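"""Run a command under a restrictive seccomp-bpf syscall filter.

The filter is built with libseccomp's Python bindings and loaded in the child
between fork() and execve() (Popen's ``preexec_fn``).  seccomp filters are
inherited across execve, so the rules apply to the target program and to
anything it execs in turn.  Every syscall not listed in ``RULES`` (or the
clone() rule) hits the default action, KILL.
"""
from subprocess import Popen
from seccomp import (
    SyscallFilter,
    KILL as S_KILL,
    ALLOW as S_ALLOW,
    Arg,
    MASKED_EQ,
)

# SCMP_ACT_ERRNO with errno 0 (0x00050000 | 0): the syscall is *not* executed
# and the caller sees a return value of 0 -- apparent success with a zero
# result (getuid() == 0, socket() == 0, uname() leaving its buffer untouched).
# NOTE(review): if the intent is to make these calls fail, build the action
# with seccomp.ERRNO(errno.EPERM) instead -- confirm which behaviour the
# sandboxed programs rely on before changing it.
S_ERRNO = 0x00050000

# clone(2) flag bits, values as in <linux/sched.h>.
CLONE_PARENT_SETTID = 0x00100000  # defined but not permitted by the clone rule
CLONE_CHILD_CLEARTID = 0x00200000
CLONE_CHILD_SETTID = 0x01000000
SIGCHLD = 17

# The only clone() flag combination that is let through: the one glibc's
# fork() passes.  (The original expression OR-ed CLONE_CHILD_CLEARTID twice;
# the value is unchanged.)
FORK_CLONE_FLAGS = CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD

# Bits of clone()'s first argument that must be zero.  MASKED_EQ checks
# (arg0 & disabled_bits) == 0, so any other flag -- CLONE_VM/CLONE_THREAD
# (thread creation), CLONE_NEW* (namespaces), CLONE_PARENT_SETTID -- rejects
# the call while a plain fork() passes.
disabled_bits = (2**64 - 1) & ~FORK_CLONE_FLAGS

# (action, syscall) pairs.  Grouped by theme; each syscall is listed once, so
# insertion order does not affect the resulting filter.
RULES = [
    # process lifecycle
    (S_ALLOW, "exit"),
    (S_ALLOW, "exit_group"),
    # filesystem.  open/openat/write/mkdir are allowed unconditionally, so
    # this filter does not confine *which* paths are touched; path
    # confinement has to come from elsewhere (file permissions, chroot,
    # mount namespaces).
    (S_ALLOW, "chdir"),
    (S_ALLOW, "getcwd"),
    (S_ALLOW, "fchdir"),
    (S_ALLOW, "mkdir"),
    (S_ALLOW, "read"),
    (S_ALLOW, "write"),
    (S_ALLOW, "lseek"),
    (S_ALLOW, "open"),
    (S_ALLOW, "openat"),
    (S_ALLOW, "close"),
    (S_ALLOW, "readlink"),
    (S_ALLOW, "getxattr"),
    (S_ALLOW, "lgetxattr"),
    (S_ALLOW, "lstat"),
    (S_ALLOW, "fstat"),
    (S_ALLOW, "stat"),
    (S_ALLOW, "statfs"),
    (S_ALLOW, "getdents"),
    (S_ALLOW, "access"),
    (S_ERRNO, "fadvise64"),  # stubbed: returns 0 without doing anything
    # memory management
    (S_ALLOW, "brk"),
    (S_ALLOW, "mmap"),
    (S_ALLOW, "munmap"),
    (S_ALLOW, "mprotect"),
    # descriptor / process control: stubbed to return 0 (see S_ERRNO note)
    (S_ERRNO, "ioctl"),
    (S_ERRNO, "prctl"),
    (S_ERRNO, "fcntl"),
    (S_ALLOW, "arch_prctl"),
    # identity queries: stubbed, so they all report 0
    (S_ERRNO, "getuid"),
    (S_ERRNO, "getgid"),
    (S_ERRNO, "geteuid"),
    (S_ERRNO, "getegid"),
    (S_ERRNO, "getpid"),
    (S_ERRNO, "getppid"),
    (S_ERRNO, "getpgrp"),
    (S_ERRNO, "getsid"),
    # signals: stubbed, so handlers are never actually installed
    (S_ERRNO, "rt_sigprocmask"),
    (S_ERRNO, "rt_sigaction"),
    # resource limits
    (S_ALLOW, "getrlimit"),
    (S_ERRNO, "setrlimit"),
    (S_ERRNO, "uname"),
    # networking: stubbed rather than killed (the calls "succeed" with 0)
    (S_ERRNO, "socket"),
    (S_ERRNO, "connect"),
    (S_ERRNO, "sendto"),
    # time
    (S_ALLOW, "nanosleep"),
    (S_ALLOW, "gettimeofday"),
    (S_ERRNO, "alarm"),
    # TODO: needed because of subprocess.  The filter survives the execve,
    # so the exec'd program runs under the same rules.
    (S_ALLOW, "execve"),
    # TODO: needed for bash
    (S_ALLOW, "dup"),
    (S_ALLOW, "dup2"),
    (S_ALLOW, "wait4"),
    (S_ALLOW, "pipe"),
    (S_ALLOW, "select"),
    # threading/TLS bookkeeping; an earlier revision stubbed these with
    # S_ERRNO, they are now allowed.
    (S_ALLOW, "futex"),
    (S_ALLOW, "set_tid_address"),
    (S_ALLOW, "set_robust_list"),
]

# Default action KILL (SCMP_ACT_KILL) terminates the *thread* that made the
# disallowed call.  NOTE(review): where the installed libseccomp offers
# KILL_PROCESS, that is the safer default for sandboxees that may be
# multi-threaded.
f = SyscallFilter(defaction=S_KILL)
for action, syscall in RULES:
    f.add_rule(action, syscall)

# clone() only with fork()-style flags; every other bit of arg0 must be clear.
f.add_rule(S_ALLOW, "clone", Arg(0, MASKED_EQ, disabled_bits, 0))

# The program to confine.  (A leftover "bash -c ..." assignment that was
# immediately overwritten has been dropped.)
cmd = ["./test.py"]


def setup():
    """Load the seccomp filter into the child, between fork() and execve()."""
    f.load()


# close_fds=False keeps the parent's descriptors open in the sandboxed child.
# NOTE(review): anything beyond stdin/stdout/stderr leaks into the sandbox;
# use close_fds=True unless the child genuinely needs inherited descriptors.
p = Popen(cmd, close_fds=False, shell=False, preexec_fn=setup)
# print() with a single argument prints the same under Python 2 and 3.
print(p.wait())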