#coding:ascii-8bit require "fiddle/import" SYS_execve = 59 SYS_fork = 57 module Seccomp extend Fiddle::Importer dlload "libseccomp.so.2" extern "void *seccomp_init(int)" extern "int seccomp_rule_add(void *, unsigned int, int, unsigned int)" extern "int seccomp_load(void *)" SCMP_ACT_KILL = 0 SCMP_ACT_ALLOW = 0x7fff0000 end def apply_seccomp result = 0 ctx = Seccomp.seccomp_init(Seccomp::SCMP_ACT_ALLOW) result |= Seccomp.seccomp_rule_add(ctx, Seccomp::SCMP_ACT_KILL, SYS_execve, 0) result |= Seccomp.seccomp_rule_add(ctx, Seccomp::SCMP_ACT_KILL, SYS_fork, 0) result |= Seccomp.seccomp_load(ctx) raise "seccomp failed" unless result == 0 end STDOUT.sync = true puts < " s = STDIN.gets if s.chomp == "__END__" break end script << s end STDIN.close ARGV.freeze ObjectSpace.each_object(Module, &:freeze) apply_seccomp STDOUT.puts Thread.new(script){|s| eval "$SAFE=1;#{s}"}.value