int python_seccomp_rules(struct config *_config)
{
// Syscalls blacklist array
int syscalls_blacklist[] = {
SCMP_SYS(fork), SCMP_SYS(vfork), SCMP_SYS(kill)
};
// Initializing seccomp context
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
if (!ctx)
{
return LOAD_SECCOMP_FAILED;
}
// Blacklist specified syscalls
int syscalls_blacklist_length = sizeof(syscalls_blacklist) / sizeof(int);
for (int i = 0; i < syscalls_blacklist_length; i++)
{
if (seccomp_rule_add(ctx, SCMP_ACT_KILL, syscalls_blacklist[i], 0) != 0)
{
seccomp_release(ctx);
return LOAD_SECCOMP_FAILED;
}
}
// load seccomp into the kernel
当我使用 strace 命令跟踪它时,我得到了以下输出:
6885 15:57:14 seccomp(SECCOMP_SET_MODE_STRICT, 0x1, NULL) = -1 EINVAL (Invalid argument)
6885 15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, NULL) = -1 EFAULT (Bad address)
6885 15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_LOG, NULL) = -1 EFAULT (Bad address)
6885 15:57:14 seccomp(SECCOMP_GET_ACTION_AVAIL, 0, [SECCOMP_RET_LOG]) = 0
6885 15:57:14 seccomp(SECCOMP_GET_ACTION_AVAIL, 0, [SECCOMP_RET_KILL_PROCESS]) = 0
6885 15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_SPEC_ALLOW, NULL) = -1 EFAULT (Bad address)
6885 15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, NULL) = -1 EFAULT (Bad address)
6885 15:57:14 seccomp(SECCOMP_GET_NOTIF_SIZES, 0, {seccomp_notif=80, seccomp_notif_resp=24, seccomp_data=64}) = 0
6885 15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC_ESRCH, NULL) = -1 EFAULT (Bad address)
6885 15:57:14 prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
6885 15:57:14 seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=30, filter=0x55a7aaa8b490}) = 0