TechQA.

Run a process from C with a seccomp profile

674 views Asked by At

I want to run a process with a seccomp profile applied to it (can be from C, terminal, etc.). In particular, I would like the target command to not be allowed to read and write any files, and it can just print to the console. The temporary C outline I have is this:

int main() {
    scmp_filter_ctx filter = load_filter();
    seccomp_load(filter);
    // execl([sample command with arguments], 0);
    execl("ls", 0)
}

The problem I am having is that the execl uses some sys calls that are blocked in my profile. How can I ensure that the only gets applied only to the [sample command with arguments]. Again, this does not have to be in C. Basically, I want to run some executables, and apply seccomp to those processes. I am using Ubuntu 18.04.

linux system-calls seccomp
Original Q&A
3

There are 3 answers

0
Grzegorz Wierzowiecki On

exec* calls are frontend to execve, which implementation in user space looks like this:

int execve(const char *filename, char * const argv[], char * const envp[]) {
    return syscall(SYS_execve, filename, argv, envp);
}

ref: https://stackoverflow.com/a/7381910/544721

Therefore, you may want to instrument your desired binary to execute seccomp filters code after being loaded. e.g. via binary instrumentation (to add extra code) of actual binary.

0
mtk On

This is not a simple problem. As already pointed out, execl() is a library function that calls execve(2). However, presuming that the program you are launching is dynamically linked (e.g., ls as above), your seccomp filter would also need to allow all of the system calls that the dynamic linker (ld.so(8)) employs to load shared libraries needed by the program. Examples of such system calls (which may vary according to the version of the dynamic linker on your system) are access(), openat(), close(), read(), mmap(), mprotect(), and more. (You can see examples of those systems calls by doing an strace(1) of a simple "hello world" C program.

As Grzegorz Wierzowiecki points out, your only really alternative is to instrument (modify) the target program so that it loads a filter after it has been launched. (There are tricks involving the use of LD_PRELOAD, but these are not foolproof.)

2
Petter On

You could write your seccomp filter so that it only allows that exact call to execve. It is possible to check arguments for equality.

Related Questions in LINUX

Related Questions in SYSTEM-CALLS

Related Questions in SECCOMP

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions