Exemplos de install_syscall_filter em C++ (Cpp)

Exemplo n.º 1

Arquivo: preload.c Projeto: passimm/rr

init_process(void)
{
	assert(!process_inited);

	if (getenv("_RR_CHECK_PRELOAD")) {
		/* The tracer parent is just checking that we loaded.
		 * We did, so return a success code. */
		exit(0);
	}

	real_pthread_create = dlsym(RTLD_NEXT, "pthread_create");
	real_pthread_mutex_timedlock = dlsym(RTLD_NEXT, "pthread_mutex_timedlock");

	buffer_enabled = !!getenv(SYSCALLBUF_ENABLED_ENV_VAR);
	if (!buffer_enabled) {
		debug("Syscall buffering is disabled");
		process_inited = 1;
		return;
	}

	pthread_atfork(NULL, NULL, post_fork_child);

	install_syscall_filter();
	rrcall_monkeypatch_vdso(&_vsyscall_hook_trampoline);
	process_inited = 1;

	init_thread();
}

Exemplo n.º 2

Arquivo: sandbox.c Projeto: Arcoins/Arcoin_Source

/**
 * Initialises the syscall sandbox filter for any linux architecture, taking
 * into account various available features for different linux flavours.
 */
static int
initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
{
  if (install_sigsys_debugging())
    return -1;

  if (install_syscall_filter(cfg))
    return -2;

  if (register_cfg(cfg))
    return -3;

  return 0;
}

Exemplo n.º 3

Arquivo: sandbox.c Projeto: Archer-sys/tor

/**
 * Initialises the syscall sandbox filter for any linux architecture, taking
 * into account various available features for different linux flavours.
 */
static int
initialise_libseccomp_sandbox(sandbox_cfg_t* cfg)
{
  /* Prevent glibc from trying to open /dev/tty on fatal error */
  setenv("LIBC_FATAL_STDERR_", "1", 1);

  if (install_sigsys_debugging())
    return -1;

  if (install_syscall_filter(cfg))
    return -2;

  if (register_cfg(cfg))
    return -3;

  return 0;
}

Exemplo n.º 4

Arquivo: idontgiveashell.c Projeto: scumjr/idontgiveashell

static void child(int s, int c)
{
	struct rlimit rlimit;
        pid_t pid;

        pid = fork();
        if (pid == -1) {
                warn("fork");
                return;
        } else if (pid > 0) {
                close(c);
		return;
	}

        if (prctl(PR_SET_PDEATHSIG, SIGTERM) == -1)
                err(1, "prctl(PR_SET_PDEATHSIG)");

	close(s);

        if (dup2(c, STDIN_FILENO) == -1 ||
	    dup2(c, STDOUT_FILENO) == -1 ||
	    dup2(c, STDERR_FILENO) == -1)
                warn("dup2");

        if (signal(SIGBUS, signal_handler) == SIG_ERR ||
	    signal(SIGSEGV, signal_handler) == SIG_ERR ||
	    signal(SIGTRAP, signal_handler) == SIG_ERR)
                err(1, "signal");

        alarm(MAX_CPU_TIME);

	rlimit.rlim_cur = MAX_MEMORY;
	rlimit.rlim_max = RLIM_INFINITY;
	if (setrlimit(RLIMIT_AS, &rlimit) == -1)
		err(1, "setrlimit");

	install_syscall_filter();

	receive_and_exec_code(c);
}

Exemplo n.º 5

Arquivo: hello.c Projeto: sangorrin/linuxcon-japan-2015

int main(int argc, char *argv[])
{
	int i;
	struct timespec start, end, total;
	uint64_t diff;

	if (atoi(argv[1]) == 1)
		install_syscall_filter();

	clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &start);
	for (i=0; i<1000000; i++) {
		syscall(atol(argv[2]));
	}
	clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &end);

	total = timediff(start, end);
	diff  = total.tv_sec * BILLION + total.tv_nsec;
	//diff = BILLION * (end.tv_sec - start.tv_sec) + end.tv_nsec - start.tv_nsec;
	printf("%llu", (long long unsigned int) diff);

	return 0;
}

Exemplo n.º 6

Arquivo: main.cpp Projeto: exploreword/skia

int main(int argc, char** argv) {
    SkCommandLineFlags::Parse(argc, argv);
    SkAutoGraphics init;

    if (FLAGS_out.count() == 0) {
      perror("The --out flag must have an argument.");
      return 1;
    }

    if (FLAGS_source.count() == 1) {
       if (!SkImageDecoder::DecodeFile(FLAGS_source[0], &source)) {
           perror("Unable to read the source image.");
       }
    }

    SkFILEWStream stream(FLAGS_out[0]);

    SkImageInfo info = SkImageInfo::MakeN32(256, 256, kPremul_SkAlphaType);
    SkAutoTUnref<SkSurface> surface(SkSurface::NewRaster(info));
    SkCanvas* canvas = surface->getCanvas();

    setLimits();

    if (!install_syscall_filter()) {
        return 1;
    }

    draw(canvas);

    // Write out the image as a PNG.
    SkAutoTUnref<SkImage> image(surface->newImageSnapshot());
    SkAutoTUnref<SkData> data(image->encode(SkImageEncoder::kPNG_Type, 100));
    if (NULL == data.get()) {
        printf("Failed to encode\n");
        exit(1);
    }
    stream.write(data->data(), data->size());
}

Exemplo n.º 7

Arquivo: example.c Projeto: gebi/teach-seccomp

static int install_syscall_filter(void)
{
	struct sock_filter filter[] = {
		/* Validate architecture. */
		VALIDATE_ARCHITECTURE,
		/* Grab the system call number. */
		EXAMINE_SYSCALL,
		/* List allowed syscalls. */
		ALLOW_SYSCALL(rt_sigreturn),
#ifdef __NR_sigreturn
		ALLOW_SYSCALL(sigreturn),
#endif
		ALLOW_SYSCALL(exit_group),
		ALLOW_SYSCALL(exit),
		ALLOW_SYSCALL(read),
		ALLOW_SYSCALL(write),
		KILL_PROCESS,
	};
	struct sock_fprog prog = {
		.len = (unsigned short)(sizeof(filter)/sizeof(filter[0])),
		.filter = filter,
	};

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
		perror("prctl(NO_NEW_PRIVS)");
		goto failed;
	}
	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
		perror("prctl(SECCOMP)");
		goto failed;
	}
	return 0;

failed:
	if (errno == EINVAL)
		fprintf(stderr, "SECCOMP_FILTER is not available. :(\n");
	return 1;
}

int main(int argc, char *argv[])
{
	char buf[1024];

	if (install_syscall_filter())
		return 1;

	printf("Type stuff here: ");
	fflush(NULL);
	buf[0] = '\0';
	fgets(buf, sizeof(buf), stdin);
	printf("You typed: %s", buf);

	printf("And now we fork, which should do quite the opposite ...\n");
	fflush(NULL);
	sleep(1);

	fork();
	printf("You should not see this because I'm dead.\n");

	return 0;
}