diff --git a/Makefile b/Makefile deleted file mode 100644 index 633deec..0000000 --- a/Makefile +++ /dev/null @@ -1,8 +0,0 @@ -CC ?= gcc -PREFIX ?= /usr/local - -sandbox.so: sandbox.c - $(CC) $^ $(CFLAGS) -fPIC -ldl -shared -lseccomp -o $@ - -clean: - rm -f sandbox.so diff --git a/readme b/readme index fa88ded..f4e9d26 100644 --- a/readme +++ b/readme @@ -1,4 +1,3 @@ -make sudo python setup.py install touch in out gcc test.c -o test diff --git a/sandbox.c b/sandbox.c deleted file mode 100644 index fe59291..0000000 --- a/sandbox.c +++ /dev/null @@ -1,90 +0,0 @@ -//////////////////////////////////////////////////////////////////////////////// -// Copyright (C) 2012-2015 Jun Wu -// -// Permission is hereby granted, free of charge, to any person obtaining a copy -// of this software and associated documentation files (the "Software"), to deal -// in the Software without restriction, including without limitation the rights -// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -// copies of the Software, and to permit persons to whom the Software is -// furnished to do so, subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in -// all copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -// THE SOFTWARE. -//////////////////////////////////////////////////////////////////////////////// - -#define _BSD_SOURCE // readlink -#include -#include // exit -#include // strstr, memset -#include // ElfW -#include // EPERM -#include // readlink -#include -#include -int syscalls_whitelist[] = {SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fstat), - SCMP_SYS(mmap), SCMP_SYS(mprotect), SCMP_SYS(munmap), - SCMP_SYS(brk), SCMP_SYS(access), SCMP_SYS(exit_group)}; -typedef int (*main_t)(int, char **, char **); - -#ifndef __unbounded -# define __unbounded -#endif - -int __libc_start_main(main_t main, int argc, - char *__unbounded *__unbounded ubp_av, - ElfW(auxv_t) *__unbounded auxvec, - __typeof (main) init, - void (*fini) (void), - void (*rtld_fini) (void), void *__unbounded - stack_end) -{ - - int i; - ssize_t len; - void *libc; - int whitelist_length = sizeof(syscalls_whitelist) / sizeof(int); - scmp_filter_ctx ctx = NULL; - int (*libc_start_main)(main_t main, - int, - char *__unbounded *__unbounded, - ElfW(auxv_t) *, - __typeof (main), - void (*fini) (void), - void (*rtld_fini) (void), - void *__unbounded stack_end); - - // Get __libc_start_main entry point - libc = dlopen("libc.so.6", RTLD_LOCAL | RTLD_LAZY); - if (!libc) { - exit(1); - } - - libc_start_main = dlsym(libc, "__libc_start_main"); - if (!libc_start_main) { - exit(2); - } - - ctx = seccomp_init(SCMP_ACT_KILL); - if (!ctx) { - exit(3); - } - for(i = 0; i < whitelist_length; i++) { - if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, syscalls_whitelist[i], 0)) { - exit(4); - } - } - if (seccomp_load(ctx)) { - exit(5); - } - seccomp_release(ctx); - return ((*libc_start_main)(main, argc, ubp_av, auxvec, - init, fini, rtld_fini, stack_end)); -}