├── README.md
├── .gitignore
├── .idea
├── CvmSeccomp.iml
├── misc.xml
├── .gitignore
├── vcs.xml
└── modules.xml
├── library.h
├── CMakeLists.txt
└── library.c
/README.md:
--------------------------------------------------------------------------------
1 | # CvmSeccomp
2 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | /cmake-build-debug
2 |
--------------------------------------------------------------------------------
/.idea/CvmSeccomp.iml:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/library.h:
--------------------------------------------------------------------------------
#ifndef CVMSECCOMP_LIBRARY_H
#define CVMSECCOMP_LIBRARY_H

/*
 * Public interface of the CvmSeccomp shared library.
 *
 * NOTE: the seccomp filter and SIGSYS handler in library.c are installed by a
 * constructor function (InitCvmSeccomp) and are not declared here, so loading
 * the library changes process-wide state without any call through this header.
 */

/* Prints "Hello, World!" followed by a newline to standard output. */
void hello(void);

#endif //CVMSECCOMP_LIBRARY_H
7 |
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # 默认忽略的文件
2 | /shelf/
3 | /workspace.xml
4 | # 基于编辑器的 HTTP 客户端请求
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 |
--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/.idea/modules.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/CMakeLists.txt:
--------------------------------------------------------------------------------
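cmake_minimum_required(VERSION 3.26)

# Cross-compilation toolchain (Android NDK).
#
# The NDK location can be supplied with -DANDROID_NDK=<path> or through the
# ANDROID_NDK_HOME / ANDROID_NDK_ROOT environment variables. The original
# developer-machine path is kept only as a last-resort default so existing
# builds keep working; a hard-coded per-user path makes the build
# non-reproducible and publishes a local account name.
if(NOT DEFINED ANDROID_NDK)
  if(DEFINED ENV{ANDROID_NDK_HOME})
    set(ANDROID_NDK "$ENV{ANDROID_NDK_HOME}")
  elseif(DEFINED ENV{ANDROID_NDK_ROOT})
    set(ANDROID_NDK "$ENV{ANDROID_NDK_ROOT}")
  else()
    set(ANDROID_NDK "C:/Users/Ccccccccvm/AppData/Local/Android/Sdk/ndk/25.1.8937393")
  endif()
endif()
# Environment values on Windows may use backslashes; normalise them.
file(TO_CMAKE_PATH "${ANDROID_NDK}" ANDROID_NDK)

# The toolchain file is CMake code executed at configure time, so it must come
# from an NDK installation you trust. It has to be set before project().
if(NOT DEFINED CMAKE_TOOLCHAIN_FILE)
  set(CMAKE_TOOLCHAIN_FILE "${ANDROID_NDK}/build/cmake/android.toolchain.cmake")
endif()
if(NOT EXISTS "${CMAKE_TOOLCHAIN_FILE}")
  message(FATAL_ERROR
    "Android toolchain file not found: ${CMAKE_TOOLCHAIN_FILE}\n"
    "Pass -DANDROID_NDK=<path to the NDK> or set ANDROID_NDK_HOME.")
endif()

# Target ABI and API level; both are read by the NDK toolchain file, so they
# are set before project(). library.c contains AArch64 inline assembly and
# reads AArch64 register slots, so arm64-v8a is the only ABI it is written for.
if(NOT DEFINED ANDROID_ABI)
  set(ANDROID_ABI "arm64-v8a")
endif()
if(NOT DEFINED ANDROID_PLATFORM)
  set(ANDROID_PLATFORM 29)
endif()

project(CvmSeccomp C)

set(CMAKE_C_STANDARD 11)
set(CMAKE_C_STANDARD_REQUIRED ON)

add_library(CvmSeccomp SHARED library.c)

# Scoped to the target instead of the whole directory (was add_definitions).
target_compile_definitions(CvmSeccomp PRIVATE HAVE_SECCOMP_FILTER)

# Surface format-string and integer-conversion mistakes at compile time; the
# library runs code inside a signal handler, where such mistakes are hard to
# diagnose at run time.
target_compile_options(CvmSeccomp PRIVATE -Wall -Wextra)

# Android logging library (liblog); fail the configure step if it is missing
# rather than passing "log-lib-NOTFOUND" to the linker.
find_library(log-lib log REQUIRED)
target_link_libraries(CvmSeccomp PRIVATE ${log-lib})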
--------------------------------------------------------------------------------
/library.c:
--------------------------------------------------------------------------------
1 | #include "library.h"
2 |
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 |
/*
 * Marker value that sig_handler places in otherwise-unused syscall argument
 * slots when it re-issues a trapped call. The seccomp filter built in
 * InitCvmSeccomp compares one argument slot against it and allows the call
 * when it matches, which is what keeps the re-issued call from trapping again.
 *
 * NOTE(review): the filter uses 32-bit BPF loads (BPF_W) and a 32-bit
 * immediate, so only the low 32 bits of this 40-bit constant (0xD4A50FFF) are
 * actually compared.
 * NOTE(review): this is an in-process convention, not a secret. Any code in
 * the process that passes the same value in the checked slot also skips the
 * trap, so the filter should not be treated as a security boundary.
 */
#define SECMAGIC 0xE8D4A50FFF
/* Log tag passed to __android_log_print. */
#define TAG "CvmSeccomp"
15 |
/* Writes the greeting line to standard output. */
void hello(void) {
    fputs("Hello, World!\n", stdout);
}
19 |
20 | uint64_t
21 | OriSyscall(uint64_t num, uint64_t SYSARG_1, uint64_t SYSARG_2, uint64_t SYSARG_3,
22 | uint64_t SYSARG_4, uint64_t SYSARG_5,
23 | uint64_t SYSARG_6) {
24 | uint64_t x0;
25 | __asm__ volatile (
26 | "mov x8, %1\n\t"
27 | "mov x0, %2\n\t"
28 | "mov x1, %3\n\t"
29 | "mov x2, %4\n\t"
30 | "mov x3, %5\n\t"
31 | "mov x4, %6\n\t"
32 | "mov x5, %7\n\t"
33 | "svc #0\n\t"
34 | "mov %0, x0\n\t"
35 | :"=r"(x0)
36 | :"r"(num), "r"(SYSARG_1), "r"(SYSARG_2), "r"(SYSARG_3), "r"(SYSARG_4), "r"(SYSARG_5), "r"(SYSARG_6)
37 | :"x8", "x0", "x1", "x2", "x3", "x4", "x4", "x5"
38 | );
39 | return x0;
40 |
41 | }
42 |
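/*
 * SIGSYS handler for system calls trapped by the seccomp filter.
 *
 * signo  signal number (unused)
 * info   siginfo for the signal; only si_code is inspected
 * data   ucontext_t of the interrupted thread; x8 holds the syscall number
 *        and x0..x5 the arguments
 *
 * For openat and fstat the handler logs the path involved, re-issues the call
 * through OriSyscall with SECMAGIC in unused argument slots (so the filter
 * lets it through), and stores the raw result in the saved x0 so the
 * interrupted code sees it as the syscall's return value.
 *
 * NOTE(review): snprintf and __android_log_print are not async-signal-safe.
 * The trap is delivered synchronously at the syscall site, but a trapped call
 * made from inside a non-reentrant routine could still misbehave here.
 * NOTE(review): the handler is installed with every signal blocked, SIGSYS
 * included. If anything called from here issued a filtered syscall without
 * the marker, the kernel could not deliver the nested SIGSYS and would
 * presumably terminate the process instead; verify what liblog does.
 * NOTE(review): every opened path is written to the Android log at DEBUG
 * level, which exposes file-access patterns to anything able to read the log.
 */
void sig_handler(int signo, siginfo_t *info, void *data) {
    (void) signo;

    /*
     * Only act on SIGSYS raised by seccomp. A SIGSYS sent with kill() or
     * raise() carries no syscall context; treating the interrupted thread's
     * registers as syscall arguments would re-issue an arbitrary call and
     * overwrite x0.
     */
    if (info == NULL || info->si_code != SYS_SECCOMP || data == NULL) {
        return;
    }

    ucontext_t *ctx = (ucontext_t *) data;
    unsigned long syscall_number = ctx->uc_mcontext.regs[8];
    unsigned long SYSARG_1 = ctx->uc_mcontext.regs[0];
    unsigned long SYSARG_2 = ctx->uc_mcontext.regs[1];
    unsigned long SYSARG_3 = ctx->uc_mcontext.regs[2];
    unsigned long SYSARG_4 = ctx->uc_mcontext.regs[3];

    switch (syscall_number) {
        case __NR_openat: {
            /*
             * NOTE(review): the pointer comes straight from the caller's
             * register. If it is invalid, formatting it with %s faults inside
             * the handler, where the kernel would simply have returned EFAULT.
             */
            char *path = (char *) SYSARG_2;
            __android_log_print(ANDROID_LOG_DEBUG, TAG, "__NR_openat path = %s", path);
            /* args[4] carries the marker the filter checks for openat. */
            ctx->uc_mcontext.regs[0] = OriSyscall(__NR_openat, SYSARG_1, SYSARG_2, SYSARG_3, SYSARG_4,
                                                  SECMAGIC, SECMAGIC);
            break;
        }

        case __NR_fstat: {
            char link_path[64];
            char target[PATH_MAX];
            const char *shown = link_path;

            /* The descriptor is an int; pass it as one to match %d. */
            snprintf(link_path, sizeof(link_path), "/proc/self/fd/%d", (int) SYSARG_1);

            /*
             * readlink does not NUL-terminate and may fail. Use a separate
             * output buffer, leave room for the terminator, and fall back to
             * the /proc path when the link cannot be resolved.
             */
            ssize_t len = readlink(link_path, target, sizeof(target) - 1);
            if (len >= 0) {
                target[len] = '\0';
                shown = target;
            }
            __android_log_print(ANDROID_LOG_DEBUG, TAG, "__NR_fstat path = %s", shown);
            /* args[2] carries the marker the filter checks for fstat. */
            ctx->uc_mcontext.regs[0] = OriSyscall(__NR_fstat, SYSARG_1, SYSARG_2, SECMAGIC, SECMAGIC,
                                                  SECMAGIC, SECMAGIC);
            break;
        }

        default:
            break;
    }
}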
79 |
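/*
 * Library constructor: installs the SIGSYS handler and then a seccomp-BPF
 * filter that traps fstat and openat unless the call carries SECMAGIC in a
 * spare argument slot. Every other syscall is allowed.
 *
 * Side effects on the loading process:
 *   - the SIGSYS disposition is replaced by sig_handler;
 *   - PR_SET_NO_NEW_PRIVS is set, which cannot be undone;
 *   - the seccomp filter, once installed, cannot be removed.
 *
 * NOTE(review): prctl(PR_SET_SECCOMP) filters the calling thread and threads
 * created from it afterwards. Threads that already exist when the library is
 * loaded are presumably not covered; confirm against how it is loaded.
 * NOTE(review): the filter never inspects seccomp_data.arch. Seccomp filters
 * normally check it first, because syscall numbers differ between ABIs.
 * NOTE(review): this is a default-allow filter used for call interception;
 * it does not restrict what the process can do.
 */
__attribute__((__constructor__)) void InitCvmSeccomp(void) {
    /*
     * Instruction layout (index: action):
     *   0  load nr
     *   1  nr == fstat  ? fall through to 2 : jump to 4
     *   2  load low 32 bits of args[2]
     *   3  == marker    ? jump to 8 (ALLOW) : jump to 9 (TRAP)
     *   4  load nr
     *   5  nr == openat ? fall through to 6 : jump to 8 (ALLOW)
     *   6  load low 32 bits of args[4]
     *   7  == marker    ? fall through to 8 (ALLOW) : jump to 9 (TRAP)
     *   8  ALLOW
     *   9  TRAP
     *
     * BPF immediates and BPF_W loads are 32 bits wide, so only the low word
     * of SECMAGIC takes part in the comparison; the cast makes that explicit
     * instead of relying on silent truncation of the 40-bit constant.
     *
     * Rules for __NR_newfstatat, __NR_statfs and __NR_faccessat existed in an
     * earlier draft and are currently disabled.
     */
    struct sock_filter filter[] = {
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fstat, 0, 2),
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
            /* args[2] equals the marker: do not intercept, go to SECCOMP_RET_ALLOW */
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t) SECMAGIC, 4, 5),

            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 2),
            BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[4])),
            /* args[4] equals the marker: do not intercept, go to SECCOMP_RET_ALLOW */
            BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t) SECMAGIC, 0, 1),

            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
            BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP) /* kernel sends SIGSYS */
    };
    struct sock_fprog prog;
    prog.filter = filter;
    prog.len = (unsigned short) (sizeof(filter) / sizeof(filter[0]));

    /* Zero the whole struct so no field is handed to the kernel uninitialised. */
    struct sigaction sa = {0};
    /* All signals, SIGSYS included, stay blocked while the handler runs. */
    sigfillset(&sa.sa_mask);
    sa.sa_sigaction = sig_handler;
    sa.sa_flags = SA_SIGINFO;

    /* The handler must be in place before the filter can raise SIGSYS. */
    if (sigaction(SIGSYS, &sa, NULL) == -1) {
        __android_log_print(ANDROID_LOG_ERROR, TAG, "InitCvmSeccomp Fail: sigaction(SIGSYS)");
        return;
    }
    /* Required for an unprivileged process to install a seccomp filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
        __android_log_print(ANDROID_LOG_ERROR, TAG, "InitCvmSeccomp Fail: PR_SET_NO_NEW_PRIVS");
        return;
    }
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) {
        __android_log_print(ANDROID_LOG_ERROR, TAG, "InitCvmSeccomp Fail: PR_SET_SECCOMP");
        return;
    }
    __android_log_print(ANDROID_LOG_DEBUG, TAG, "InitCvmSeccomp Successes");
}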
--------------------------------------------------------------------------------