https://wikicshse.ru/index.php?action=history&feed=atom&title=%D0%91%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80%D0%BD%D1%8B%D1%85_%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC_2019%2FSECCOMP
Безопасность компьютерных систем 2019/SECCOMP - История изменений
2026-06-06T18:17:15Z
История изменений этой страницы в вики
MediaWiki 1.45.3
https://wikicshse.ru/index.php?title=%D0%91%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BA%D0%BE%D0%BC%D0%BF%D1%8C%D1%8E%D1%82%D0%B5%D1%80%D0%BD%D1%8B%D1%85_%D1%81%D0%B8%D1%81%D1%82%D0%B5%D0%BC_2019/SECCOMP&diff=2030&oldid=prev
imported>Gamajun: Migrated current public revision from wiki.cs.hse.ru
2019-11-25T13:40:02Z
<p>Migrated current public revision from wiki.cs.hse.ru</p>
<p><b>Новая страница</b></p><div>== Linux seccomp ==<br />
Ссылки для изучения:<br />
<br />
# Рекомендуемая основная презентация (пригодится для выполнения бонусного задания к заданию 3): http://man7.org/conf/lceu2016/limiting_kernel_attack_surface_with_seccomp-ContainerCon.eu_2016-Kerrisk.pdf<br />
# https://eigenstate.org/notes/seccomp<br />
# Kafel - язык для конструирования политик seccomp (not an official Google product) https://github.com/google/kafel<br />
<br />
== Тестовый пример 1 ==<br />
<br />
#include <stdio.h><br />
#include <unistd.h><br />
#include <linux/seccomp.h><br />
#include <sys/prctl.h><br />
int main () {<br />
pid_t pid;<br />
printf("Step 1: no restrictions yet\n");<br />
prctl (PR_SET_SECCOMP, SECCOMP_MODE_STRICT);<br />
printf ("Step 2: entering the strict mode. Only read(), write(), exit() and sigreturn() syscalls are allowed\n");<br />
pid = getpid ();<br />
printf ("!!YOU SHOULD NOT SEE THIS!! My PID = %d", pid);<br />
return 0;<br />
}<br />
<br />
== Тестовый пример 2 ==<br />
<br />
<br />
#include <stdio.h><br />
#include <seccomp.h><br />
#include <unistd.h><br />
#include <sys/fcntl.h><br />
#include <errno.h><br />
int main() {<br />
pid_t pid;<br />
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);<br />
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);<br />
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);<br />
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sigreturn), 0);<br />
seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);<br />
printf ("No restrictions yet\n");<br />
seccomp_load(ctx);<br />
pid = getpid();<br />
printf("!! YOU SHOULD NOT SEE THIS!! My PID is%d\n", pid);<br />
return 0;<br />
}<br />
<br />
== Тестовый пример 3 ==<br />
<br />
<pre><br />
/*************************************************************************\<br />
* Copyright (C) Michael Kerrisk, 2016. *<br />
* *<br />
* This program is free software. You may use, modify, and redistribute it *<br />
* under the terms of the GNU General Public License as published by the *<br />
* Free Software Foundation, either version 3 or (at your option) any *<br />
* later version. This program is distributed without any warranty. See *<br />
* the file COPYING.gpl-v3 for details. *<br />
\*************************************************************************/<br />
<br />
/* Supplementary program for Chapter Z */<br />
<br />
/* seccomp_deny.c<br />
A simple seccomp filter example. Install a filter that kills the process<br />
if open() is called.<br />
*/<br />
#define _GNU_SOURCE<br />
#include <stddef.h><br />
#include <fcntl.h><br />
#include <linux/audit.h><br />
#include <sys/syscall.h><br />
#include <linux/filter.h><br />
#include <linux/seccomp.h><br />
#include <sys/prctl.h><br />
#include <sys/types.h> /* Type definitions used by many programs */<br />
#include <stdio.h> /* Standard I/O functions */<br />
#include <stdlib.h> /* Prototypes of commonly used library functions, plus EXIT_SUCCESS and EXIT_FAILURE constants */<br />
#include <unistd.h> /* Prototypes for many system calls */<br />
#include <errno.h> /* Declares errno and defines error constants */<br />
#include <string.h> /* Commonly used string-handling functions */<br />
<br />
static int<br />
seccomp(unsigned int operation, unsigned int flags, void *args)<br />
{<br />
return syscall(__NR_seccomp, operation, flags, args);<br />
}<br />
<br />
static void<br />
install_filter(void)<br />
{<br />
struct sock_filter filter[] = {<br />
/* Load architecture */<br />
