对 seccomp 的隐式引用
implicit reference to seccomp
问题:
我正在尝试使用 seccomp,但我不明白为什么 gcc 告诉我 seccomp() 函数调用具有隐式声明。
#define _GNU_SOURCE
#include <stddef.h> // offsetof
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/audit.h> // arch
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h> // syscall numbers
struct sock_filter bpfcode[] = {
/* validate the architecture */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 0, 7),
/* load syscall number in the accumulator */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof (struct seccomp_data, nr))),
/* check if the syscall number is allowed */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_nanosleep, 5, 0), // for sleep
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit, 4, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit_group, 3, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_write, 2, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 1, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_rt_sigreturn, 0, 1),
/* allow the sys call */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
};
struct sock_fprog bpf = {
.len = (unsigned short)( sizeof bpfcode / sizeof bpfcode[0] ),
.filter = bpfcode
};
int main(int argc, char **argv)
{
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
printf("prctl no_new_privs\n");
_exit(EXIT_FAILURE);
}
if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &bpf)) {
printf("seccomp");
exit(EXIT_FAILURE);
}
sleep(2);
return 0;
}
WARNING/ERROR: 这是我尝试编译程序时的 gcc 输出。
s.c: In function ‘main’:
s.c:45:6: warning: implicit declaration of function ‘seccomp’ [-Wimplicit-function-declaration]
if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &bpf)) {
^~~~~~~
/tmp/ccYo4APk.o: In function `main':
s.c:(.text+0x65): undefined reference to `seccomp'
collect2: error: ld returned 1 exit status
问题:我还应该包括什么才能让它发挥作用?
编辑: 为什么这个有效而第一个无效?
syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &bpf)
它是 a known issue:没有用于 seccomp 系统调用的 glibc 包装器。
您可能希望使用 prctl(2) 代替 加载 BPF 程序,原因有二:
- glibc 包装器可用于 prctl(2)
- seccomp(2) 系统调用是 only available on Linux v3.5+。
方法如下:
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf);
问题: 我正在尝试使用 seccomp,但我不明白为什么 gcc 告诉我 seccomp() 函数调用具有隐式声明。
#define _GNU_SOURCE
#include <stddef.h> // offsetof
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/audit.h> // arch
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h> // syscall numbers
struct sock_filter bpfcode[] = {
/* validate the architecture */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, arch))),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, AUDIT_ARCH_X86_64, 0, 7),
/* load syscall number in the accumulator */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof (struct seccomp_data, nr))),
/* check if the syscall number is allowed */
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_nanosleep, 5, 0), // for sleep
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit, 4, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_exit_group, 3, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_write, 2, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_read, 1, 0),
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, SYS_rt_sigreturn, 0, 1),
/* allow the sys call */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
};
struct sock_fprog bpf = {
.len = (unsigned short)( sizeof bpfcode / sizeof bpfcode[0] ),
.filter = bpfcode
};
int main(int argc, char **argv)
{
if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) {
printf("prctl no_new_privs\n");
_exit(EXIT_FAILURE);
}
if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &bpf)) {
printf("seccomp");
exit(EXIT_FAILURE);
}
sleep(2);
return 0;
}
WARNING/ERROR: 这是我尝试编译程序时的 gcc 输出。
s.c: In function ‘main’:
s.c:45:6: warning: implicit declaration of function ‘seccomp’ [-Wimplicit-function-declaration]
if (seccomp(SECCOMP_SET_MODE_FILTER, 0, &bpf)) {
^~~~~~~
/tmp/ccYo4APk.o: In function `main':
s.c:(.text+0x65): undefined reference to `seccomp'
collect2: error: ld returned 1 exit status
问题:我还应该包括什么才能让它发挥作用?
编辑: 为什么这个有效而第一个无效?
syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &bpf)
它是 a known issue:没有用于 seccomp 系统调用的 glibc 包装器。
您可能希望使用 prctl(2) 代替 加载 BPF 程序,原因有二:
- glibc 包装器可用于 prctl(2)
- seccomp(2) 系统调用是 only available on Linux v3.5+。
方法如下:
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf);