是否可以编写一个 seccomp-BPF 程序来过滤系统调用指令指针?例如,要杀死不是从libc.
问问题
250 次
1 回答
1
根据@Qeole 的评论,我实现了这样的 BPF 程序:
/* https://github.com/redpig/seccomp/blob/master/tests/resumption.c */
unsigned long lib_start = 0x700000000000;
struct sock_filter filter[] = {
/* [0] Load higher 4 bytes of the instruction pointer. */
BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
(offsetof(struct seccomp_data, instruction_pointer)) + sizeof(int)),
BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, ((__u32*)&lib_start)[1], 0, 1),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
于 2020-05-19T14:13:40.520 回答