<br />
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,<br />
(offsetof(struct seccomp_data, arch))),<br />
<br />
/* Kill process if the architecture is not what we expect */<br />
<br />
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),<br />
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),<br />
<br />
/* Load system call number */<br />
<br />
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,<br />
(offsetof(struct seccomp_data, nr))),<br />
<br />
/* Allow system calls other than open() */<br />
<br />
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 1, 0),<br />
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),<br />
<br />
/* Kill process on open() */<br />
<br />
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)<br />
};<br />
<br />
struct sock_fprog prog = {<br />
.len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),<br />
.filter = filter,<br />
};<br />
<br />
if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog) == -1)<br />
perror("seccomp");<br />
/* On Linux 3.16 and earlier, we must instead use:<br />
<br />
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))<br />
errExit("prctl-PR_SET_SECCOMP");<br />
*/<br />
}<br />
<br />
int<br />
main(int argc, char **argv)<br />
{<br />
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))<br />
perror("prctl");<br />
<br />
install_filter();<br />
<br />
if (open("/tmp/a", O_RDONLY) == -1)<br />
perror("open");<br />
<br />
printf("We shouldn't see this message\n");<br />
<br />
exit(EXIT_SUCCESS);<br />
}<br />
</pre><br />
<br />
== Тестовый пример 4 ==<br />
<pre><br />
#include <stdlib.h><br />
#include <stdio.h><br />
#include <stddef.h><br />
#include <string.h><br />
#include <unistd.h><br />
#include <errno.h><br />
<br />
#include <sys/types.h><br />
#include <sys/prctl.h><br />
#include <sys/syscall.h><br />
#include <sys/socket.h><br />
<br />
#include <linux/filter.h><br />
#include <linux/seccomp.h><br />
#include <linux/audit.h><br />
<br />
#define ArchField offsetof(struct seccomp_data, arch)<br />
<br />
#define Allow(syscall) \<br />
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_##syscall, 0, 1), \<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)<br />
<br />
struct sock_filter filter[] = {<br />
/* validate arch */<br />
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ArchField),<br />
BPF_JUMP( BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 1, 0),<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP),<br />
<br />
/* load syscall */<br />
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, offsetof(struct seccomp_data, nr)),<br />
<br />
/* list of allowed syscalls */<br />
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_brk, 0, 1),<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),<br />
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_mmap, 0, 1),<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),<br />
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_munmap, 0, 1),<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),<br />
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_write, 0, 1),<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),<br />
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit, 0, 1),<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),<br />
<br />
/* and if we don't match above, die */<br />
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),<br />
};<br />
struct sock_fprog filterprog = {<br />
.len = sizeof(filter)/sizeof(filter[0]),<br />
.filter = filter<br />
};<br />
<br />
int main(int argc, char **argv) {<br />
char buf[1024];<br />
<br />
/* set up the restricted environment */<br />
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {<br />
perror("Could not start seccomp:");<br />
exit(1);<br />
}<br />
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &filterprog) == -1) {<br />
perror("Could not start seccomp:");<br />
exit(1);<br />
}<br />
<br />
/* printf only writes to stdout, but for some reason it stats it. */<br />
printf("hello there!\n");<br />
<br />
if (argc > 1 && strcmp(argv[1], "haxor") == 0) {<br />
int fd = socket(AF_INET6, SOCK_STREAM, 0);<br />
/* ...and start sending spam */<br />
}<br />
}<br />
</pre></div>
imported>Gamajun