seccomp: add sigHandler for seccomp-init

Signed-off-by: hanen mizouni <[email protected]>
outscale · May 10, 2020 · b6c790f · b6c790f
1 parent c68feaa
commit b6c790f
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/include/packetgraph/common.h b/include/packetgraph/common.h
@@ -65,5 +65,5 @@ static inline enum pg_side pg_flip_side(enum pg_side side)
  * @return 0 if the filter has been correctly build, -1 on the contrary.
  */
 int pg_init_seccomp(void);
-
+int pg_install_filter(void);
 #endif /* _PG_COMMON_H */
diff --git a/src/seccomp.c b/src/seccomp.c
@@ -17,8 +17,13 @@
 
 #include <packetgraph/common.h>
 #include <packetgraph/seccomp-bpf.h>
+#include <errno.h>
+#define _GNU_SOURCE
+#include <signal.h>
+#include <sys/types.h>
+#include <unistd.h>
 
-int pg_init_seccomp(void)
+int pg_install_filter(void)
 {
 	struct sock_filter filter[] = {
 		VALIDATE_ARCHITECTURE,
@@ -95,3 +100,31 @@ int pg_init_seccomp(void)
 		return -1;
 	return 0;
 }
+static void sigHandler(int sig)
+{
+	printf("SIGSYS!\n");
+}
+int pg_init_seccomp(void)
+{
+struct sigaction act;
+	int check = 0;
+	/* Set up seccomp filter */
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)){
+		printf("prctl\n");
+		check = -1;
+	}
+	/*install filter*/
+	check = pg_install_filter();
+	/* Establish handler for SIGSYS */
+	act.sa_flags = 0;
+	act.sa_handler = sigHandler;
+	sigemptyset(&act.sa_mask);
+	if (sigaction(SIGSYS, &act, NULL) == -1){
+		printf("sigaction");
+		check = -1;
+	}
+	printf("About to call getppid()\n");
+	(void) getppid();   /* Results in SIGSYS; system call is not executed */
+	printf("Bye\n");
+	return check;
+}