Kerrisk, and is licensed under the GNU General Public License, version 3.

In the listing below, the names of Linux system calls and C library functions are hyperlinked to manual pages from the Linux man-pages project, and the names of functions implemented in the book are hyperlinked to the implementations of those functions.

 




/* seccomp_launch.c

   Usage: seccomp_launch [-f bpf-filter-blob]... prog arg...

   Launch a program with arguments, after first (optionally) loading
   previously generated BPF filter(s) from specified file(s).

   Note that the filter(s) are installed in this launcher process before it
   calls execve(). Consequently, as well as allowing execve() itself, they
   must allow the system calls that this program makes after the first filter
   is installed (for example, those used to load any subsequent filter), and
   they may need to allow the system calls that the dynamic linker uses to
   load the new program's shared libraries. More generally, "enable the
   filter only after execve()" functionality is a difficult problem that
   currently has no good solution. See this mail thread for a discussion of
   the issues and the shortfalls of using LD_PRELOAD to solve the problem:
   "Request for a "enable on execve" mode for Seccomp filters" (Oct 2020)
   https://lore.kernel.org/all/202010281500.855B950FE@keescook/T/#mf1d6a1c1e2ed67fdf54770785197812aa3d96a67
*/
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>

/* Print a perror()-style diagnostic prefixed by 'msg' and terminate with a
   failure status. The do { } while (0) wrapper makes the macro behave as a
   single statement, so it is safe as the body of an unbraced 'if'. */
#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); } while (0)
/* Minimal wrapper for the seccomp(2) system call, invoked via syscall(2)
   (presumably because the C library in use provides no wrapper of its own).
   'operation' is one of the SECCOMP_* operations, 'flags' the corresponding
   SECCOMP_FILTER_FLAG_* bits, and 'args' the operation-specific argument.
   Returns 0 on success, or -1 with errno set (e.g., EINVAL for an unknown
   operation or flag, EACCES if no_new_privs is not set and the caller lacks
   CAP_SYS_ADMIN). */
static int
seccomp(unsigned int operation, unsigned int flags, void *args)
{
    long res = syscall(__NR_seccomp, operation, flags, args);
    return (int) res;
}
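/* Read a pre-assembled classic BPF program (an array of 'struct sock_filter')
   from the file 'filterPathname' and install it as a seccomp filter in the
   calling process.

   Every error is fatal: the function prints a diagnostic and calls exit().
   The filter blob itself is not trusted; the kernel verifies the program
   (seccomp() fails with EINVAL for malformed BPF) before it is installed.

   Each call adds a further filter; the kernel evaluates all installed filters
   and applies the most restrictive result (see seccomp(2)). Once the first
   filter is installed, the system calls that this function itself makes on a
   later call (open(), fstat(), read(), brk()/mmap() for malloc(), close(),
   seccomp()) must be permitted by the filters already in place. */
static void
loadFilter(char *filterPathname)
{
    static bool noNewPrivsAlreadySet = false;

    /* Setting no_new_privs is required for an unprivileged process to
       install a filter (otherwise seccomp() fails with EACCES). It also
       ensures that the filter can't be used to attack a set-UID/set-GID or
       file-capability binary executed later: execve() of such binaries no
       longer grants privileges. The flag is inherited across fork() and
       execve() and can't be cleared, so setting it once is enough. */

    if (!noNewPrivsAlreadySet) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
            errExit("prctl");
        noNewPrivsAlreadySet = true;
    }

    /* Open the file, determine its size, allocate a buffer of that size,
       and read the file into the buffer */

    int fd = open(filterPathname, O_RDONLY);
    if (fd == -1)
        errExit("open");

    struct stat sb;
    if (fstat(fd, &sb) == -1)
        errExit("fstat");

    /* Bound the size before using it as an allocation size or converting it
       to 'fprog.len' (an unsigned short). The kernel rejects programs with
       zero instructions or more than BPF_MAXINSNS instructions anyway, so a
       clear message here is better than a later EINVAL. This also catches
       non-regular files such as FIFOs, whose st_size is meaningless. */

    const off_t maxFilterSize = (off_t) (BPF_MAXINSNS * sizeof(struct sock_filter));
    if (sb.st_size <= 0 || sb.st_size > maxFilterSize) {
        fprintf(stderr, "Filter file is empty or larger than %d instructions\n",
                BPF_MAXINSNS);
        exit(EXIT_FAILURE);
    }

    if (sb.st_size % sizeof(struct sock_filter) != 0) {
        fprintf(stderr, "Filter has odd size\n");
        exit(EXIT_FAILURE);
    }

    size_t filterSize = (size_t) sb.st_size;

    struct sock_filter *filter = malloc(filterSize);
    if (filter == NULL)
        errExit("malloc");

    /* read() may transfer fewer bytes than requested (e.g., if interrupted
       by a signal), even on a regular file, so loop until the whole blob has
       been read; a premature end of file means the file changed under us. */

    size_t total = 0;
    while (total < filterSize) {
        ssize_t nread = read(fd, (char *) filter + total, filterSize - total);
        if (nread == -1)
            errExit("read");
        if (nread == 0) {
            fprintf(stderr, "Failure reading filter\n");
            exit(EXIT_FAILURE);
        }
        total += (size_t) nread;
    }

    if (close(fd) == -1)
        errExit("close");

    /* Install the BPF filter blob. The length is in instructions, not bytes;
       the bound checked above guarantees it fits in an unsigned short. */

    struct sock_fprog fprog;
    fprog.len = (unsigned short) (filterSize / sizeof(struct sock_filter));
    fprog.filter = filter;

    if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &fprog) == -1)
        errExit("seccomp");

    /* The kernel keeps its own copy of the program, so the user-space buffer
       is no longer needed */

    free(filter);
}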
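/* Write 'msg' followed by a usage synopsis to standard error and exit with
   failure status. 'msg' is emitted verbatim (never as a format string), so
   text that contains '%' can't be misinterpreted. The synopsis shows that
   -f may be repeated, matching the description at the top of this file. */
static void
usageError(char *pname, char *msg)
{
    fputs(msg, stderr);
    fprintf(stderr, "Usage: %s [-f filter]... prog arg...\n", pname);
    exit(EXIT_FAILURE);
}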
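/* Parse the command line, installing each filter named by a -f option in this
   process, then replace the process image with the named program. */
int
main(int argc, char *argv[])
{
    /* Handle "--help" before getopt() sees it. With no long options
       configured, getopt() treats "--help" as the unknown option '-' and the
       loop below would report "Bad option" instead. (The original check on
       argv[1] after the loop could therefore never match.) */

    if (argc > 1 && strcmp(argv[1], "--help") == 0)
        usageError(argv[0], "");

    /* Command-line parsing. Each -f installs its filter immediately, so from
       the first -f onward this launcher itself runs under the filter(s): the
       system calls made while loading any later filter, and the execvp()
       below, must all be permitted by the filters already installed. */

    int opt;
    while ((opt = getopt(argc, argv, "f:")) != -1) {
        switch (opt) {

        case 'f':               /* Install a filter */
            loadFilter(optarg);
            break;

        default:
            usageError(argv[0], "Bad option\n");
        }
    }

    if (optind >= argc)
        usageError(argv[0], "No program specified\n");

    /* Execute program named on command line. execvp() searches PATH unless
       the name contains a slash, and returns only if the exec failed. */

    execvp(argv[optind], &argv[optind]);
    errExit("execvp");
}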

 


Note that, in most cases, the programs rendered in these web pages are not free standing: you'll typically also need a few other source files (mostly in the lib/ subdirectory) as well. Generally, it's easier to just download the entire source tarball and build the programs with make(1). By hovering your mouse over the various hyperlinked include files and function calls above, you can see which other source files this file depends on.
