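#include <errno.h>
#include <seccomp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Launcher that installs a seccomp filter denying the socket-level syscalls
 * used for network I/O and then execs the target program, so the target (and
 * every process it spawns) runs without egress network access.
 *
 * Design: blocklist mode. The default action is SCMP_ACT_ALLOW and only the
 * syscalls in blocked_syscalls are denied (they fail with EPERM). socket,
 * bind and listen are deliberately left open because CUDA needs them; for the
 * goal of cutting egress that is acceptable, since a socket that can neither
 * connect nor send/recv is of little use. The filter survives execve and is
 * inherited by all descendants; libseccomp enables no_new_privs by default
 * when the filter is loaded, so a setuid target cannot shed it.
 *
 * Caveat of a blocklist: anything not listed stays permitted. In particular,
 * I/O submitted through io_uring_enter never hits these syscalls, and on
 * 32-bit x86 the multiplexed socketcall syscall carries the same operations.
 * Extend the table (or switch to an allowlist) if those matter for the
 * deployment.
 *
 * Usage: <launcher> <program> [args...]
 * Exit status: EXIT_FAILURE on bad usage, on any failure to build or load the
 * filter, or if exec fails. On success main() does not return.
 */

/* Syscalls denied with EPERM. Blocking connect alone would stop most egress;
 * the rest close the obvious paths for sockets that were inherited or set up
 * by other means. accept4/sendmmsg/recvmmsg are the modern variants of
 * accept/sendmsg/recvmsg and must be denied alongside them, or the denial is
 * trivially incomplete. */
static const int blocked_syscalls[] = {
    SCMP_SYS(connect),
    SCMP_SYS(accept),
    SCMP_SYS(accept4),
    SCMP_SYS(send),
    SCMP_SYS(sendto),
    SCMP_SYS(sendmsg),
    SCMP_SYS(sendmmsg),
    SCMP_SYS(recv),
    SCMP_SYS(recvfrom),
    SCMP_SYS(recvmsg),
    SCMP_SYS(recvmmsg),
    SCMP_SYS(setsockopt),
    SCMP_SYS(getsockopt),
};

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <program> [args...]\n", argv[0]);
        return EXIT_FAILURE;
    }

    /* Blocklist mode: everything is allowed unless a rule says otherwise. */
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
    if (ctx == NULL) {
        perror("seccomp_init");
        return EXIT_FAILURE;
    }

    /* Every rule is checked: if one fails to add and we carry on, the filter
     * loads with a hole in it and the launcher reports success while not
     * doing its job. Fail closed instead. libseccomp returns a negative errno
     * value rather than setting errno, hence strerror(-rc).
     * NOTE(review): on architectures where send/recv are not real syscalls
     * libseccomp is believed to skip the rule rather than fail — confirm for
     * the libseccomp version in use. */
    for (size_t i = 0; i < sizeof blocked_syscalls / sizeof blocked_syscalls[0]; i++) {
        int rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), blocked_syscalls[i], 0);
        if (rc < 0) {
            fprintf(stderr, "seccomp_rule_add(syscall %d): %s\n",
                    blocked_syscalls[i], strerror(-rc));
            seccomp_release(ctx);
            return EXIT_FAILURE;
        }
    }

    /* Load the filter into the kernel; from here on it applies to this
     * process and, after execvp, to the target. */
    int rc = seccomp_load(ctx);
    if (rc < 0) {
        fprintf(stderr, "seccomp_load: %s\n", strerror(-rc));
        seccomp_release(ctx);
        return EXIT_FAILURE;
    }
    /* The kernel holds its own copy of the program; the userland context is
     * no longer needed on either the exec or the exec-failure path. */
    seccomp_release(ctx);

#ifdef DEBUG
    printf("seccomp filter installed. Network access is blocked.\n");
    /* stdout may be fully buffered (pipe/file); exec would discard the
     * unflushed buffer. */
    fflush(stdout);
#endif

    /* Replace this process with the target; the filter is inherited. */
    execvp(argv[1], argv + 1);

    /* Only reached if exec failed; report it rather than returning success. */
    perror("execvp");
    return EXIT_FAILURE;
}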