runner.c

#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <seccomp.h>
#include <sys/types.h>
#include <wait.h>

int main(int argc, char *argv[])
{
	int rc;
	scmp_filter_ctx ctx = NULL;

	if (rc < 0)
		goto out;

	ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL)
		return ENOMEM;

	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 1,
				    SCMP_A0(SCMP_CMP_EQ, STDIN_FILENO));
	if (rc != 0)
		goto out;

	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 1,
				    SCMP_A0(SCMP_CMP_EQ, STDOUT_FILENO));
	if (rc != 0)
		goto out;

	rc = seccomp_rule_add_exact(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
	if (rc != 0)
		goto out;

	rc = seccomp_rule_add_exact(ctx,
				    SCMP_ACT_ALLOW, SCMP_SYS(rt_sigreturn), 0);
	if (rc != 0)
		goto out;

	pid_t pid = fork();
	if (!pid) {
		char *exec = "/home/ileonte/Work/projects/install/test_execd";
		char *args[] = { exec, NULL };

		rc = seccomp_load(ctx);
		if (rc) {
			printf("Failed to set filter\n");
			goto out;
		}

		execvp(exec, args);
		perror("exec()");
		exit(255);
	}
	int ret;
	waitpid(pid, &ret, 0);
	if (WIFEXITED(ret)) {
		printf("EXITOK: %d\n", WEXITSTATUS(ret));
	} else if (WIFSIGNALED(ret)) {
		printf("SIGNALED: %d\n", WTERMSIG(ret));
	} else {
		printf("DONE, UNKNOWN\n");
	}

out:
	seccomp_release(ctx);
	return (rc < 0 ? -rc : rc);
}