Add syscall sandboxing (seccomp-bpf)

2026-03-20 12:39:47 +01:00 · 2021-10-01 13:53:59 +00:00
parent e69cbac628
commit 4747da3a5b
27 changed files with 1125 additions and 1 deletions
--- a/src/rpc/misc.cpp
+++ b/src/rpc/misc.cpp
@@ -22,6 +22,7 @@
 #include <util/check.h>
 #include <util/message.h> // For MessageSign(), MessageVerify()
 #include <util/strencodings.h>
+#include <util/syscall_sandbox.h>
 #include <util/system.h>

 #include <optional>
@@ -417,6 +418,27 @@ static RPCHelpMan setmocktime()
    };
 }

+#if defined(USE_SYSCALL_SANDBOX)
+static RPCHelpMan invokedisallowedsyscall()
+{
+    return RPCHelpMan{
+        "invokedisallowedsyscall",
+        "\nInvoke a disallowed syscall to trigger a syscall sandbox violation. Used for testing purposes.\n",
+        {},
+        RPCResult{RPCResult::Type::NONE, "", ""},
+        RPCExamples{
+            HelpExampleCli("invokedisallowedsyscall", "") + HelpExampleRpc("invokedisallowedsyscall", "")},
+        [&](const RPCHelpMan& self, const JSONRPCRequest& request) -> UniValue {
+            if (!Params().IsTestChain()) {
+                throw std::runtime_error("invokedisallowedsyscall is used for testing only.");
+            }
+            TestDisallowedSandboxCall();
+            return NullUniValue;
+        },
+    };
+}
+#endif // USE_SYSCALL_SANDBOX
+
 static RPCHelpMan mockscheduler()
 {
    return RPCHelpMan{"mockscheduler",
@@ -777,6 +799,9 @@ static const CRPCCommand commands[] =
    { "hidden",             &echo,                    },
    { "hidden",             &echojson,                },
    { "hidden",             &echoipc,                 },
+#if defined(USE_SYSCALL_SANDBOX)
+    { "hidden",             &invokedisallowedsyscall, },
+#endif // USE_SYSCALL_SANDBOX
 };
 // clang-format on
    for (const auto& c : commands) {