
@logikal
Created November 7, 2017 17:57
seccomp & bpf support between cent6 and cent7
[vagrant@seccomp-centos-6-chef-12-kitchen ~]$ cat /etc/redhat-release
CentOS release 6.8 (Final)
[vagrant@seccomp-centos-6-chef-12-kitchen ~]$ uname -a
Linux seccomp-centos-6-chef-12-kitchen.vagrantup.com 2.6.32-642.4.2.el6.x86_64 #1 SMP Tue Aug 23 19:58:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[vagrant@seccomp-centos-6-chef-12-kitchen ~]$ gcc -H -fsyntax-only test.c
. /usr/lib/gcc/x86_64-redhat-linux/4.4.7/include/stdbool.h
. /usr/include/stdio.h
.. /usr/include/features.h
... /usr/include/sys/cdefs.h
.... /usr/include/bits/wordsize.h
... /usr/include/gnu/stubs.h
.... /usr/include/bits/wordsize.h
.... /usr/include/gnu/stubs-64.h
.. /usr/lib/gcc/x86_64-redhat-linux/4.4.7/include/stddef.h
.. /usr/include/bits/types.h
... /usr/include/bits/wordsize.h
... /usr/include/bits/typesizes.h
.. /usr/include/libio.h
... /usr/include/_G_config.h
.... /usr/lib/gcc/x86_64-redhat-linux/4.4.7/include/stddef.h
.... /usr/include/wchar.h
... /usr/lib/gcc/x86_64-redhat-linux/4.4.7/include/stdarg.h
.. /usr/include/bits/stdio_lim.h
.. /usr/include/bits/sys_errlist.h
test.c:3:27: error: linux/seccomp.h: No such file or directory
Multiple include guards may be useful for:
/usr/include/bits/stdio_lim.h
/usr/include/bits/sys_errlist.h
/usr/include/bits/typesizes.h
/usr/include/gnu/stubs-64.h
/usr/include/gnu/stubs.h
/usr/include/wchar.h
[vagrant@seccomp-centos-7-chef-12-kitchen ~]$ cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[vagrant@seccomp-centos-7-chef-12-kitchen ~]$ uname -a
Linux seccomp-centos-7-chef-12-kitchen.vagrantup.com 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[vagrant@seccomp-centos-7-chef-12-kitchen ~]$ gcc -H -fsyntax-only test.c
. /usr/lib/gcc/x86_64-redhat-linux/4.8.5/include/stdbool.h
. /usr/include/stdio.h
.. /usr/include/features.h
... /usr/include/sys/cdefs.h
.... /usr/include/bits/wordsize.h
... /usr/include/gnu/stubs.h
.... /usr/include/gnu/stubs-64.h
.. /usr/lib/gcc/x86_64-redhat-linux/4.8.5/include/stddef.h
.. /usr/include/bits/types.h
... /usr/include/bits/wordsize.h
... /usr/include/bits/typesizes.h
.. /usr/include/libio.h
... /usr/include/_G_config.h
.... /usr/lib/gcc/x86_64-redhat-linux/4.8.5/include/stddef.h
.... /usr/include/wchar.h
... /usr/lib/gcc/x86_64-redhat-linux/4.8.5/include/stdarg.h
.. /usr/include/bits/stdio_lim.h
.. /usr/include/bits/sys_errlist.h
. /usr/include/linux/seccomp.h
.. /usr/include/linux/types.h
... /usr/include/asm/types.h
.... /usr/include/asm-generic/types.h
..... /usr/include/asm-generic/int-ll64.h
...... /usr/include/asm/bitsperlong.h
....... /usr/include/asm-generic/bitsperlong.h
... /usr/include/linux/posix_types.h
.... /usr/include/linux/stddef.h
.... /usr/include/asm/posix_types.h
..... /usr/include/asm/posix_types_64.h
...... /usr/include/asm-generic/posix_types.h
Multiple include guards may be useful for:
/usr/include/asm/posix_types.h
/usr/include/bits/stdio_lim.h
/usr/include/bits/sys_errlist.h
/usr/include/bits/typesizes.h
/usr/include/gnu/stubs-64.h
/usr/include/gnu/stubs.h
/usr/include/linux/stddef.h
/usr/include/wchar.h
[vagrant@seccomp-centos-7-chef-12-kitchen ~]$ gcc seccomp.c
[vagrant@seccomp-centos-7-chef-12-kitchen ~]$ ./a.out
seccomp available
seccomp filter available
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>
/*
 * Report whether the running kernel offers seccomp and seccomp-BPF filtering.
 *
 * Both checks are passive: PR_GET_SECCOMP only queries the current mode, and
 * the PR_SET_SECCOMP call passes a NULL filter pointer, so it is expected to
 * fail and no filter is ever installed by this program.
 *
 * Exit status is 0 whenever the probe reaches a definite answer (available or
 * not) and 1 on an unexpected errno or if the NULL-filter call succeeds.
 *
 * NOTE(review): a positive result only says the kernel accepts the filter
 * mode. A process that wants a real sandbox must still load a valid BPF
 * program and check that call's return value; prctl(2) also documents a
 * no_new_privs / CAP_SYS_ADMIN precondition for installing filters.
 */
int main(void)
{
    /* Step 1: is the seccomp prctl interface present at all? */
    if (prctl(PR_GET_SECCOMP, 0, 0, 0, 0) < 0) {
        const int query_errno = errno;

        if (query_errno == ENOSYS) {
            printf("seccomp not available: pre-2.6.23\n");
            return 0;
        }
        if (query_errno == EINVAL) {
            printf("seccomp not available: not built in\n");
            return 0;
        }
        fprintf(stderr, "unknown PR_GET_SECCOMP error: %s\n",
                strerror(query_errno));
        return 1;
    }
    printf("seccomp available\n");

    /*
     * Step 2: ask for filter mode with a deliberately invalid (NULL) filter.
     * EINVAL is read as "filter mode not recognised"; EFAULT is read as "mode
     * recognised, the kernel went on to read the filter and hit the bad
     * pointer", i.e. filter support exists.
     */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) < 0) {
        const int probe_errno = errno;

        if (probe_errno == EINVAL) {
            printf("seccomp filter not available\n");
            return 0;
        }
        if (probe_errno == EFAULT) {
            printf("seccomp filter available\n");
            return 0;
        }
        fprintf(stderr, "unknown PR_SET_SECCOMP error: %s\n",
                strerror(probe_errno));
        return 1;
    }

    /* A NULL filter must never be accepted; treat success as a failure. */
    printf("PR_SET_SECCOMP unexpectedly succeeded?!\n");
    return 1;
}
#include <stdbool.h>
#include <stdio.h>
#include <linux/seccomp.h>