From 02e05e088433d16ecec4aaf45be52c75664cc71c Mon Sep 17 00:00:00 2001
From: yangshukui
Date: Thu, 16 Apr 2015 08:39:12 +0800
Subject: [PATCH 1/4] Add seccomp feature
add seccomp feature which is not use third-party add multi arch surport add test case all code use golang this pr is relate to #511 because I close it and find it can not be reopen
Signed-off-by: Yang Shukui
---
 configs/config.go | 3 +
 init_linux.go | 15 ++
 integration/exec_test.go | 65 ++++++
 seccomp/seccomp.go | 133 ++++++++++++
 seccomp/syscall_linux_386.go | 364 ++++++++++++++++++++++++++++++++
 seccomp/syscall_linux_amd64.go | 329 +++++++++++++++++++++++++++++
 seccomp/syscall_linux_arm.go | 373 +++++++++++++++++++++++++++++++++
 seccomp/syscall_linux_arm64.go | 294 ++++++++++++++++++++++++++
 seccomp/syscall_linux_ppc64.go | 370 ++++++++++++++++++++++++++++++++
 standard_init_linux.go | 3 +
 10 files changed, 1949 insertions(+)
 create mode 100755 seccomp/seccomp.go
 create mode 100644 seccomp/syscall_linux_386.go
 create mode 100755 seccomp/syscall_linux_amd64.go
 create mode 100644 seccomp/syscall_linux_arm.go
 create mode 100644 seccomp/syscall_linux_arm64.go
 create mode 100644 seccomp/syscall_linux_ppc64.go
diff --git a/configs/config.go b/configs/config.go
index 293af0a9b..f18afc81e 100644
--- a/configs/config.go
+++ b/configs/config.go
@@ -61,6 +61,9 @@ type Config struct {
 // All capbilities not specified will be dropped from the processes capability mask
 Capabilities []string `json:"capabilities"`
+ // SysCalls specify the system calls to keep when executing the process inside the container
+ SysCalls []string `json:"syscalls"`
+
 // Networks specifies the container's network setup to be created
 Networks []*Network `json:"networks"`
diff --git a/init_linux.go b/init_linux.go
index 1771fd193..969d4c2a2 100644
--- a/init_linux.go
+++ b/init_linux.go
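Review bot: The new `SysCalls` field comment says which calls to "keep" but not what an empty list means or how names are matched, and a reader of configs/config.go cannot see finalizeSeccomp, where an empty list allows every call in `seccomp.SyscallMap` and each name is looked up exactly against that map's upper-case keys. Suggested wording: `// SysCalls lists the system calls (upper-case names such as "READ") the container process may make;` / `// any other call is trapped by the seccomp filter. An empty list allows every call the seccomp package knows.` The field is an allow-list, and the JSON key `syscalls` alone does not convey that, so the comment is the only place it can be stated.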
@@ -13,6 +13,7 @@ import (
 "github.com/docker/libcontainer/cgroups"
 "github.com/docker/libcontainer/configs"
 "github.com/docker/libcontainer/netlink"
+ "github.com/docker/libcontainer/seccomp"
 "github.com/docker/libcontainer/system"
 "github.com/docker/libcontainer/user"
 "github.com/docker/libcontainer/utils"
@@ -259,3 +260,17 @@ func killCgroupProcesses(m cgroups.Manager) error {
 }
 return nil
 }
+
+func finalizeSeccomp(config *initConfig) error {
+ scmpCtx, _ := seccomp.ScmpInit(seccomp.ScmpActAllow)
+ if 0 == len(config.Config.SysCalls) {
+ for key := range seccomp.SyscallMap {
+ seccomp.ScmpAdd(scmpCtx, key, seccomp.ScmpActAllow)
+ }
+ } else {
+ for _, call := range config.Config.SysCalls {
+ seccomp.ScmpAdd(scmpCtx, call, seccomp.ScmpActAllow)
+ }
+ }
+ return seccomp.ScmpLoad(scmpCtx)
+}
diff --git a/integration/exec_test.go b/integration/exec_test.go
index 20d781ee5..df6569b0a 100644
--- a/integration/exec_test.go
+++ b/integration/exec_test.go
@@ -2,6 +2,7 @@ package integration
 import (
 "bytes"
+ "fmt"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -13,6 +14,7 @@ import (
 "github.com/docker/libcontainer"
 "github.com/docker/libcontainer/cgroups/systemd"
 "github.com/docker/libcontainer/configs"
+ "github.com/docker/libcontainer/seccomp"
 )
 func TestExecPS(t *testing.T) {
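Review bot: finalizeSeccomp discards the error from every `seccomp.ScmpAdd` call (and the one from `ScmpInit`), so a misspelled or unsupported name in `config.Config.SysCalls` is silently dropped and the process is later trapped (SECCOMP_RET_TRAP) on that call at runtime instead of the container failing to start with a usable message. Check the result in the user-supplied branch: `if err := seccomp.ScmpAdd(scmpCtx, call, seccomp.ScmpActAllow); err != nil {` / `return fmt.Errorf("seccomp: adding syscall %q: %v", call, err)` / `}` — the SyscallMap branch cannot fail on lookup, so ignoring it there is harmless, though a short comment should say so. I assume `fmt` is already imported by init_linux.go; if not, return err directly. `0 == len(config.Config.SysCalls)` reads better in the usual Go order, `len(config.Config.SysCalls) == 0`. The call site of finalizeSeccomp is not visible here; the diffstat's 3 added lines in standard_init_linux.go are presumably it.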
@@ -714,3 +716,66 @@ func TestSystemProperties(t *testing.T) {
 t.Fatalf("kernel.shmmni property expected to be 8192, but is %s", shmmniOutput)
 }
 }
+
+func allExcept(calls []string) []string {
+ num := len(seccomp.SyscallMap) - len(calls)
+ filter := make([]string, num)
+ i := 0
+ for key := range seccomp.SyscallMap {
+ j := 0
+ for _, key1 := range calls {
+ if strings.EqualFold(key, key1) {
+ break
+ }
+ j++
+ }
+ if j == len(calls) {
+ filter[i] = key
+ i++
+ }
+ }
+ return filter
+}
+
+func TestSeccompNotStat(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ exceptCall := []string{"STAT"}
+ config.SysCalls = allExcept(exceptCall)
+ out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l")
+ if err == nil {
+ t.Fatal("runContainer should be failed")
+ } else {
+ fmt.Println(out)
+ }
+}
+
+func TestSeccompStat(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ exceptCall := []string{}
+ config.SysCalls = allExcept(exceptCall)
+ out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l")
+ if err != nil {
+ t.Fatal(err)
+ }
+ fmt.Println(out)
+}
diff --git a/seccomp/seccomp.go b/seccomp/seccomp.go
new file mode 100755
index 000000000..6e74ae75d
--- /dev/null
+++ b/seccomp/seccomp.go
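Review bot: allExcept sizes `filter` to exactly `len(seccomp.SyscallMap) - len(calls)`, so if any entry of `calls` is not a key of SyscallMap (or appears twice) more keys survive than there are slots and `filter[i] = key` panics with an index out of range; append instead: `filter := make([]string, 0, len(seccomp.SyscallMap))` and `filter = append(filter, key)`, dropping `i`. The inner `for`/`j` counter is a hand-rolled contains check; building a `map[string]struct{}` from `calls` once would make the intent clearer, and note it compares with `strings.EqualFold` while ScmpAdd looks names up exactly, so only upper-case names in `calls` behave as the caller expects. Both tests print the container output with `fmt.Println`; `t.Log(out)` keeps it with the test's own output and, as far as this hunk shows, removes the only use of the `fmt` import added above. Whether `ls / -l` fails when only `STAT` is removed depends on which stat variant the rootfs's ls issues (lstat, fstat, the *at forms), so TestSeccompNotStat may be fragile across libc versions.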
@@ -0,0 +1,133 @@
+package seccomp
+
+import (
+ "errors"
+ "fmt"
+ "syscall"
+ "unsafe"
+)
+
+type sockFilter struct {
+ code uint16
+ jt uint8
+ jf uint8
+ k uint32
+}
+
+type sockFprog struct {
+ len uint16
+ filt []sockFilter
+}
+
+type Action struct {
+ syscall uint32
+ action int
+ args []string
+}
+
+type ScmpCtx struct {
+ CallMap map[string]Action
+ act int
+}
+
+var ScmpActAllow = 0
+
+func ScmpInit(action int) (*ScmpCtx, error) {
+ ctx := ScmpCtx{
+ CallMap: make(map[string]Action),
+ act: action,
+ }
+ return &ctx, nil
+}
+
+func ScmpAdd(ctx *ScmpCtx, call string, action int, args ...string) error {
+ _, exists := ctx.CallMap[call]
+ if exists {
+ return errors.New("syscall exist")
+ }
+
+ //fmt.Printf("%s\n", call)
+
+ sysCall, sysExists := SyscallMap[call]
+ if sysExists {
+ ctx.CallMap[call] = Action{sysCall, action, args}
+ return nil
+ }
+ return errors.New("syscall not surport")
+}
+
+func ScmpDel(ctx *ScmpCtx, call string) error {
+ _, exists := ctx.CallMap[call]
+ if exists {
+ delete(ctx.CallMap, call)
+ return nil
+ }
+
+ return errors.New("syscall not exist")
+}
+
+func ScmpBpfStmt(code uint16, k uint32) sockFilter {
+ return sockFilter{code, 0, 0, k}
+}
+
+func ScmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter {
+ return sockFilter{code, jt, jf, k}
+}
+
+func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
+ _, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
+ if e1 != 0 {
+ err = e1
+ }
+ return nil
+}
+
+func scmpfilter(prog *sockFprog) (err error) {
+ _, _, e1 := syscall.Syscall(syscall.SYS_PRCTL, uintptr(syscall.PR_SET_SECCOMP),
+ uintptr(SECCOMP_MODE_FILTER), uintptr(unsafe.Pointer(prog)))
+ if e1 != 0 {
+ err = e1
+ }
+ return nil
+}
+
+func ScmpLoad(ctx *ScmpCtx) error {
+ for key := range SyscallMapMin {
+ ScmpAdd(ctx, key, ScmpActAllow)
+ }
+
+ num := len(ctx.CallMap)
+ filter := make([]sockFilter, num*2+3)
+
+ i := 0
+ filter[i] =
ScmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, 0)
+ i++
+
+ for _, value := range ctx.CallMap {
+ filter[i] = ScmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, value.syscall, 0, 1)
+ i++
+ filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_ALLOW)
+ i++
+ }
+
+ filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_TRAP)
+ i++
+ filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_KILL)
+ i++
+
+ prog := sockFprog{
+ len: uint16(i),
+ filt: filter,
+ }
+
+ if nil != prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) {
+ fmt.Println("prctl PR_SET_NO_NEW_PRIVS error")
+ return errors.New("prctl PR_SET_NO_NEW_PRIVS error")
+ }
+
+ if nil != scmpfilter(&prog) {
+ fmt.Println("scmpfilter error")
+ return errors.New("scmpfilter error")
+ }
+ return nil
+}
diff --git a/seccomp/syscall_linux_386.go b/seccomp/syscall_linux_386.go
new file mode 100644
index 000000000..ad98e1626
--- /dev/null
+++ b/seccomp/syscall_linux_386.go
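Review bot: Both `prctl` and `scmpfilter` assign the named result `err = e1` and then `return nil`, so a failing PR_SET_NO_NEW_PRIVS or PR_SET_SECCOMP is reported as success and ScmpLoad returns nil with no filter installed, leaving the container process unconfined; return `e1` in the error branch instead. The BPF program also loads only `seccomp_data.nr` (offset 0) and never compares the `arch` field (offset 4), so syscall numbers are matched regardless of the calling ABI; the kernel's seccomp filter documentation requires validating the architecture before trusting the number, which needs a per-arch AUDIT_ARCH_* constant (shown as the placeholder `auditArch` below) that each syscall_linux_*.go file would define. `sockFprog.filt` is a Go slice header where the kernel expects a `struct sock_filter *`; it only works because the data pointer happens to be the header's first word, so store `&filter[0]` in a `*sockFilter` field instead. The final `SECCOMP_RET_KILL` statement is unreachable behind the unconditional `SECCOMP_RET_TRAP`, and the `fmt.Println` calls duplicate the errors being returned, so the rewrite below drops both.
```go
type sockFprog struct {
	len  uint16
	filt *sockFilter // the kernel reads a struct sock_filter *, not a Go slice header
}

func prctl(option int, arg2, arg3, arg4, arg5 uintptr) error {
	_, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
	if e1 != 0 {
		return e1
	}
	return nil
}

func scmpfilter(prog *sockFprog) error {
	_, _, e1 := syscall.Syscall(syscall.SYS_PRCTL, uintptr(syscall.PR_SET_SECCOMP),
		uintptr(SECCOMP_MODE_FILTER), uintptr(unsafe.Pointer(prog)))
	if e1 != 0 {
		return e1
	}
	return nil
}

// … unchanged: ScmpLoad signature and the SyscallMapMin loop …
	num := len(ctx.CallMap)
	filter := make([]sockFilter, 0, num*2+5)
	// Reject any syscall made through a different ABI before looking at its number
	// (seccomp_data.arch is at offset 4; auditArch is the per-arch AUDIT_ARCH_* value).
	filter = append(filter,
		ScmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, 4),
		ScmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, auditArch, 1, 0),
		ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_KILL),
		ScmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, 0))
	for _, value := range ctx.CallMap {
		filter = append(filter,
			ScmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, value.syscall, 0, 1),
			ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_ALLOW))
	}
	// Anything not explicitly allowed is trapped.
	filter = append(filter, ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_TRAP))

	prog := sockFprog{len: uint16(len(filter)), filt: &filter[0]}
	if err := prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); err != nil {
		return fmt.Errorf("prctl PR_SET_NO_NEW_PRIVS: %v", err)
	}
	if err := scmpfilter(&prog); err != nil {
		return fmt.Errorf("prctl PR_SET_SECCOMP: %v", err)
	}
	return nil
}
```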
@@ -0,0 +1,364 @@ +// +build linux +// +build 386 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "EXIT": syscall.SYS_EXIT, + "FORK": syscall.SYS_FORK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "WAITPID": syscall.SYS_WAITPID, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "EXECVE": syscall.SYS_EXECVE, + "CHDIR": syscall.SYS_CHDIR, + "TIME": syscall.SYS_TIME, + "MKNOD": syscall.SYS_MKNOD, + "CHMOD": syscall.SYS_CHMOD, + "LCHOWN": syscall.SYS_LCHOWN, + "BREAK": syscall.SYS_BREAK, + "OLDSTAT": syscall.SYS_OLDSTAT, + "LSEEK": syscall.SYS_LSEEK, + "GETPID": syscall.SYS_GETPID, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT": syscall.SYS_UMOUNT, + "SETUID": syscall.SYS_SETUID, + "GETUID": syscall.SYS_GETUID, + "STIME": syscall.SYS_STIME, + "PTRACE": syscall.SYS_PTRACE, + "ALARM": syscall.SYS_ALARM, + "OLDFSTAT": syscall.SYS_OLDFSTAT, + "PAUSE": syscall.SYS_PAUSE, + "UTIME": syscall.SYS_UTIME, + "STTY": syscall.SYS_STTY, + "GTTY": syscall.SYS_GTTY, + "ACCESS": syscall.SYS_ACCESS, + "NICE": syscall.SYS_NICE, + "FTIME": syscall.SYS_FTIME, + "SYNC": syscall.SYS_SYNC, + "KILL": syscall.SYS_KILL, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "DUP": syscall.SYS_DUP, + "PIPE": syscall.SYS_PIPE, + "TIMES": syscall.SYS_TIMES, + "PROF": syscall.SYS_PROF, + "BRK": syscall.SYS_BRK, + "SETGID": syscall.SYS_SETGID, + "GETGID": syscall.SYS_GETGID, + "SIGNAL": syscall.SYS_SIGNAL, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "ACCT": syscall.SYS_ACCT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "LOCK": syscall.SYS_LOCK, + "IOCTL": syscall.SYS_IOCTL, + "FCNTL": 
syscall.SYS_FCNTL, + "MPX": syscall.SYS_MPX, + "SETPGID": syscall.SYS_SETPGID, + "ULIMIT": syscall.SYS_ULIMIT, + "OLDOLDUNAME": syscall.SYS_OLDOLDUNAME, + "UMASK": syscall.SYS_UMASK, + "CHROOT": syscall.SYS_CHROOT, + "USTAT": syscall.SYS_USTAT, + "DUP2": syscall.SYS_DUP2, + "GETPPID": syscall.SYS_GETPPID, + "GETPGRP": syscall.SYS_GETPGRP, + "SETSID": syscall.SYS_SETSID, + "SIGACTION": syscall.SYS_SIGACTION, + "SGETMASK": syscall.SYS_SGETMASK, + "SSETMASK": syscall.SYS_SSETMASK, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "SIGSUSPEND": syscall.SYS_SIGSUSPEND, + "SIGPENDING": syscall.SYS_SIGPENDING, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SELECT": syscall.SYS_SELECT, + "SYMLINK": syscall.SYS_SYMLINK, + "OLDLSTAT": syscall.SYS_OLDLSTAT, + "READLINK": syscall.SYS_READLINK, + "USELIB": syscall.SYS_USELIB, + "SWAPON": syscall.SYS_SWAPON, + "REBOOT": syscall.SYS_REBOOT, + "READDIR": syscall.SYS_READDIR, + "MMAP": syscall.SYS_MMAP, + "MUNMAP": syscall.SYS_MUNMAP, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHOWN": syscall.SYS_FCHOWN, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "PROFIL": syscall.SYS_PROFIL, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "IOPERM": syscall.SYS_IOPERM, + "SOCKETCALL": syscall.SYS_SOCKETCALL, + "SYSLOG": syscall.SYS_SYSLOG, + "SETITIMER": syscall.SYS_SETITIMER, + "GETITIMER": syscall.SYS_GETITIMER, + "STAT": syscall.SYS_STAT, + "LSTAT": syscall.SYS_LSTAT, + "FSTAT": syscall.SYS_FSTAT, + "OLDUNAME": syscall.SYS_OLDUNAME, + "IOPL": syscall.SYS_IOPL, + "VHANGUP": syscall.SYS_VHANGUP, + "IDLE": syscall.SYS_IDLE, + 
"VM86OLD": syscall.SYS_VM86OLD, + "WAIT4": syscall.SYS_WAIT4, + "SWAPOFF": syscall.SYS_SWAPOFF, + "SYSINFO": syscall.SYS_SYSINFO, + "IPC": syscall.SYS_IPC, + "FSYNC": syscall.SYS_FSYNC, + "SIGRETURN": syscall.SYS_SIGRETURN, + "CLONE": syscall.SYS_CLONE, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "UNAME": syscall.SYS_UNAME, + "MODIFY_LDT": syscall.SYS_MODIFY_LDT, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "MPROTECT": syscall.SYS_MPROTECT, + "SIGPROCMASK": syscall.SYS_SIGPROCMASK, + "CREATE_MODULE": syscall.SYS_CREATE_MODULE, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, + "QUOTACTL": syscall.SYS_QUOTACTL, + "GETPGID": syscall.SYS_GETPGID, + "FCHDIR": syscall.SYS_FCHDIR, + "BDFLUSH": syscall.SYS_BDFLUSH, + "SYSFS": syscall.SYS_SYSFS, + "PERSONALITY": syscall.SYS_PERSONALITY, + "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "_LLSEEK": syscall.SYS__LLSEEK, + "GETDENTS": syscall.SYS_GETDENTS, + "_NEWSELECT": syscall.SYS__NEWSELECT, + "FLOCK": syscall.SYS_FLOCK, + "MSYNC": syscall.SYS_MSYNC, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "GETSID": syscall.SYS_GETSID, + "FDATASYNC": syscall.SYS_FDATASYNC, + "_SYSCTL": syscall.SYS__SYSCTL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "MREMAP": syscall.SYS_MREMAP, + "SETRESUID": 
syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "VM86": syscall.SYS_VM86, + "QUERY_MODULE": syscall.SYS_QUERY_MODULE, + "POLL": syscall.SYS_POLL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "PRCTL": syscall.SYS_PRCTL, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "CHOWN": syscall.SYS_CHOWN, + "GETCWD": syscall.SYS_GETCWD, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "SENDFILE": syscall.SYS_SENDFILE, + "GETPMSG": syscall.SYS_GETPMSG, + "PUTPMSG": syscall.SYS_PUTPMSG, + "VFORK": syscall.SYS_VFORK, + "UGETRLIMIT": syscall.SYS_UGETRLIMIT, + "MMAP2": syscall.SYS_MMAP2, + "TRUNCATE64": syscall.SYS_TRUNCATE64, + "FTRUNCATE64": syscall.SYS_FTRUNCATE64, + "STAT64": syscall.SYS_STAT64, + "LSTAT64": syscall.SYS_LSTAT64, + "FSTAT64": syscall.SYS_FSTAT64, + "LCHOWN32": syscall.SYS_LCHOWN32, + "GETUID32": syscall.SYS_GETUID32, + "GETGID32": syscall.SYS_GETGID32, + "GETEUID32": syscall.SYS_GETEUID32, + "GETEGID32": syscall.SYS_GETEGID32, + "SETREUID32": syscall.SYS_SETREUID32, + "SETREGID32": syscall.SYS_SETREGID32, + "GETGROUPS32": syscall.SYS_GETGROUPS32, + "SETGROUPS32": syscall.SYS_SETGROUPS32, + "FCHOWN32": syscall.SYS_FCHOWN32, + "SETRESUID32": syscall.SYS_SETRESUID32, + "GETRESUID32": syscall.SYS_GETRESUID32, + "SETRESGID32": syscall.SYS_SETRESGID32, + "GETRESGID32": syscall.SYS_GETRESGID32, + "CHOWN32": syscall.SYS_CHOWN32, + "SETUID32": syscall.SYS_SETUID32, + "SETGID32": syscall.SYS_SETGID32, + "SETFSUID32": syscall.SYS_SETFSUID32, + "SETFSGID32": syscall.SYS_SETFSGID32, + 
"PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "MADVISE1": syscall.SYS_MADVISE1, + "GETDENTS64": syscall.SYS_GETDENTS64, + "FCNTL64": syscall.SYS_FCNTL64, + "GETTID": syscall.SYS_GETTID, + "READAHEAD": syscall.SYS_READAHEAD, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "TKILL": syscall.SYS_TKILL, + "SENDFILE64": syscall.SYS_SENDFILE64, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "SET_THREAD_AREA": syscall.SYS_SET_THREAD_AREA, + "GET_THREAD_AREA": syscall.SYS_GET_THREAD_AREA, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "FADVISE64": syscall.SYS_FADVISE64, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + 
"CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "STATFS64": syscall.SYS_STATFS64, + "FSTATFS64": syscall.SYS_FSTATFS64, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "FADVISE64_64": syscall.SYS_FADVISE64_64, + "VSERVER": syscall.SYS_VSERVER, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "WAITID": syscall.SYS_WAITID, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + "FSTATAT64": syscall.SYS_FSTATAT64, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SPLICE": syscall.SYS_SPLICE, + "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE, + "TEE": syscall.SYS_TEE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "GETCPU": syscall.SYS_GETCPU, + "EPOLL_PWAIT": 
syscall.SYS_EPOLL_PWAIT, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "FALLOCATE": syscall.SYS_FALLOCATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "RECVMMSG": syscall.SYS_RECVMMSG, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "PRLIMIT64": syscall.SYS_PRLIMIT64, +} + +var SyscallMapMin = map[string]uint32{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_amd64.go b/seccomp/syscall_linux_amd64.go new file mode 100755 index 000000000..b44d5546e --- /dev/null +++ b/seccomp/syscall_linux_amd64.go 
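Review bot: The SECCOMP_RET_*, SECCOMP_MODE_FILTER and PR_SET_NO_NEW_PRIVS constants are ABI-independent yet are re-declared in this file and again in the amd64 and arm hunks (and presumably in the arm64 and ppc64 files, which are outside this view); declare them once in seccomp.go so a later edit cannot leave the architectures disagreeing. The element type of `SyscallMapMin` already differs: `map[string]uint32` here but `map[string]int` in the amd64 hunk, which only compiles because ScmpLoad ranges over the keys. Every file defining `SyscallMap` carries `// +build linux` while seccomp.go does not, so on any other GOOS the package fails to compile on the unresolved `SyscallMap`/`SECCOMP_*`/`syscall.SYS_PRCTL` names instead of being excluded; give seccomp.go the same `// +build linux` constraint. The diffstat also adds seccomp.go and syscall_linux_amd64.go with mode 100755; Go sources should not carry the executable bit.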
@@ -0,0 +1,329 @@ +// +build linux +// +build amd64 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "STAT": syscall.SYS_STAT, + "FSTAT": syscall.SYS_FSTAT, + "LSTAT": syscall.SYS_LSTAT, + "POLL": syscall.SYS_POLL, + "LSEEK": syscall.SYS_LSEEK, + "MMAP": syscall.SYS_MMAP, + "MPROTECT": syscall.SYS_MPROTECT, + "MUNMAP": syscall.SYS_MUNMAP, + "BRK": syscall.SYS_BRK, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "IOCTL": syscall.SYS_IOCTL, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "ACCESS": syscall.SYS_ACCESS, + "PIPE": syscall.SYS_PIPE, + "SELECT": syscall.SYS_SELECT, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "MREMAP": syscall.SYS_MREMAP, + "MSYNC": syscall.SYS_MSYNC, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "SHMGET": syscall.SYS_SHMGET, + "SHMAT": syscall.SYS_SHMAT, + "SHMCTL": syscall.SYS_SHMCTL, + "DUP": syscall.SYS_DUP, + "DUP2": syscall.SYS_DUP2, + "PAUSE": syscall.SYS_PAUSE, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "GETITIMER": syscall.SYS_GETITIMER, + "ALARM": syscall.SYS_ALARM, + "SETITIMER": syscall.SYS_SETITIMER, + "GETPID": syscall.SYS_GETPID, + "SENDFILE": syscall.SYS_SENDFILE, + "SOCKET": syscall.SYS_SOCKET, + "CONNECT": syscall.SYS_CONNECT, + "ACCEPT": syscall.SYS_ACCEPT, + "SENDTO": syscall.SYS_SENDTO, + "RECVFROM": syscall.SYS_RECVFROM, + "SENDMSG": syscall.SYS_SENDMSG, + "RECVMSG": syscall.SYS_RECVMSG, + "SHUTDOWN": syscall.SYS_SHUTDOWN, + "BIND": syscall.SYS_BIND, + "LISTEN": syscall.SYS_LISTEN, + "GETSOCKNAME": 
syscall.SYS_GETSOCKNAME, + "GETPEERNAME": syscall.SYS_GETPEERNAME, + "SOCKETPAIR": syscall.SYS_SOCKETPAIR, + "SETSOCKOPT": syscall.SYS_SETSOCKOPT, + "GETSOCKOPT": syscall.SYS_GETSOCKOPT, + "CLONE": syscall.SYS_CLONE, + "FORK": syscall.SYS_FORK, + "VFORK": syscall.SYS_VFORK, + "EXECVE": syscall.SYS_EXECVE, + "EXIT": syscall.SYS_EXIT, + "WAIT4": syscall.SYS_WAIT4, + "KILL": syscall.SYS_KILL, + "UNAME": syscall.SYS_UNAME, + "SEMGET": syscall.SYS_SEMGET, + "SEMOP": syscall.SYS_SEMOP, + "SEMCTL": syscall.SYS_SEMCTL, + "SHMDT": syscall.SYS_SHMDT, + "MSGGET": syscall.SYS_MSGGET, + "MSGSND": syscall.SYS_MSGSND, + "MSGRCV": syscall.SYS_MSGRCV, + "MSGCTL": syscall.SYS_MSGCTL, + "FCNTL": syscall.SYS_FCNTL, + "FLOCK": syscall.SYS_FLOCK, + "FSYNC": syscall.SYS_FSYNC, + "FDATASYNC": syscall.SYS_FDATASYNC, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "GETDENTS": syscall.SYS_GETDENTS, + "GETCWD": syscall.SYS_GETCWD, + "CHDIR": syscall.SYS_CHDIR, + "FCHDIR": syscall.SYS_FCHDIR, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "SYMLINK": syscall.SYS_SYMLINK, + "READLINK": syscall.SYS_READLINK, + "CHMOD": syscall.SYS_CHMOD, + "FCHMOD": syscall.SYS_FCHMOD, + "CHOWN": syscall.SYS_CHOWN, + "FCHOWN": syscall.SYS_FCHOWN, + "LCHOWN": syscall.SYS_LCHOWN, + "UMASK": syscall.SYS_UMASK, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "SYSINFO": syscall.SYS_SYSINFO, + "TIMES": syscall.SYS_TIMES, + "PTRACE": syscall.SYS_PTRACE, + "GETUID": syscall.SYS_GETUID, + "SYSLOG": syscall.SYS_SYSLOG, + "GETGID": syscall.SYS_GETGID, + "SETUID": syscall.SYS_SETUID, + "SETGID": syscall.SYS_SETGID, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "SETPGID": syscall.SYS_SETPGID, + "GETPPID": syscall.SYS_GETPPID, + "GETPGRP": syscall.SYS_GETPGRP, + 
"SETSID": syscall.SYS_SETSID, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SETRESUID": syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "GETPGID": syscall.SYS_GETPGID, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "GETSID": syscall.SYS_GETSID, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "UTIME": syscall.SYS_UTIME, + "MKNOD": syscall.SYS_MKNOD, + "USELIB": syscall.SYS_USELIB, + "PERSONALITY": syscall.SYS_PERSONALITY, + "USTAT": syscall.SYS_USTAT, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "SYSFS": syscall.SYS_SYSFS, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "VHANGUP": syscall.SYS_VHANGUP, + "MODIFY_LDT": syscall.SYS_MODIFY_LDT, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "_SYSCTL": syscall.SYS__SYSCTL, + "PRCTL": syscall.SYS_PRCTL, + "ARCH_PRCTL": syscall.SYS_ARCH_PRCTL, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "CHROOT": syscall.SYS_CHROOT, + "SYNC": syscall.SYS_SYNC, 
+ "ACCT": syscall.SYS_ACCT, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "SWAPON": syscall.SYS_SWAPON, + "SWAPOFF": syscall.SYS_SWAPOFF, + "REBOOT": syscall.SYS_REBOOT, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "IOPL": syscall.SYS_IOPL, + "IOPERM": syscall.SYS_IOPERM, + "CREATE_MODULE": syscall.SYS_CREATE_MODULE, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, + "QUERY_MODULE": syscall.SYS_QUERY_MODULE, + "QUOTACTL": syscall.SYS_QUOTACTL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "GETPMSG": syscall.SYS_GETPMSG, + "PUTPMSG": syscall.SYS_PUTPMSG, + "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, + "TUXCALL": syscall.SYS_TUXCALL, + "SECURITY": syscall.SYS_SECURITY, + "GETTID": syscall.SYS_GETTID, + "READAHEAD": syscall.SYS_READAHEAD, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "TKILL": syscall.SYS_TKILL, + "TIME": syscall.SYS_TIME, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "SET_THREAD_AREA": syscall.SYS_SET_THREAD_AREA, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "GET_THREAD_AREA": syscall.SYS_GET_THREAD_AREA, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + 
"EPOLL_CTL_OLD": syscall.SYS_EPOLL_CTL_OLD, + "EPOLL_WAIT_OLD": syscall.SYS_EPOLL_WAIT_OLD, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "GETDENTS64": syscall.SYS_GETDENTS64, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP, + "FADVISE64": syscall.SYS_FADVISE64, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "VSERVER": syscall.SYS_VSERVER, + "MBIND": syscall.SYS_MBIND, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "WAITID": syscall.SYS_WAITID, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + 
"NEWFSTATAT": syscall.SYS_NEWFSTATAT, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SPLICE": syscall.SYS_SPLICE, + "TEE": syscall.SYS_TEE, + "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "FALLOCATE": syscall.SYS_FALLOCATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "ACCEPT4": syscall.SYS_ACCEPT4, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "RECVMMSG": syscall.SYS_RECVMMSG, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "PRLIMIT64": syscall.SYS_PRLIMIT64, +} + +var SyscallMapMin = map[string]int{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_arm.go b/seccomp/syscall_linux_arm.go new file mode 100644 index 000000000..141ec76a6 --- /dev/null +++ b/seccomp/syscall_linux_arm.go 
@@ -0,0 +1,373 @@ +// +build linux +// +build arm + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "OABI_SYSCALL_BASE": syscall.SYS_OABI_SYSCALL_BASE, + "SYSCALL_BASE": syscall.SYS_SYSCALL_BASE, + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "EXIT": syscall.SYS_EXIT, + "FORK": syscall.SYS_FORK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "EXECVE": syscall.SYS_EXECVE, + "CHDIR": syscall.SYS_CHDIR, + "TIME": syscall.SYS_TIME, + "MKNOD": syscall.SYS_MKNOD, + "CHMOD": syscall.SYS_CHMOD, + "LCHOWN": syscall.SYS_LCHOWN, + "LSEEK": syscall.SYS_LSEEK, + "GETPID": syscall.SYS_GETPID, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT": syscall.SYS_UMOUNT, + "SETUID": syscall.SYS_SETUID, + "GETUID": syscall.SYS_GETUID, + "STIME": syscall.SYS_STIME, + "PTRACE": syscall.SYS_PTRACE, + "ALARM": syscall.SYS_ALARM, + "PAUSE": syscall.SYS_PAUSE, + "UTIME": syscall.SYS_UTIME, + "ACCESS": syscall.SYS_ACCESS, + "NICE": syscall.SYS_NICE, + "SYNC": syscall.SYS_SYNC, + "KILL": syscall.SYS_KILL, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "DUP": syscall.SYS_DUP, + "PIPE": syscall.SYS_PIPE, + "TIMES": syscall.SYS_TIMES, + "BRK": syscall.SYS_BRK, + "SETGID": syscall.SYS_SETGID, + "GETGID": syscall.SYS_GETGID, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "ACCT": syscall.SYS_ACCT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "IOCTL": syscall.SYS_IOCTL, + "FCNTL": syscall.SYS_FCNTL, + "SETPGID": syscall.SYS_SETPGID, + "UMASK": syscall.SYS_UMASK, + "CHROOT": syscall.SYS_CHROOT, + "USTAT": syscall.SYS_USTAT, + "DUP2": syscall.SYS_DUP2, + "GETPPID": syscall.SYS_GETPPID, + 
"GETPGRP": syscall.SYS_GETPGRP, + "SETSID": syscall.SYS_SETSID, + "SIGACTION": syscall.SYS_SIGACTION, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "SIGSUSPEND": syscall.SYS_SIGSUSPEND, + "SIGPENDING": syscall.SYS_SIGPENDING, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SELECT": syscall.SYS_SELECT, + "SYMLINK": syscall.SYS_SYMLINK, + "READLINK": syscall.SYS_READLINK, + "USELIB": syscall.SYS_USELIB, + "SWAPON": syscall.SYS_SWAPON, + "REBOOT": syscall.SYS_REBOOT, + "READDIR": syscall.SYS_READDIR, + "MMAP": syscall.SYS_MMAP, + "MUNMAP": syscall.SYS_MUNMAP, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHOWN": syscall.SYS_FCHOWN, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "SOCKETCALL": syscall.SYS_SOCKETCALL, + "SYSLOG": syscall.SYS_SYSLOG, + "SETITIMER": syscall.SYS_SETITIMER, + "GETITIMER": syscall.SYS_GETITIMER, + "STAT": syscall.SYS_STAT, + "LSTAT": syscall.SYS_LSTAT, + "FSTAT": syscall.SYS_FSTAT, + "VHANGUP": syscall.SYS_VHANGUP, + "SYSCALL": syscall.SYS_SYSCALL, + "WAIT4": syscall.SYS_WAIT4, + "SWAPOFF": syscall.SYS_SWAPOFF, + "SYSINFO": syscall.SYS_SYSINFO, + "IPC": syscall.SYS_IPC, + "FSYNC": syscall.SYS_FSYNC, + "SIGRETURN": syscall.SYS_SIGRETURN, + "CLONE": syscall.SYS_CLONE, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "UNAME": syscall.SYS_UNAME, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "MPROTECT": syscall.SYS_MPROTECT, + "SIGPROCMASK": syscall.SYS_SIGPROCMASK, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "QUOTACTL": syscall.SYS_QUOTACTL, + 
"GETPGID": syscall.SYS_GETPGID, + "FCHDIR": syscall.SYS_FCHDIR, + "BDFLUSH": syscall.SYS_BDFLUSH, + "SYSFS": syscall.SYS_SYSFS, + "PERSONALITY": syscall.SYS_PERSONALITY, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "_LLSEEK": syscall.SYS__LLSEEK, + "GETDENTS": syscall.SYS_GETDENTS, + "_NEWSELECT": syscall.SYS__NEWSELECT, + "FLOCK": syscall.SYS_FLOCK, + "MSYNC": syscall.SYS_MSYNC, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "GETSID": syscall.SYS_GETSID, + "FDATASYNC": syscall.SYS_FDATASYNC, + "_SYSCTL": syscall.SYS__SYSCTL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "MREMAP": syscall.SYS_MREMAP, + "SETRESUID": syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "POLL": syscall.SYS_POLL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "PRCTL": syscall.SYS_PRCTL, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "CHOWN": syscall.SYS_CHOWN, + "GETCWD": syscall.SYS_GETCWD, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": 
syscall.SYS_CAPSET, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "SENDFILE": syscall.SYS_SENDFILE, + "VFORK": syscall.SYS_VFORK, + "UGETRLIMIT": syscall.SYS_UGETRLIMIT, + "MMAP2": syscall.SYS_MMAP2, + "TRUNCATE64": syscall.SYS_TRUNCATE64, + "FTRUNCATE64": syscall.SYS_FTRUNCATE64, + "STAT64": syscall.SYS_STAT64, + "LSTAT64": syscall.SYS_LSTAT64, + "FSTAT64": syscall.SYS_FSTAT64, + "LCHOWN32": syscall.SYS_LCHOWN32, + "GETUID32": syscall.SYS_GETUID32, + "GETGID32": syscall.SYS_GETGID32, + "GETEUID32": syscall.SYS_GETEUID32, + "GETEGID32": syscall.SYS_GETEGID32, + "SETREUID32": syscall.SYS_SETREUID32, + "SETREGID32": syscall.SYS_SETREGID32, + "GETGROUPS32": syscall.SYS_GETGROUPS32, + "SETGROUPS32": syscall.SYS_SETGROUPS32, + "FCHOWN32": syscall.SYS_FCHOWN32, + "SETRESUID32": syscall.SYS_SETRESUID32, + "GETRESUID32": syscall.SYS_GETRESUID32, + "SETRESGID32": syscall.SYS_SETRESGID32, + "GETRESGID32": syscall.SYS_GETRESGID32, + "CHOWN32": syscall.SYS_CHOWN32, + "SETUID32": syscall.SYS_SETUID32, + "SETGID32": syscall.SYS_SETGID32, + "SETFSUID32": syscall.SYS_SETFSUID32, + "SETFSGID32": syscall.SYS_SETFSGID32, + "GETDENTS64": syscall.SYS_GETDENTS64, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "FCNTL64": syscall.SYS_FCNTL64, + "GETTID": syscall.SYS_GETTID, + "READAHEAD": syscall.SYS_READAHEAD, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "TKILL": syscall.SYS_TKILL, + "SENDFILE64": syscall.SYS_SENDFILE64, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + 
"SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "STATFS64": syscall.SYS_STATFS64, + "FSTATFS64": syscall.SYS_FSTATFS64, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "ARM_FADVISE64_64": syscall.SYS_ARM_FADVISE64_64, + "PCICONFIG_IOBASE": syscall.SYS_PCICONFIG_IOBASE, + "PCICONFIG_READ": syscall.SYS_PCICONFIG_READ, + "PCICONFIG_WRITE": syscall.SYS_PCICONFIG_WRITE, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "WAITID": syscall.SYS_WAITID, + "SOCKET": syscall.SYS_SOCKET, + "BIND": syscall.SYS_BIND, + "CONNECT": syscall.SYS_CONNECT, + "LISTEN": syscall.SYS_LISTEN, + "ACCEPT": syscall.SYS_ACCEPT, + "GETSOCKNAME": syscall.SYS_GETSOCKNAME, + "GETPEERNAME": syscall.SYS_GETPEERNAME, + "SOCKETPAIR": syscall.SYS_SOCKETPAIR, + "SEND": syscall.SYS_SEND, + "SENDTO": syscall.SYS_SENDTO, + "RECV": syscall.SYS_RECV, + "RECVFROM": 
syscall.SYS_RECVFROM, + "SHUTDOWN": syscall.SYS_SHUTDOWN, + "SETSOCKOPT": syscall.SYS_SETSOCKOPT, + "GETSOCKOPT": syscall.SYS_GETSOCKOPT, + "SENDMSG": syscall.SYS_SENDMSG, + "RECVMSG": syscall.SYS_RECVMSG, + "SEMOP": syscall.SYS_SEMOP, + "SEMGET": syscall.SYS_SEMGET, + "SEMCTL": syscall.SYS_SEMCTL, + "MSGSND": syscall.SYS_MSGSND, + "MSGRCV": syscall.SYS_MSGRCV, + "MSGGET": syscall.SYS_MSGGET, + "MSGCTL": syscall.SYS_MSGCTL, + "SHMAT": syscall.SYS_SHMAT, + "SHMDT": syscall.SYS_SHMDT, + "SHMGET": syscall.SYS_SHMGET, + "SHMCTL": syscall.SYS_SHMCTL, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP, + "VSERVER": syscall.SYS_VSERVER, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + "FSTATAT64": syscall.SYS_FSTATAT64, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SPLICE": syscall.SYS_SPLICE, + "ARM_SYNC_FILE_RANGE": syscall.SYS_ARM_SYNC_FILE_RANGE, + "TEE": syscall.SYS_TEE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "GETCPU": syscall.SYS_GETCPU, + "EPOLL_PWAIT": 
syscall.SYS_EPOLL_PWAIT, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "FALLOCATE": syscall.SYS_FALLOCATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "RECVMMSG": syscall.SYS_RECVMMSG, + "ACCEPT4": syscall.SYS_ACCEPT4, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "PRLIMIT64": syscall.SYS_PRLIMIT64, + "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT, + "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT, + "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME, + "SYNCFS": syscall.SYS_SYNCFS, + "SENDMMSG": syscall.SYS_SENDMMSG, + "SETNS": syscall.SYS_SETNS, + "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV, + "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV, +} + +var SyscallMapMin = map[string]int{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_arm64.go b/seccomp/syscall_linux_arm64.go new file mode 100644 index 000000000..4c94ef916 --- /dev/null +++ b/seccomp/syscall_linux_arm64.go 
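Review bot: The arm `SyscallMap` carries two entries that are not system calls at all, `"OABI_SYSCALL_BASE": syscall.SYS_OABI_SYSCALL_BASE` and `"SYSCALL_BASE": syscall.SYS_SYSCALL_BASE`; these are numbering-base offsets, so a policy that names them allows whichever syscall number happens to sit at that offset (on EABI the base appears to be 0, i.e. the same number as `RESTART_SYSCALL`), and both should be dropped from the table. The table also exposes `"SYSCALL": syscall.SYS_SYSCALL`, ARM's indirect "call a syscall" trampoline; if the kernel dispatches the target of that call without running the filter a second time (worth confirming for the kernel versions you target), allowing it lets a confined process reach any syscall the policy meant to block, so it deserves at least a comment such as `// SYSCALL is an indirect trampoline; allowing it may bypass the filter` and should not be part of any default allow-list. Finally `SyscallMapMin` is declared as `map[string]int` while `SyscallMap` is `map[string]uint32`; seccomp compares `seccomp_data.nr` as a 32-bit value, so both tables should use `uint32` to avoid ad-hoc conversions at the call site.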
@@ -0,0 +1,294 @@ +// +build linux +// +build arm64 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "GETCWD": syscall.SYS_GETCWD, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT, + "DUP": syscall.SYS_DUP, + "DUP3": syscall.SYS_DUP3, + "FCNTL": syscall.SYS_FCNTL, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "IOCTL": syscall.SYS_IOCTL, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "FLOCK": syscall.SYS_FLOCK, + "MKNODAT": syscall.SYS_MKNODAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "UNLINKAT": syscall.SYS_UNLINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "LINKAT": syscall.SYS_LINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "MOUNT": syscall.SYS_MOUNT, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": 
syscall.SYS_FSTATFS, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FALLOCATE": syscall.SYS_FALLOCATE, + "FACCESSAT": syscall.SYS_FACCESSAT, + "CHDIR": syscall.SYS_CHDIR, + "FCHDIR": syscall.SYS_FCHDIR, + "CHROOT": syscall.SYS_CHROOT, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FCHOWN": syscall.SYS_FCHOWN, + "OPENAT": syscall.SYS_OPENAT, + "CLOSE": syscall.SYS_CLOSE, + "VHANGUP": syscall.SYS_VHANGUP, + "PIPE2": syscall.SYS_PIPE2, + "QUOTACTL": syscall.SYS_QUOTACTL, + "GETDENTS64": syscall.SYS_GETDENTS64, + "LSEEK": syscall.SYS_LSEEK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "SENDFILE": syscall.SYS_SENDFILE, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "VMSPLICE": syscall.SYS_VMSPLICE, + "SPLICE": syscall.SYS_SPLICE, + "TEE": syscall.SYS_TEE, + "READLINKAT": syscall.SYS_READLINKAT, + "FSTATAT": syscall.SYS_FSTATAT, + "FSTAT": syscall.SYS_FSTAT, + "SYNC": syscall.SYS_SYNC, + "FSYNC": syscall.SYS_FSYNC, + "FDATASYNC": syscall.SYS_FDATASYNC, + "SYNC_FILE_RANGE2": syscall.SYS_SYNC_FILE_RANGE2, + "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "ACCT": syscall.SYS_ACCT, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "PERSONALITY": syscall.SYS_PERSONALITY, + "EXIT": syscall.SYS_EXIT, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "WAITID": syscall.SYS_WAITID, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "UNSHARE": syscall.SYS_UNSHARE, + "FUTEX": syscall.SYS_FUTEX, + "SET_ROBUST_LIST": 
syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "GETITIMER": syscall.SYS_GETITIMER, + "SETITIMER": syscall.SYS_SETITIMER, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "SYSLOG": syscall.SYS_SYSLOG, + "PTRACE": syscall.SYS_PTRACE, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "KILL": syscall.SYS_KILL, + "TKILL": syscall.SYS_TKILL, + "TGKILL": syscall.SYS_TGKILL, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "REBOOT": syscall.SYS_REBOOT, + "SETREGID": 
syscall.SYS_SETREGID, + "SETGID": syscall.SYS_SETGID, + "SETREUID": syscall.SYS_SETREUID, + "SETUID": syscall.SYS_SETUID, + "SETRESUID": syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "TIMES": syscall.SYS_TIMES, + "SETPGID": syscall.SYS_SETPGID, + "GETPGID": syscall.SYS_GETPGID, + "GETSID": syscall.SYS_GETSID, + "SETSID": syscall.SYS_SETSID, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "UNAME": syscall.SYS_UNAME, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "UMASK": syscall.SYS_UMASK, + "PRCTL": syscall.SYS_PRCTL, + "GETCPU": syscall.SYS_GETCPU, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "GETPID": syscall.SYS_GETPID, + "GETPPID": syscall.SYS_GETPPID, + "GETUID": syscall.SYS_GETUID, + "GETEUID": syscall.SYS_GETEUID, + "GETGID": syscall.SYS_GETGID, + "GETEGID": syscall.SYS_GETEGID, + "GETTID": syscall.SYS_GETTID, + "SYSINFO": syscall.SYS_SYSINFO, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "MSGGET": syscall.SYS_MSGGET, + "MSGCTL": syscall.SYS_MSGCTL, + "MSGRCV": syscall.SYS_MSGRCV, + "MSGSND": syscall.SYS_MSGSND, + "SEMGET": syscall.SYS_SEMGET, + "SEMCTL": syscall.SYS_SEMCTL, + "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP, + "SEMOP": syscall.SYS_SEMOP, + "SHMGET": syscall.SYS_SHMGET, + "SHMCTL": syscall.SYS_SHMCTL, + "SHMAT": syscall.SYS_SHMAT, + "SHMDT": syscall.SYS_SHMDT, + "SOCKET": syscall.SYS_SOCKET, + "SOCKETPAIR": 
syscall.SYS_SOCKETPAIR, + "BIND": syscall.SYS_BIND, + "LISTEN": syscall.SYS_LISTEN, + "ACCEPT": syscall.SYS_ACCEPT, + "CONNECT": syscall.SYS_CONNECT, + "GETSOCKNAME": syscall.SYS_GETSOCKNAME, + "GETPEERNAME": syscall.SYS_GETPEERNAME, + "SENDTO": syscall.SYS_SENDTO, + "RECVFROM": syscall.SYS_RECVFROM, + "SETSOCKOPT": syscall.SYS_SETSOCKOPT, + "GETSOCKOPT": syscall.SYS_GETSOCKOPT, + "SHUTDOWN": syscall.SYS_SHUTDOWN, + "SENDMSG": syscall.SYS_SENDMSG, + "RECVMSG": syscall.SYS_RECVMSG, + "READAHEAD": syscall.SYS_READAHEAD, + "BRK": syscall.SYS_BRK, + "MUNMAP": syscall.SYS_MUNMAP, + "MREMAP": syscall.SYS_MREMAP, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "CLONE": syscall.SYS_CLONE, + "EXECVE": syscall.SYS_EXECVE, + "MMAP": syscall.SYS_MMAP, + "FADVISE64": syscall.SYS_FADVISE64, + "SWAPON": syscall.SYS_SWAPON, + "SWAPOFF": syscall.SYS_SWAPOFF, + "MPROTECT": syscall.SYS_MPROTECT, + "MSYNC": syscall.SYS_MSYNC, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "ACCEPT4": syscall.SYS_ACCEPT4, + "RECVMMSG": syscall.SYS_RECVMMSG, + "ARCH_SPECIFIC_SYSCALL": syscall.SYS_ARCH_SPECIFIC_SYSCALL, + "WAIT4": syscall.SYS_WAIT4, + "PRLIMIT64": syscall.SYS_PRLIMIT64, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT, + "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT, + "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME, 
+ "SYNCFS": syscall.SYS_SYNCFS, + "SETNS": syscall.SYS_SETNS, + "SENDMMSG": syscall.SYS_SENDMMSG, + "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV, + "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV, + "KCMP": syscall.SYS_KCMP, + "FINIT_MODULE": syscall.SYS_FINIT_MODULE, + "SCHED_SETATTR": syscall.SYS_SCHED_SETATTR, + "SCHED_GETATTR": syscall.SYS_SCHED_GETATTR, + "RENAMEAT2": syscall.SYS_RENAMEAT2, + "SECCOMP": syscall.SYS_SECCOMP, + "GETRANDOM": syscall.SYS_GETRANDOM, + "MEMFD_CREATE": syscall.SYS_MEMFD_CREATE, + "BPF": syscall.SYS_BPF, + "EXECVEAT": syscall.SYS_EXECVEAT, +} + +var SyscallMapMin = map[string]int{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_ppc64.go b/seccomp/syscall_linux_ppc64.go new file mode 100644 index 000000000..43af1bb22 --- /dev/null +++ b/seccomp/syscall_linux_ppc64.go 
@@ -0,0 +1,370 @@ +// +build linux +// +build ppc64 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "EXIT": syscall.SYS_EXIT, + "FORK": syscall.SYS_FORK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "WAITPID": syscall.SYS_WAITPID, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "EXECVE": syscall.SYS_EXECVE, + "CHDIR": syscall.SYS_CHDIR, + "TIME": syscall.SYS_TIME, + "MKNOD": syscall.SYS_MKNOD, + "CHMOD": syscall.SYS_CHMOD, + "LCHOWN": syscall.SYS_LCHOWN, + "BREAK": syscall.SYS_BREAK, + "OLDSTAT": syscall.SYS_OLDSTAT, + "LSEEK": syscall.SYS_LSEEK, + "GETPID": syscall.SYS_GETPID, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT": syscall.SYS_UMOUNT, + "SETUID": syscall.SYS_SETUID, + "GETUID": syscall.SYS_GETUID, + "STIME": syscall.SYS_STIME, + "PTRACE": syscall.SYS_PTRACE, + "ALARM": syscall.SYS_ALARM, + "OLDFSTAT": syscall.SYS_OLDFSTAT, + "PAUSE": syscall.SYS_PAUSE, + "UTIME": syscall.SYS_UTIME, + "STTY": syscall.SYS_STTY, + "GTTY": syscall.SYS_GTTY, + "ACCESS": syscall.SYS_ACCESS, + "NICE": syscall.SYS_NICE, + "FTIME": syscall.SYS_FTIME, + "SYNC": syscall.SYS_SYNC, + "KILL": syscall.SYS_KILL, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "DUP": syscall.SYS_DUP, + "PIPE": syscall.SYS_PIPE, + "TIMES": syscall.SYS_TIMES, + "PROF": syscall.SYS_PROF, + "BRK": syscall.SYS_BRK, + "SETGID": syscall.SYS_SETGID, + "GETGID": syscall.SYS_GETGID, + "SIGNAL": syscall.SYS_SIGNAL, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "ACCT": syscall.SYS_ACCT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "LOCK": syscall.SYS_LOCK, + "IOCTL": syscall.SYS_IOCTL, + "FCNTL": 
syscall.SYS_FCNTL, + "MPX": syscall.SYS_MPX, + "SETPGID": syscall.SYS_SETPGID, + "ULIMIT": syscall.SYS_ULIMIT, + "OLDOLDUNAME": syscall.SYS_OLDOLDUNAME, + "UMASK": syscall.SYS_UMASK, + "CHROOT": syscall.SYS_CHROOT, + "USTAT": syscall.SYS_USTAT, + "DUP2": syscall.SYS_DUP2, + "GETPPID": syscall.SYS_GETPPID, + "GETPGRP": syscall.SYS_GETPGRP, + "SETSID": syscall.SYS_SETSID, + "SIGACTION": syscall.SYS_SIGACTION, + "SGETMASK": syscall.SYS_SGETMASK, + "SSETMASK": syscall.SYS_SSETMASK, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "SIGSUSPEND": syscall.SYS_SIGSUSPEND, + "SIGPENDING": syscall.SYS_SIGPENDING, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SELECT": syscall.SYS_SELECT, + "SYMLINK": syscall.SYS_SYMLINK, + "OLDLSTAT": syscall.SYS_OLDLSTAT, + "READLINK": syscall.SYS_READLINK, + "USELIB": syscall.SYS_USELIB, + "SWAPON": syscall.SYS_SWAPON, + "REBOOT": syscall.SYS_REBOOT, + "READDIR": syscall.SYS_READDIR, + "MMAP": syscall.SYS_MMAP, + "MUNMAP": syscall.SYS_MUNMAP, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHOWN": syscall.SYS_FCHOWN, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "PROFIL": syscall.SYS_PROFIL, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "IOPERM": syscall.SYS_IOPERM, + "SOCKETCALL": syscall.SYS_SOCKETCALL, + "SYSLOG": syscall.SYS_SYSLOG, + "SETITIMER": syscall.SYS_SETITIMER, + "GETITIMER": syscall.SYS_GETITIMER, + "STAT": syscall.SYS_STAT, + "LSTAT": syscall.SYS_LSTAT, + "FSTAT": syscall.SYS_FSTAT, + "OLDUNAME": syscall.SYS_OLDUNAME, + "IOPL": syscall.SYS_IOPL, + "VHANGUP": syscall.SYS_VHANGUP, + "IDLE": syscall.SYS_IDLE, + 
"VM86": syscall.SYS_VM86, + "WAIT4": syscall.SYS_WAIT4, + "SWAPOFF": syscall.SYS_SWAPOFF, + "SYSINFO": syscall.SYS_SYSINFO, + "IPC": syscall.SYS_IPC, + "FSYNC": syscall.SYS_FSYNC, + "SIGRETURN": syscall.SYS_SIGRETURN, + "CLONE": syscall.SYS_CLONE, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "UNAME": syscall.SYS_UNAME, + "MODIFY_LDT": syscall.SYS_MODIFY_LDT, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "MPROTECT": syscall.SYS_MPROTECT, + "SIGPROCMASK": syscall.SYS_SIGPROCMASK, + "CREATE_MODULE": syscall.SYS_CREATE_MODULE, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, + "QUOTACTL": syscall.SYS_QUOTACTL, + "GETPGID": syscall.SYS_GETPGID, + "FCHDIR": syscall.SYS_FCHDIR, + "BDFLUSH": syscall.SYS_BDFLUSH, + "SYSFS": syscall.SYS_SYSFS, + "PERSONALITY": syscall.SYS_PERSONALITY, + "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "_LLSEEK": syscall.SYS__LLSEEK, + "GETDENTS": syscall.SYS_GETDENTS, + "_NEWSELECT": syscall.SYS__NEWSELECT, + "FLOCK": syscall.SYS_FLOCK, + "MSYNC": syscall.SYS_MSYNC, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "GETSID": syscall.SYS_GETSID, + "FDATASYNC": syscall.SYS_FDATASYNC, + "_SYSCTL": syscall.SYS__SYSCTL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "MREMAP": syscall.SYS_MREMAP, + "SETRESUID": 
syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "QUERY_MODULE": syscall.SYS_QUERY_MODULE, + "POLL": syscall.SYS_POLL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "PRCTL": syscall.SYS_PRCTL, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "CHOWN": syscall.SYS_CHOWN, + "GETCWD": syscall.SYS_GETCWD, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "SENDFILE": syscall.SYS_SENDFILE, + "GETPMSG": syscall.SYS_GETPMSG, + "PUTPMSG": syscall.SYS_PUTPMSG, + "VFORK": syscall.SYS_VFORK, + "UGETRLIMIT": syscall.SYS_UGETRLIMIT, + "READAHEAD": syscall.SYS_READAHEAD, + "PCICONFIG_READ": syscall.SYS_PCICONFIG_READ, + "PCICONFIG_WRITE": syscall.SYS_PCICONFIG_WRITE, + "PCICONFIG_IOBASE": syscall.SYS_PCICONFIG_IOBASE, + "MULTIPLEXER": syscall.SYS_MULTIPLEXER, + "GETDENTS64": syscall.SYS_GETDENTS64, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "MADVISE": syscall.SYS_MADVISE, + "MINCORE": syscall.SYS_MINCORE, + "GETTID": syscall.SYS_GETTID, + "TKILL": syscall.SYS_TKILL, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": 
syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "TUXCALL": syscall.SYS_TUXCALL, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "FADVISE64": syscall.SYS_FADVISE64, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "SWAPCONTEXT": syscall.SYS_SWAPCONTEXT, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "STATFS64": syscall.SYS_STATFS64, + "FSTATFS64": syscall.SYS_FSTATFS64, + "RTAS": syscall.SYS_RTAS, + "SYS_DEBUG_SETCONTEXT": syscall.SYS_SYS_DEBUG_SETCONTEXT, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "WAITID": syscall.SYS_WAITID, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + 
"IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "SPU_RUN": syscall.SYS_SPU_RUN, + "SPU_CREATE": syscall.SYS_SPU_CREATE, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SPLICE": syscall.SYS_SPLICE, + "TEE": syscall.SYS_TEE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + "NEWFSTATAT": syscall.SYS_NEWFSTATAT, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "GETCPU": syscall.SYS_GETCPU, + "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "SYNC_FILE_RANGE2": syscall.SYS_SYNC_FILE_RANGE2, + "FALLOCATE": syscall.SYS_FALLOCATE, + "SUBPAGE_PROT": syscall.SYS_SUBPAGE_PROT, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": 
syscall.SYS_FANOTIFY_MARK, + "PRLIMIT64": syscall.SYS_PRLIMIT64, + "SOCKET": syscall.SYS_SOCKET, + "BIND": syscall.SYS_BIND, + "CONNECT": syscall.SYS_CONNECT, + "LISTEN": syscall.SYS_LISTEN, + "ACCEPT": syscall.SYS_ACCEPT, + "GETSOCKNAME": syscall.SYS_GETSOCKNAME, + "GETPEERNAME": syscall.SYS_GETPEERNAME, + "SOCKETPAIR": syscall.SYS_SOCKETPAIR, + "SEND": syscall.SYS_SEND, + "SENDTO": syscall.SYS_SENDTO, + "RECV": syscall.SYS_RECV, + "RECVFROM": syscall.SYS_RECVFROM, + "SHUTDOWN": syscall.SYS_SHUTDOWN, + "SETSOCKOPT": syscall.SYS_SETSOCKOPT, + "GETSOCKOPT": syscall.SYS_GETSOCKOPT, + "SENDMSG": syscall.SYS_SENDMSG, + "RECVMSG": syscall.SYS_RECVMSG, + "RECVMMSG": syscall.SYS_RECVMMSG, + "ACCEPT4": syscall.SYS_ACCEPT4, + "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT, + "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT, + "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME, + "SYNCFS": syscall.SYS_SYNCFS, + "SENDMMSG": syscall.SYS_SENDMMSG, + "SETNS": syscall.SYS_SETNS, + "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV, + "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV, + "FINIT_MODULE": syscall.SYS_FINIT_MODULE, + "KCMP": syscall.SYS_KCMP, +} + +var SyscallMapMin = map[string]int{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/standard_init_linux.go b/standard_init_linux.go index 251c09f69..445c1fa29 100644 --- a/standard_init_linux.go +++ b/standard_init_linux.go @@ -99,5 +99,8 @@ func (l *linuxStandardInit) Init() error { if syscall.Getppid() != l.parentPid { return syscall.Kill(syscall.Getpid(), syscall.SIGKILL) } + if err := finalizeSeccomp(l.config); err != nil { + return err + } return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ()) } From 12a41c825d61aa65a982dcc6b801b06df7eb5292 Mon Sep 17 00:00:00 2001 
From: yangshukui Date: Fri, 22 May 2015 19:10:20 -0400 Subject: [PATCH 2/4] seccomp surport filter args 1. add args surport for seccomp 2. add CLONE_SECCOMP flag for preventing seccomp feature Signed-off-by: Yang Shukui --- Makefile | 1 + configs/config.go | 10 +- configs/namespaces_syscall.go | 17 +- configs/namespaces_unix.go | 13 +- container_linux.go | 7 + hack/seccomp.pl | 56 ++++ hack/seccomp.sh | 3 + hack/syscall.sample | 405 +++++++++++++++++++++++++++ init_linux.go | 14 +- integration/exec_test.go | 89 ++++-- integration/template_test.go | 4 + seccomp/seccomp.go | 481 +++++++++++++++++++++++++++++---- seccomp/seccomp.test | 107 ++++++++ seccomp/seccomp386.go | 117 ++++++++ seccomp/seccomp_test.go | 58 ++++ seccomp/syscall_linux_386.go | 364 ------------------------- seccomp/syscall_linux_amd64.go | 329 ---------------------- seccomp/syscall_linux_arm.go | 373 ------------------------- seccomp/syscall_linux_arm64.go | 294 -------------------- seccomp/syscall_linux_ppc64.go | 370 ------------------------- 20 files changed, 1295 insertions(+), 1817 deletions(-) create mode 100755 hack/seccomp.pl create mode 100755 hack/seccomp.sh create mode 100644 hack/syscall.sample mode change 100755 => 100644 seccomp/seccomp.go create mode 100644 seccomp/seccomp.test create mode 100644 seccomp/seccomp386.go create mode 100644 seccomp/seccomp_test.go delete mode 100644 seccomp/syscall_linux_386.go delete mode 100755 seccomp/syscall_linux_amd64.go delete mode 100644 seccomp/syscall_linux_arm.go delete mode 100644 seccomp/syscall_linux_arm64.go delete mode 100644 seccomp/syscall_linux_ppc64.go diff --git a/Makefile b/Makefile index 1a2e23e04..ac9570133 100644 --- a/Makefile +++ b/Makefile @@ -18,6 +18,7 @@ direct-test-short: go test $(TEST_TAGS) -cover -test.short -v $(GO_PACKAGES) direct-build: + hack/seccomp.sh go build -v $(GO_PACKAGES) direct-install: diff --git a/configs/config.go b/configs/config.go index f18afc81e..e75e5701a 100644 --- a/configs/config.go 
+++ b/configs/config.go @@ -13,6 +13,10 @@ type IDMap struct { Size int `json:"size"` } +type SeccompConf struct { + SysCalls []int `json:"syscalls"` +} + // TODO Windows. Many of these fields should be factored out into those parts // which are common across platforms, and those which are platform specific. @@ -61,9 +65,6 @@ type Config struct { // All capbilities not specified will be dropped from the processes capability mask Capabilities []string `json:"capabilities"` - // SysCalls specify the system calls to keep when executing the process inside the container - SysCalls []string `json:"syscalls"` - // Networks specifies the container's network setup to be created Networks []*Network `json:"networks"` @@ -107,4 +108,7 @@ type Config struct { // SystemProperties is a map of properties and their values. It is the equivalent of using // sysctl -w my.property.name value in Linux. SystemProperties map[string]string `json:"system_properties"` + + // SysCalls specify the system calls to keep when executing the process inside the container + Seccomps SeccompConf `json:"seccomp"` } diff --git a/configs/namespaces_syscall.go b/configs/namespaces_syscall.go index c962999ef..d3bd38934 100644 --- a/configs/namespaces_syscall.go +++ b/configs/namespaces_syscall.go 
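Review bot: The doc comment above the new `Seccomps` field still describes a field called SysCalls, so it no longer matches what it documents. I would change it to `// Seccomps holds the seccomp whitelist applied to the container's init process; finalizeSeccomp installs no filter when SysCalls is empty.` and, in the first hunk of this file, give the exported `SeccompConf` type and its `SysCalls` field comments of their own, noting that the numbers are raw syscall numbers and therefore architecture-specific (`// SysCalls lists syscall numbers for the target GOARCH; numbers are not portable across architectures.`). Exported names without a doc comment are also what golint flags first.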
@@ -4,17 +4,22 @@ package configs import "syscall" +var ( + CLONE_SECCOMP = 0x10000 //diffrent from other flag, hard code +) + func (n *Namespace) Syscall() int { return namespaceInfo[n.Type] } var namespaceInfo = map[NamespaceType]int{ - NEWNET: syscall.CLONE_NEWNET, - NEWNS: syscall.CLONE_NEWNS, - NEWUSER: syscall.CLONE_NEWUSER, - NEWIPC: syscall.CLONE_NEWIPC, - NEWUTS: syscall.CLONE_NEWUTS, - NEWPID: syscall.CLONE_NEWPID, + NEWNET: syscall.CLONE_NEWNET, + NEWNS: syscall.CLONE_NEWNS, + NEWUSER: syscall.CLONE_NEWUSER, + NEWIPC: syscall.CLONE_NEWIPC, + NEWUTS: syscall.CLONE_NEWUTS, + NEWPID: syscall.CLONE_NEWPID, + NEWSECCOMP: CLONE_SECCOMP, } // CloneFlags parses the container's Namespaces options to set the correct diff --git a/configs/namespaces_unix.go b/configs/namespaces_unix.go index 7bc908546..61dd74b89 100644 --- a/configs/namespaces_unix.go +++ b/configs/namespaces_unix.go @@ -5,12 +5,13 @@ package configs import "fmt" const ( - NEWNET NamespaceType = "NEWNET" - NEWPID NamespaceType = "NEWPID" - NEWNS NamespaceType = "NEWNS" - NEWUTS NamespaceType = "NEWUTS" - NEWIPC NamespaceType = "NEWIPC" - NEWUSER NamespaceType = "NEWUSER" + NEWNET NamespaceType = "NEWNET" + NEWPID NamespaceType = "NEWPID" + NEWNS NamespaceType = "NEWNS" + NEWUTS NamespaceType = "NEWUTS" + NEWIPC NamespaceType = "NEWIPC" + NEWUSER NamespaceType = "NEWUSER" + NEWSECCOMP NamespaceType = "NEWSECCOMP" ) func NamespaceTypes() []NamespaceType { diff --git a/container_linux.go b/container_linux.go index 215f35d38..b833c9e54 100644 --- a/container_linux.go +++ b/container_linux.go 
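Review bot: `CLONE_SECCOMP = 0x10000` is the value of CLONE_THREAD in the kernel's clone-flag space, so this pseudo-namespace flag is only safe as long as every caller strips it before the flags reach clone(2); the container_linux.go hunk does that by removing NEWSECCOMP and recomputing `CloneFlags()`, but any other consumer of `Namespaces.CloneFlags()` would create a thread instead of a process. A seccomp on/off switch does not belong in the namespace table at all — a boolean on the config, or simply `len(Seccomps.SysCalls) > 0`, avoids the collision and the strip-and-recompute dance. Minor: it is declared with `var`, so it can be reassigned at runtime, where `const` is the right form, and the comment should read `// not a real clone flag; must never reach clone(2), see newInitProcess`.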
@@ -169,6 +169,13 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c cmd.SysProcAttr.Credential = &syscall.Credential{} } } + if cloneFlags&uintptr(configs.CLONE_SECCOMP) != 0 { + //os don't surport for CLONE_SECCOMP, remote it + c.config.Namespaces.Remove(configs.NEWSECCOMP) + cloneFlags = c.config.Namespaces.CloneFlags() + } else { + c.config.Seccomps.SysCalls = []int{} + } cmd.Env = append(cmd.Env, t) cmd.SysProcAttr.Cloneflags = cloneFlags return &initProcess{ diff --git a/hack/seccomp.pl b/hack/seccomp.pl new file mode 100755 index 000000000..eed74152a --- /dev/null +++ b/hack/seccomp.pl @@ -0,0 +1,56 @@ +#!/usr/bin/perl + +# ./seccomp.pl < syscall.sample > seccompsyscall.go + +use strict; +use warnings; + +my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n"; + +if($pid == 0) { + $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n"; + if($pid == 0) { + exec "cpp" or die "Couldn't exec cpp ($!)\n"; + exit 1; + } + + print $out "#include \n"; + while(<>) { + if(/^\w/) { + my $name="$_"; + chomp($name); + + print $out $name; + print $out " = "; + print $out "__NR_$_"; + } + } + close $out; + exit 0; +} +print "package seccomp\r\n\r\n"; +print "var syscallMap = map[string] int {\n"; +while(<$in>) { + my $line=$_; + + if($line =~ /^[\da-z_]/) + { + my @personal=split(/=/); + $personal[0] =~ s/[ ]//; + $personal[1] =~ s/[\r\n]//; + print " \""; + print $personal[0]; + print "\""; + print " : "; + if (($personal[1] !~ /[0-9]/) || length($personal[1]) > 4) + { + print "-1,\r\n"; + }else{ + print $personal[1]; + print ",\r\n"; + } + } +} + +print "}\r\n"; + diff --git a/hack/seccomp.sh b/hack/seccomp.sh new file mode 100755 index 000000000..3b35d500f --- /dev/null +++ b/hack/seccomp.sh @@ -0,0 +1,3 @@ +#/bin/bash +cat seccomp/seccomp_main.go | sed '1,5d' > ~/seccomp_main.go +hack/seccomp.pl < hack/syscall.sample > seccomp/seccompsyscall.go 
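Review bot: The `else` branch silently empties `c.config.Seccomps.SysCalls`, so a config that lists syscalls but omits the NEWSECCOMP namespace entry runs the container with no filter and no error — a fail-open path that a misconfiguration never surfaces. I would fail instead, roughly `if len(c.config.Seccomps.SysCalls) > 0 { return nil, errors.New("seccomp syscalls configured but NEWSECCOMP namespace not set") }` (adjust to the function's actual return signature, which is outside the hunk), or drop the namespace indirection and enable filtering purely from the syscall list. Both branches also mutate `c.config` in place from a method that builds a process, so the result depends on how many times newInitProcess has been called; the comment should at least read `// CLONE_SECCOMP is not a kernel flag: drop it before the flags reach clone(2)`.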
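Review bot: The first line of hack/seccomp.sh, `#/bin/bash`, is a comment rather than a shebang, so the kernel cannot execute the file directly and it only runs when the invoking shell falls back to interpreting it; use `#!/bin/bash` and `set -euo pipefail` so a failing `seccomp.pl` does not leave a truncated seccomp/seccompsyscall.go behind. The script also copies `seccomp/seccomp_main.go`, a file this patch does not add, into the user's home directory, and the Makefile hunk runs it on every `direct-build`; a build step should not write outside the tree.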
diff --git a/hack/syscall.sample b/hack/syscall.sample new file mode 100644 index 000000000..b1f61d5d7 --- /dev/null +++ b/hack/syscall.sample 
@@ -0,0 +1,405 @@ +access +chdir +chmod +chown +chown32 +close +creat +dup +dup2 +dup3 +epoll_create +epoll_create1 +epoll_ctl +epoll_ctl_old +epoll_pwait +epoll_wait +epoll_wait_old +eventfd +eventfd2 +faccessat +fadvise64 +fadvise64_64 +fallocate +fanotify_init +fanotify_mark +ioctl +fchdir +fchmod +fchmodat +fchown +fchown32 +fchownat +fcntl +fcntl64 +fdatasync +fgetxattr +flistxattr +flock +fremovexattr +fsetxattr +fstat +fstat64 +fstatat64 +fstatfs +fstatfs64 +fsync +ftruncate +ftruncate64 +getcwd +getdents +getdents64 +getxattr +inotify_add_watch +inotify_init +inotify_init1 +inotify_rm_watch +io_cancel +io_destroy +io_getevents +io_setup +io_submit +lchown +lchown32 +lgetxattr +link +linkat +listxattr +llistxattr +llseek +_llseek +lremovexattr +lseek +lsetxattr +lstat +lstat64 +mkdir +mkdirat +mknod +mknodat +newfstatat +_newselect +oldfstat +oldlstat +oldolduname +oldstat +olduname +oldwait4 +open +openat +pipe +pipe2 +poll +ppoll +pread64 +preadv +futimesat +pselect6 +pwrite64 +pwritev +read +readahead +readdir +readlink +readlinkat +readv +removexattr +rename +renameat +rmdir +select +sendfile +sendfile64 +setxattr +splice +stat +stat64 +statfs +statfs64 +symlink +symlinkat +sync +sync_file_range +sync_file_range2 +syncfs +tee +truncate +truncate64 +umask +unlink +unlinkat +ustat +utime +utimensat +utimes +write +writev + +// Network related +accept +accept4 +bind +connect +getpeername +getsockname +getsockopt +listen +recv +recvfrom +recvmmsg +recvmsg +send +sendmmsg +sendmsg +sendto +setsockopt +shutdown +socket +socketcall +socketpair +sethostname + +// Signal related +pause +rt_sigaction +rt_sigpending +rt_sigprocmask +rt_sigqueueinfo +rt_sigreturn +rt_sigsuspend +rt_sigtimedwait +rt_tgsigqueueinfo +sigaction +sigaltstack +signal +signalfd +signalfd4 +sigpending +sigprocmask +sigreturn +sigsuspend + +// Other needed POSIX +alarm +brk +clock_adjtime +clock_getres +clock_gettime +clock_nanosleep +clock_settime +gettimeofday +nanosleep +nice +sysinfo 
+syslog +time +timer_create +timer_delete +timerfd_create +timerfd_gettime +timerfd_settime +timer_getoverrun +timer_gettime +timer_settime +times +uname + +// Memory control +madvise +mbind +mincore +mlock +mlockall +mmap +mmap2 +mprotect +mremap +msync +munlock +munlockall +munmap +remap_file_pages +set_mempolicy +vmsplice + +// Process control +capget +capset +clone +execve +exit +exit_group +fork +getcpu +getpgid +getpgrp +getpid +getppid +getpriority +getresgid +getresgid32 +getresuid +getresuid32 +getrlimit +getrusage +getsid +getuid +getuid32 +getegid +getegid32 +geteuid +geteuid32 +getgid +getgid32 +getgroups +getgroups32 +getitimer +get_mempolicy +kill +prctl +prlimit64 +sched_getaffinity +sched_getparam +sched_get_priority_max +sched_get_priority_min +sched_getscheduler +sched_rr_get_interval +sched_setaffinity +sched_setparam +sched_setscheduler +sched_yield +setfsgid +setfsgid32 +setfsuid +setfsuid32 +setgid +setgid32 +setgroups +setgroups32 +setitimer +setpgid +setpriority +setregid +setregid32 +setresgid +setresgid32 +setresuid +setresuid32 +setreuid +setreuid32 +setrlimit +setsid +setuid +setuid32 +ugetrlimit +vfork +wait4 +waitid +waitpid + +// IPC +ipc +mq_getsetattr +mq_notify +mq_open +mq_timedreceive +mq_timedsend +mq_unlink +msgctl +msgget +msgrcv +msgsnd +semctl +semget +semop +semtimedop +shmat +shmctl +shmdt +shmget + +// Linux specific, mostly needed for thread-related stuff +arch_prctl +get_robust_list +get_thread_area +gettid +futex +restart_syscall +set_robust_list +set_thread_area +set_tid_address +tgkill +tkill + +// Admin syscalls, these are blocked +acct +adjtimex +bdflush +chroot +create_module +delete_module +get_kernel_syms +idle +init_module +ioperm +iopl +ioprio_get +ioprio_set +kexec_load +lookup_dcookie +migrate_pages +modify_ldt +mount +move_pages +name_to_handle_at +nfsservctl +open_by_handle_at +perf_event_open +pivot_root +process_vm_readv +process_vm_writev +ptrace +query_module +quotactl +reboot +setdomainname +setns 
+settimeofday +sgetmask +ssetmask +stime +swapoff +swapon +_sysctl +sysfs +sys_setaltroot +umount +umount2 +unshare +uselib +vhangup +vm86 +vm86old + +// Kernel key management +add_key +keyctl +request_key + +// Unimplemented +afs_syscall +break +ftime +getpmsg +gtty +lock +madvise1 +mpx +prof +profil +putpmsg +security +stty +tuxcall +ulimit +vserver diff --git a/init_linux.go b/init_linux.go index 969d4c2a2..bd97364e5 100644 --- a/init_linux.go +++ b/init_linux.go @@ -262,15 +262,13 @@ func killCgroupProcesses(m cgroups.Manager) error { } func finalizeSeccomp(config *initConfig) error { - scmpCtx, _ := seccomp.ScmpInit(seccomp.ScmpActAllow) - if 0 == len(config.Config.SysCalls) { - for key := range seccomp.SyscallMap { + if len(config.Config.Seccomps.SysCalls) > 0 { + scmpCtx, _ := seccomp.ScmpInit(seccomp.ScmpActAllow) + for _, key := range config.Config.Seccomps.SysCalls { seccomp.ScmpAdd(scmpCtx, key, seccomp.ScmpActAllow) } - } else { - for _, call := range config.Config.SysCalls { - seccomp.ScmpAdd(scmpCtx, call, seccomp.ScmpActAllow) - } + return seccomp.ScmpLoad(scmpCtx) } - return seccomp.ScmpLoad(scmpCtx) + + return nil } diff --git a/integration/exec_test.go b/integration/exec_test.go index df6569b0a..f9dcc0037 100644 --- a/integration/exec_test.go +++ b/integration/exec_test.go @@ -1,11 +1,15 @@ package integration import ( + "bufio" "bytes" + "errors" "fmt" + "io" "io/ioutil" "os" "path/filepath" + "runtime" "strconv" "strings" "syscall" @@ -14,7 +18,6 @@ import ( "github.com/docker/libcontainer" "github.com/docker/libcontainer/cgroups/systemd" "github.com/docker/libcontainer/configs" - "github.com/docker/libcontainer/seccomp" ) func TestExecPS(t *testing.T) { 
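Review bot: finalizeSeccomp discards the errors from `seccomp.ScmpInit` and `seccomp.ScmpAdd`, so a number the library rejects (ScmpAdd returns "syscall not surport" for calls above sysCallMax in the seccomp.go hunk) is dropped from the whitelist with no diagnostic, and a nil context from a failed init would be dereferenced. Since this function is the security boundary, every failure should abort the init rather than proceed; note that propagating the "syscall exist" error also makes duplicate entries in SysCalls fatal, which I think is the right call but should be a conscious one. The rewrite below propagates both errors and keeps the empty-list-means-no-filter behaviour.
```go
func finalizeSeccomp(config *initConfig) error {
	if len(config.Config.Seccomps.SysCalls) == 0 {
		return nil
	}
	scmpCtx, err := seccomp.ScmpInit(seccomp.ScmpActAllow)
	if err != nil {
		return err
	}
	for _, key := range config.Config.Seccomps.SysCalls {
		if err := seccomp.ScmpAdd(scmpCtx, key, seccomp.ScmpActAllow); err != nil {
			return err
		}
	}
	return seccomp.ScmpLoad(scmpCtx)
}
```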
@@ -717,24 +720,78 @@ func TestSystemProperties(t *testing.T) { } } -func allExcept(calls []string) []string { - num := len(seccomp.SyscallMap) - len(calls) - filter := make([]string, num) +func genSeccompConfigFile(file string, calls []int) error { + callBegin := 0 + callEnd := 0 + if runtime.GOARCH == "386" { + callEnd = 340 + } else if runtime.GOARCH == "amd64" { + callEnd = 302 + } else if runtime.GOARCH == "arm" { + callEnd = 377 + } else if runtime.GOARCH == "arm64" { + callEnd = 281 + } else if runtime.GOARCH == "ppc64" || runtime.GOARCH == "ppc64le" { + callEnd = 354 + } + + conf := fmt.Sprintf("%d\nwhitelist\n", 1) i := 0 - for key := range seccomp.SyscallMap { + nr := callBegin + for nr <= callEnd { j := 0 - for _, key1 := range calls { - if strings.EqualFold(key, key1) { + for _, key := range calls { + if nr == key { break } j++ } if j == len(calls) { - filter[i] = key + callfilter := fmt.Sprintf("%d\n", nr) + conf += callfilter i++ } + nr++ } - return filter + fout, err := os.Create(file) + defer fout.Close() + if err == nil { + fout.WriteString(conf) + } + return nil +} + +func genSeccompSyscall(configFile string, Seccomps *configs.SeccompConf) error { + f, err := os.Open(configFile) + defer f.Close() + if nil == err { + buff := bufio.NewReader(f) + firstl, err := buff.ReadString('\n') + if err != nil || io.EOF == err { + return errors.New("initSeccomp ReadString, firstl") + } + ver := 0 + fmt.Sscanf(firstl, "%d\n", &ver) + if err != nil || 1 != ver { + return errors.New("initSeccomp Sscanf") + } + + secondl, err := buff.ReadString('\n') + if err != nil || io.EOF == err || strings.EqualFold(secondl, "whitelist") { + return errors.New("initSeccomp ReadString, secondl") + } + nr := 0 + for { + line, err := buff.ReadString('\n') + if err != nil || io.EOF == err { + break + } + fmt.Sscanf(line, "%d\n", &nr) + Seccomps.SysCalls = append(Seccomps.SysCalls, nr) + } + return nil + } + return nil } func TestSeccompNotStat(t *testing.T) { 
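Review bot: In `genSeccompConfigFile`, `defer fout.Close()` runs before `err` is checked, so a failed `os.Create` dereferences a nil *os.File, and the function returns nil regardless; `genSeccompSyscall` has the same defer-before-check pattern and also returns nil when `os.Open` fails, so the seccomp tests would then run against an empty whitelist and pass or fail for the wrong reason. The header check `strings.EqualFold(secondl, "whitelist")` is inverted (it rejects the expected header) and, because `secondl` keeps its trailing newline, never matches either way; `strings.TrimSpace(secondl) != "whitelist"` is what was meant. Both helpers should check the error before deferring the close and return it; `genSeccompConfigFile`'s tail would become the lines below, with `os.Open` in the other helper handled the same way.
```go
	fout, err := os.Create(file)
	if err != nil {
		return err
	}
	defer fout.Close()
	_, err = fout.WriteString(conf)
	return err
```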
@@ -747,13 +804,13 @@ func TestSeccompNotStat(t *testing.T) { t.Fatal(err) } defer remove(rootfs) - config := newTemplateConfig(rootfs) - exceptCall := []string{"STAT"} - config.SysCalls = allExcept(exceptCall) + exceptCall := []int{syscall.SYS_STAT} + genSeccompConfigFile("seccomp.conf", exceptCall) + genSeccompSyscall("seccomp.conf", &config.Seccomps) out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l") if err == nil { - t.Fatal("runContainer should be failed") + t.Fatal("runontainer[ls without SYS_STAT] should be failed") } else { fmt.Println(out) } @@ -763,7 +820,6 @@ func TestSeccompStat(t *testing.T) { if testing.Short() { return } - rootfs, err := newRootfs() if err != nil { t.Fatal(err) @@ -771,8 +827,9 @@ func TestSeccompStat(t *testing.T) { defer remove(rootfs) config := newTemplateConfig(rootfs) - exceptCall := []string{} - config.SysCalls = allExcept(exceptCall) + exceptCall := []int{} + genSeccompConfigFile("seccomp.conf", exceptCall) + genSeccompSyscall("seccomp.conf", &config.Seccomps) out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l") if err != nil { t.Fatal(err) diff --git a/integration/template_test.go b/integration/template_test.go index cb991b417..02a738e9f 100644 --- a/integration/template_test.go +++ b/integration/template_test.go @@ -44,6 +44,7 @@ func newTemplateConfig(rootfs string) *configs.Config { {Type: configs.NEWIPC}, {Type: configs.NEWPID}, {Type: configs.NEWNET}, + {Type: configs.NEWSECCOMP}, }), Cgroups: &configs.Cgroup{ Name: "test", @@ -114,5 +115,8 @@ func newTemplateConfig(rootfs string) *configs.Config { Soft: uint64(1025), }, }, + Seccomps: configs.SeccompConf{ + SysCalls: make([]int, 0, 512), + }, } } diff --git a/seccomp/seccomp.go b/seccomp/seccomp.go old mode 100755 new mode 100644 index 6e74ae75d..91a6fb79d --- a/seccomp/seccomp.go +++ b/seccomp/seccomp.go 
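Review bot: `config := newTemplateConfig(rootfs)` is removed from TestSeccompNotStat while the new lines still use `config` (`&config.Seccomps`, `runContainer(config, …)`), so unless `config` is declared earlier in the function, outside the hunk, this test no longer compiles; the TestSeccompStat hunk keeps that line, which suggests the removal here is accidental. The return values of both helpers are ignored in both tests, and `"seccomp.conf"` is written into the working directory and never removed — `filepath.Join(rootfs, "seccomp.conf")` would make it go away with the deferred `remove(rootfs)`. To my knowledge `syscall.SYS_STAT` is not defined for linux/arm64 in the syscall package, although the helper enumerates arm64, so the file may not build there; a syscall present on every listed GOARCH, or a build tag, would avoid that.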
@@ -3,10 +3,70 @@ package seccomp import ( "errors" "fmt" + "os" + "os/signal" + "runtime" + "strings" "syscall" "unsafe" ) +const ( + EQ = 0 + NE = 1 + GE = 2 + LE = 3 +) + +const ( + ALLOW = 0 + DENY = 1 + JUMP = 2 +) + +const ( + JUMP_JT = 0xff + JUMP_JF = 0xff + LABEL_JT = 0xfe + LABEL_JF = 0xfe +) + +const ( + pseudoCall = 30 +) + +const ( + ScmpActAllow = 0x0 + + PF_LD = 0x0 + BPF_RET = syscall.BPF_RET + BPF_K = syscall.BPF_K + BPF_ABS = syscall.BPF_ABS + BPF_JMP = syscall.BPF_JMP + BPF_JEQ = syscall.BPF_JEQ + BPF_W = syscall.BPF_W + BPF_LD = syscall.BPF_LD + BPF_JA = syscall.BPF_JA + BPF_MEM = syscall.BPF_MEM + BPF_ST = syscall.BPF_ST + BPF_JGT = syscall.BPF_JGT + BPF_JGE = syscall.BPF_JGE + BPF_JSET = syscall.BPF_JSET + + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +type seccompData struct { + nr int32 + arch uint32 + insPointer uint64 + args [6]uint64 +} + type sockFilter struct { code uint16 jt uint8 
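Review bot: `seccompData` carries the `arch` field, but the filter built from it never compares it — ScmpInit in a later hunk loads only `nr` at offset 0 — so syscall numbers are matched without confirming which ABI issued them, and a compat-ABI call that happens to share a number with a whitelisted one is treated as that call. The kernel's seccomp documentation recommends that every filter begin with a load of `arch` and a `BPF_JEQ` against the expected AUDIT_ARCH_* value that falls through to a KILL return; `SECCOMP_RET_KILL` is already defined here and otherwise unused by the new code. Separately, `PF_LD = 0x0` is the value of BPF_LD and is mixed with the `syscall.BPF_*` aliases in ScmpInit; reusing `BPF_LD` avoids a second name for the same opcode. The struct deserves `// seccompData mirrors struct seccomp_data from <linux/seccomp.h>; field order and sizes must match the kernel ABI, since unsafe.Offsetof on it feeds the BPF loads.`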
@@ -19,58 +79,207 @@ type sockFprog struct { filt []sockFilter } +type FilterArgs struct { + Args []Filter +} + type Action struct { - syscall uint32 - action int - args []string + action int + args []FilterArgs +} + +type Filter struct { + Arg uint32 //index of args which start from zero + Op int //operation, such ass EQ/NE/GE/LE + V uint //the value of arg +} + +type bpfLabel struct { + label string + location uint32 +} + +type bpfLabels struct { + count uint32 + labels []bpfLabel } type ScmpCtx struct { - CallMap map[string]Action - act int + CallMap map[int]*Action + filter []sockFilter + label bpfLabels } -var ScmpActAllow = 0 +type argOFunc func(uint32) uint32 +type argFunc func(*ScmpCtx, uint32) +type jFunc func(*ScmpCtx, uint, sockFilter) +type addFunc func(ctx *ScmpCtx, call int, action int, args ...FilterArgs) error -func ScmpInit(action int) (*ScmpCtx, error) { - ctx := ScmpCtx{ - CallMap: make(map[string]Action), - act: action, +var secData seccompData = seccompData{0, 0, 0, [6]uint64{0, 0, 0, 0, 0, 0}} +var hiArg argOFunc +var loArg argOFunc +var arg argFunc +var jEq jFunc +var jNe jFunc +var jGe jFunc +var jLe jFunc +var secAdd addFunc = nil + +var op [4]jFunc + +var ( + sysCallMin = 0 + sysCallMax = 0 +) +var sigSec bool = false + +func arg32(ctx *ScmpCtx, idx uint32) { + ctx.filter = append(ctx.filter, + scmpBpfStmt(BPF_LD+BPF_W+BPF_ABS, loArg(idx))) +} + +func jEq32(ctx *ScmpCtx, v uint, jt sockFilter) { + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, uint32(v), 0, 1)) + ctx.filter = append(ctx.filter, jt) +} + +func jNe32(ctx *ScmpCtx, v uint, jt sockFilter) { + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, uint32(v), 1, 0)) + ctx.filter = append(ctx.filter, jt) +} + +func jGe32(ctx *ScmpCtx, v uint, jt sockFilter) { + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGE+BPF_K, uint32(v), 0, 1)) + ctx.filter = append(ctx.filter, jt) +} + +func jLe32(ctx *ScmpCtx, v uint, jt sockFilter) { + 
ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, uint32(v), 1, 0)) + ctx.filter = append(ctx.filter, jt) +} + +func arg64(ctx *ScmpCtx, idx uint32) { + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_W+BPF_ABS, loArg(idx))) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_ST, 0)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_W+BPF_ABS, hiArg(idx))) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_ST, 1)) +} + +func jNe64(ctx *ScmpCtx, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 5, 0)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 0)) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (lo), 2, 0)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) + ctx.filter = append(ctx.filter, jt) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) +} + +func jGe64(ctx *ScmpCtx, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, (hi), 4, 0)) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 0)) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGE+BPF_K, (lo), 0, 2)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) + ctx.filter = append(ctx.filter, jt) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) +} + +func jEq64(ctx *ScmpCtx, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 0)) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (lo), 0, 2)) + ctx.filter = append(ctx.filter, 
scmpBpfStmt(BPF_LD+BPF_MEM, 1)) + ctx.filter = append(ctx.filter, jt) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) +} + +func jLe64(ctx *ScmpCtx, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, (hi), 6, 0)) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 3)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 0)) + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0)) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) + ctx.filter = append(ctx.filter, jt) + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) +} + +func allow(ctx *ScmpCtx) { + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)) +} + +func deny(ctx *ScmpCtx) { + ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_TRAP)) +} + +func jump(ctx *ScmpCtx, lb string) { + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JA, findLabel(&ctx.label, lb), + JUMP_JT, JUMP_JF)) +} + +func label(ctx *ScmpCtx, lb string) { + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JA, findLabel(&ctx.label, lb), + LABEL_JT, LABEL_JF)) +} + +func secCall(ctx *ScmpCtx, nr int, jt sockFilter) { + ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, uint32(nr), 0, 1)) + ctx.filter = append(ctx.filter, jt) +} + +func findLabel(labels *bpfLabels, lb string) uint32 { + var id uint32 + for id = 0; id < labels.count; id++ { + if true == strings.EqualFold(lb, labels.labels[id].label) { + return id + } } - return &ctx, nil + tlabel := bpfLabel{lb, 0xffffffff} + labels.labels = append(labels.labels, tlabel) + labels.count += 1 + return id } -func ScmpAdd(ctx *ScmpCtx, call string, action int, args ...string) error { - _, exists := ctx.CallMap[call] - if exists { - return errors.New("syscall exist") +func hiArgLittle(idx uint32) 
uint32 { + if idx < 0 || idx >= 6 { + return 0 } - //fmt.Printf("%s\n", call) + hi := uint32(unsafe.Offsetof(secData.args)) + uint32(unsafe.Alignof(secData.args[0]))*idx + uint32(unsafe.Sizeof(secData.arch)) + return uint32(hi) +} - sysCall, sysExists := SyscallMap[call] - if sysExists { - ctx.CallMap[call] = Action{sysCall, action, args} - return nil +func hiArgBig(idx uint32) uint32 { + if idx >= 6 { + return 0 } - return errors.New("syscall not surport") + hi := uint32(unsafe.Offsetof(secData.args)) + 8*idx + return uint32(hi) } -func ScmpDel(ctx *ScmpCtx, call string) error { - _, exists := ctx.CallMap[call] - if exists { - delete(ctx.CallMap, call) - return nil +func isLittle() bool { + litEndian := true + x := 0x1234 + p := unsafe.Pointer(&x) + p2 := (*[unsafe.Sizeof(0)]byte)(p) + if p2[0] == 0 { + litEndian = false } - - return errors.New("syscall not exist") + return litEndian } -func ScmpBpfStmt(code uint16, k uint32) sockFilter { +func scmpBpfStmt(code uint16, k uint32) sockFilter { return sockFilter{code, 0, 0, k} } -func ScmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter { +func scmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter { return sockFilter{code, jt, jf, k} } 
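Review bot: As I trace the jump offsets in `jNe64`, `jt` is reached only when both the high and the low word differ from `v`: a matching high word jumps 5 past everything, and a differing high word still falls into the low-word compare, where a matching low word jumps over `jt`. An argument that differs from the value in only one half is therefore treated as equal, which makes NE rules on 64-bit arguments weaker than configured; changing the first jump to `scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 2)` sends a high-word mismatch straight to the restore-and-`jt` pair, and the low-word `(lo), 2, 0` then already does the right thing (the other three 64-bit helpers trace correctly). `deny` now emits SECCOMP_RET_TRAP, whose SIGSYS the filtered process can catch, where the removed filter ended in SECCOMP_RET_KILL; the syscall is still blocked either way, but the choice should be stated in a comment on `deny`. Minor: `idx < 0` in `hiArgLittle` is always false for a uint32 and go vet will flag it, and `findLabel` compares generated labels with `EqualFold` where `==` is the intent.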
@@ -91,33 +300,154 @@ func scmpfilter(prog *sockFprog) (err error) {
 	return nil
 }
+func CombineArgs(args1 []FilterArgs, args2 []FilterArgs) []FilterArgs {
+	ilen1 := len(args1)
+	if ilen1 > len(args2) {
+		ilen1 = len(args2)
+	}
+	for i1 := 0; i1 < ilen1; i1++ {
+		jlen1 := len(args1[i1].Args)
+		jlen2 := len(args2[i1].Args)
+		for j2 := 0; j2 < jlen2; j2++ {
+			num := 0
+			for j1 := 0; j1 < jlen1; j1++ {
+				if args1[i1].Args[j1] == args2[i1].Args[j2] {
+					break
+				}
+				num = num + 1
+			}
+			if num == jlen1 {
+				args1[i1].Args = append(args1[i1].Args, args2[i1].Args[j2])
+			}
+		}
+	}
+	if ilen1 < len(args2) {
+		args1 = append(args1, args2[ilen1:]...)
+	}
+	return args1
+}
+
+func Sys(call string) int {
+	number, exists := syscallMap[call]
+	if exists {
+		return number
+	}
+	return -1
+}
+
+func ScmpInit(action int) (*ScmpCtx, error) {
+	ctx := ScmpCtx{
+		CallMap: make(map[int]*Action),
+		filter: make([]sockFilter, 0, 128),
+		label: bpfLabels{
+			count: 0,
+			labels: make([]bpfLabel, 0, 128),
+		},
+	}
+
+	ctx.filter = append(ctx.filter,
+		sockFilter{PF_LD + BPF_W + BPF_ABS, 0, 0, uint32(unsafe.Offsetof(secData.nr))})
+	return &ctx, nil
+}
+
+func ScmpDel(ctx *ScmpCtx, call int) error {
+	_, exists := ctx.CallMap[call]
+	if exists {
+		delete(ctx.CallMap, call)
+		return nil
+	}
+
+	return errors.New("syscall not exist")
+}
+
+func ScmpAdd(ctx *ScmpCtx, call int, action int, args ...FilterArgs) error {
+	if call < 0 {
+		return errors.New("syscall error, call < 0")
+	}
+
+	if call <= sysCallMax {
+		_, exists := ctx.CallMap[call]
+		if exists {
+			return errors.New("syscall exist")
+		}
+		ctx.CallMap[call] = &Action{action, args}
+		return nil
+	} else {
+		if nil != secAdd {
+			return secAdd(ctx, call, action, args...)
+		}
+	}
+
+	return errors.New("syscall not surport")
+}
+
 func ScmpLoad(ctx *ScmpCtx) error {
-	for key := range SyscallMapMin {
-		ScmpAdd(ctx, key, ScmpActAllow)
+	for call, act := range ctx.CallMap {
+		if len(act.args) == 0 {
+			secCall(ctx, call, scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_ALLOW))
+		} else {
+			if len(act.args[0].Args) > 0 {
+				lb := fmt.Sprintf("lb-%d-%d", call, act.args[0].Args[0].Arg)
+				secCall(ctx, call,
+					scmpBpfJump(BPF_JMP+BPF_JA, findLabel(&ctx.label, lb),
+						JUMP_JT, JUMP_JF))
+			}
+		}
 	}
+	deny(ctx)
-	num := len(ctx.CallMap)
-	filter := make([]sockFilter, num*2+3)
+	for call, act := range ctx.CallMap {
+		for i := 0; i < len(act.args); i++ {
+			if len(act.args[i].Args) > 0 {
+				lb := fmt.Sprintf("lb-%d-%d", call, act.args[i].Args[0].Arg)
+				label(ctx, lb)
+				arg(ctx, act.args[i].Args[0].Arg)
+			}
-	i := 0
-	filter[i] = ScmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, 0)
-	i++
+			for j := 0; j < len(act.args[i].Args); j++ {
+				var jf sockFilter
+				if len(act.args)-1 > i && len(act.args[i+1].Args) > 0 {
+					lbj := fmt.Sprintf("lb-%d-%d", call, act.args[i+1].Args[0].Arg)
+					jf = scmpBpfJump(BPF_JMP+BPF_JA,
+						findLabel(&ctx.label, lbj), JUMP_JT, JUMP_JF)
+				} else {
+					jf = scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+				}
+				op[act.args[i].Args[j].Op](ctx, act.args[i].Args[j].V, jf)
+			}
-	for _, value := range ctx.CallMap {
-		filter[i] = ScmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, value.syscall, 0, 1)
-		i++
-		filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_ALLOW)
-		i++
+			deny(ctx)
+		}
 	}
-	filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_TRAP)
-	i++
-	filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_KILL)
-	i++
+	idx := int32(len(ctx.filter) - 1)
+	for ; idx >= 0; idx-- {
+		filter := &ctx.filter[idx]
+		if filter.code != (BPF_JMP + BPF_JA) {
+			continue
+		}
+		rel := int32(filter.jt)<<8 | int32(filter.jf)
+		if ((JUMP_JT << 8) | JUMP_JF) == rel {
+			if ctx.label.labels[filter.k].location == 0xffffffff {
+				return errors.New("Unresolved label")
+			}
+			filter.k = ctx.label.labels[filter.k].location - uint32(idx+1)
+			filter.jt = 0
+			filter.jf = 0
+		} else if ((LABEL_JT << 8) | LABEL_JF) == rel {
+			if ctx.label.labels[filter.k].location != 0xffffffff {
+				return errors.New("Duplicate label use")
+			}
+			ctx.label.labels[filter.k].location = uint32(idx)
+			filter.k = 0
+			filter.jt = 0
+			filter.jf = 0
+		}
+	}
 	prog := sockFprog{
-		len: uint16(i),
-		filt: filter,
+		len: uint16(len(ctx.filter)),
+		filt: ctx.filter,
 	}
 	if nil != prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) {
@@ -131,3 +461,58 @@ func ScmpLoad(ctx *ScmpCtx) error {
 	}
 	return nil
 }
+
+func sigSeccomp() {
+	sigSec = true
+}
+
+func ScmpError() bool {
+	ret := sigSec
+	sigSec = false
+	return ret
+}
+
+func init() {
+	if runtime.GOARCH == "386" {
+		sysCallMax = 340
+	} else if runtime.GOARCH == "amd64" {
+		sysCallMax = 302
+	} else if runtime.GOARCH == "arm" {
+		sysCallMax = 377
+	} else if runtime.GOARCH == "arm64" {
+		sysCallMax = 281
+	} else if runtime.GOARCH == "ppc64" {
+		sysCallMax = 354
+	} else if runtime.GOARCH == "ppc64le" {
+		sysCallMax = 354
+	}
+	if isLittle() {
+		hiArg = hiArgLittle
+		loArg = hiArgBig
+	} else {
+		hiArg = hiArgBig
+		loArg = hiArgLittle
+	}
+
+	var length int
+	if 8 == int(unsafe.Sizeof(length)) {
+		arg = arg64
+		jEq = jEq64
+		jNe = jNe64
+		jGe = jGe64
+		jLe = jLe64
+	} else {
+		arg = arg32
+		jEq = jEq32
+		jNe = jNe32
+		jGe = jGe32
+		jLe = jLe32
+	}
+	op[EQ] = jEq
+	op[NE] = jNe
+	op[GE] = jGe
+	op[LE] = jLe
+	chSignal := make(chan os.Signal)
+	signal.Notify(chSignal, syscall.SIGSYS)
+	go sigSeccomp()
+}
diff --git a/seccomp/seccomp.test b/seccomp/seccomp.test
new file mode 100644
index 000000000..25a5554ff
--- /dev/null
+++ b/seccomp/seccomp.test
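Review bot: The filter prologue ScmpInit emits loads only `secData.nr`, and ScmpLoad never compares `secData.arch`, so syscall numbers are matched without checking which ABI they belong to; on amd64 a call entering through the 32-bit or x32 entry point is judged against the 64-bit table. The prologue should load `unsafe.Offsetof(secData.arch)` and `BPF_JMP+BPF_JEQ+BPF_K` it against the build's `AUDIT_ARCH_*` constant (`AUDIT_ARCH_X86_64` on amd64), falling into `deny` on mismatch, before the nr load (and note that load is spelled `PF_LD` here while the rest of the file uses `BPF_LD`; if those are not the same constant the opcode is wrong). `deny`, which every miss ends in, returns `SECCOMP_RET_TRAP`, which a confined process can catch with a SIGSYS handler and continue from, so for an allow-list default `SECCOMP_RET_KILL` is the stronger choice; `deny` itself is defined outside this hunk. ScmpLoad also keys labels on `fmt.Sprintf("lb-%d-%d", call, act.args[i].Args[0].Arg)`, so two FilterArgs groups for the same syscall that both start on the same argument index (a `GE`/`LE` range, say) collide and fail at load with "Duplicate label use" instead of expressing the range; including `i` in the label name avoids that.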
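Review bot: `go sigSeccomp()` at the end of init sets `sigSec = true` unconditionally as soon as the package loads and never receives from `chSignal`, so ScmpError reports one violation that never happened and no real SIGSYS delivery is ever observed; `signal.Notify` also wants a buffered channel, otherwise deliveries are dropped. The goroutine should drain the channel: `chSignal := make(chan os.Signal, 1)` / `signal.Notify(chSignal, syscall.SIGSYS)` / `go func() { for range chSignal { sigSeccomp() } }()`. Once that is done `sigSec` is written by that goroutine and read and cleared by ScmpError with no synchronization, so it should become an atomic or mutex-guarded flag. Registering a process-wide SIGSYS handler from a library init also means a `SECCOMP_RET_TRAP` denial in this process is caught rather than fatal, so the denied call returns to the caller instead of stopping the process; a doc comment on ScmpError such as `// ScmpError reports whether a SIGSYS arrived since the last call; this package catches SIGSYS, so a trapped syscall fails instead of killing the process.` would make that explicit.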
@@ -0,0 +1,107 @@
+
+package main
+
+import (
+	"fmt"
+	"flag"
+	"os"
+	"syscall"
+
+	sec "seccomp"
+)
+
+const (
+	STDIN_FILENO = 0
+	STDOUT_FILENO = 1
+	BUFLEN = 8
+)
+
+func writeOk(args []string) {
+	scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow)
+
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow)
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow)
+
+	//the first arg is STDOUT_FILENO, the third arg must be <= BUFLEN
+	sec.ScmpAdd(scmpCtx, sec.Sys("write"), sec.ScmpActAllow,
+		sec.FilterArgs{[]sec.Filter{{0, sec.EQ, STDOUT_FILENO}}},
+		sec.FilterArgs{[]sec.Filter{{2, sec.LE, BUFLEN}}},
+	)
+
+	sec.ScmpLoad(scmpCtx)
+	fmt.Printf("8888888\n") //ok
+}
+
+func writeErr(args []string) {
+	scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow)
+
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow)
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow)
+
+	sec.ScmpAdd(scmpCtx, sec.Sys("write"), sec.ScmpActAllow,
+		sec.FilterArgs{[]sec.Filter{{0, sec.EQ, STDOUT_FILENO}}},
+		sec.FilterArgs{[]sec.Filter{{2, sec.LE, BUFLEN}}},
+	)
+
+	sec.ScmpLoad(scmpCtx)
+
+	// bad system call
+	fmt.Printf("99999999\n")
+}
+
+func socketOk(args []string) {
+	scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow)
+
+	//for 386, the next line is same as
+	//sec.ScmpAdd(scmpCtx, sec.Sys("socketcall"), sec.ScmpActAllow,
+	//	sec.FilterArgs{[]sec.Filter{{0, sec.EQ, 1}}},
+	//)
+	//SYS_SOCKET = 1
+	sec.ScmpAdd(scmpCtx, sec.Sys("socket"), sec.ScmpActAllow)
+
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow)
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow)
+
+	sec.ScmpAdd(scmpCtx, sec.Sys("write"), sec.ScmpActAllow,
+		sec.FilterArgs{[]sec.Filter{{0, sec.EQ, STDOUT_FILENO}}},
+		sec.FilterArgs{[]sec.Filter{{2, sec.LE, BUFLEN}}},
+	)
+
+	sec.ScmpLoad(scmpCtx)
+
+	syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_IP)
+	fmt.Printf("Sock ok\n")
+}
+
+func socketErr(args []string) {
+	scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow)
+
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow)
+	sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow)
+
+	sec.ScmpLoad(scmpCtx)
+
+	// bad system call
+	syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_IP)
+}
+
+
+
+func main() {
+	flag.Parse()
+
+	if 1 == flag.NArg() {
+		idx := 0
+		args := os.Args[(idx + 1):]
+		if flag.Arg(idx) == "writeOk" {
+			writeOk(args)
+		} else if flag.Arg(idx) == "writeErr" {
+			writeErr(args)
+		} else if flag.Arg(idx) == "socketOk" {
+			socketOk(args)
+		} else if flag.Arg(idx) == "socketErr" {
+			socketErr(args)
+		}
+	}
+}
+
diff --git a/seccomp/seccomp386.go b/seccomp/seccomp386.go
new file mode 100644
index 000000000..db696e6f1
--- /dev/null
+++ b/seccomp/seccomp386.go
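Review bot: Every return value from `sec.ScmpAdd` and `sec.ScmpLoad` in writeOk, writeErr, socketOk and socketErr is discarded, so if the filter fails to load (ScmpLoad returns an error when its prctl call is refused) the *Ok drivers still print and exit 0 and the harness records a pass with no filter installed. The load at least should be fatal, e.g. `if err := sec.ScmpLoad(scmpCtx); err != nil { panic(err) }`, and the ScmpAdd errors checked the same way so a misspelled name (for which `sec.Sys` returns -1 and ScmpAdd rejects it) cannot go unnoticed. The allow-list here is only exit, exit_group and write, narrower than the removed `SyscallMapMin` (write, rt_sigreturn, exit_group, futex) that the old ScmpLoad added unconditionally, so whether `fmt.Printf` completes depends on the Go runtime making no other syscall on that path; that assumption is fragile and deserves a comment next to the allow-list. The file is also a `package main` named `seccomp.test` importing `"seccomp"`, an import path that only resolves after seccomp_test.go copies the tree into `/go/src`; a conventional `testdata/` program using the package's real import path would build without that step.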
@@ -0,0 +1,117 @@
+// +build linux
+// +build 386
+
+package seccomp
+
+import (
+	"errors"
+)
+
+var (
+	syscallInterval = 100
+	ipcNr = syscallInterval + 0
+	socketcallNr = syscallInterval + ipcNr
+	callipc = 0
+	callsocket = 0
+)
+
+func scmpAdd386(ctx *ScmpCtx, call int, action int, args ...FilterArgs) error {
+	var syscallNo int
+	pseCall := call - sysCallMax
+	if (pseCall >= ipcNr) && (pseCall < ipcNr+syscallInterval) {
+		syscallNo, _ = syscallMap["ipc"]
+		pseCall = (pseCall - ipcNr) % ipcNr
+
+	} else if (pseCall >= socketcallNr) && (pseCall < socketcallNr+syscallInterval) {
+		syscallNo, _ = syscallMap["socketcall"]
+		pseCall = (pseCall - socketcallNr) % socketcallNr
+	} else {
+		return errors.New("scmpAdd386, syscall error")
+	}
+	act, exists := ctx.CallMap[syscallNo]
+	if !exists {
+		newArg := make([]FilterArgs, len(args)+1)
+		newArg[0].Args = make([]Filter, 1)
+		newArg[0].Args[0].Op = EQ
+		newArg[0].Args[0].Arg = 0
+		newArg[0].Args[0].V = uint(pseCall)
+		for i := 0; i < len(args); i++ {
+			alen := len(args[i].Args)
+			if alen > 0 {
+				newArg[i+1].Args = make([]Filter, alen)
+				for j := 0; j < alen; i++ {
+					newArg[i+1].Args[j].Op = args[i].Args[j].Op
+					newArg[i+1].Args[j].Arg = args[i].Args[j].Arg
+					newArg[i+1].Args[j].V = args[i].Args[j].V
+				}
+			}
+		}
+		ctx.CallMap[syscallNo] = &Action{action, newArg}
+	} else {
+		newArg := make([]FilterArgs, len(args))
+		for i := 0; i < len(args); i++ {
+			alen := len(args[i].Args)
+			if alen > 0 {
+				newArg[i].Args = make([]Filter, alen)
+				for j := 0; j < alen; i++ {
+					newArg[i].Args[j].Op = args[i].Args[j].Op
+					newArg[i].Args[j].Arg = args[i].Args[j].Arg
+					newArg[i].Args[j].V = args[i].Args[j].V
+				}
+			}
+		}
+		act.args = CombineArgs(act.args, newArg)
+	}
+
+	return nil
+}
+
+func resetCallipc(call string, num int) {
+	syscallMap[call] = num + callipc
+}
+
+func resetCallsocket(call string, num int) {
+	syscallMap[call] = num + callsocket
+}
+
+func init() {
+	sysCallMax = 340
+	callipc = ipcNr + sysCallMax
+	callsocket = socketcallNr + sysCallMax
+	secAdd = scmpAdd386
+
+	resetCallipc("semop", 1)
+	resetCallipc("semget", 2)
+	resetCallipc("semctl", 3)
+	resetCallipc("semtimedop", 4)
+	resetCallipc("msgsnd", 11)
+	resetCallipc("msgrcv", 12)
+	resetCallipc("msgget", 13)
+	resetCallipc("msgctl", 14)
+	resetCallipc("shmat", 21)
+	resetCallipc("shmdt", 22)
+	resetCallipc("shmget", 23)
+	resetCallipc("shmctl", 24)
+
+	resetCallsocket("socket", 1)
+	resetCallsocket("bind", 2)
+	resetCallsocket("connect", 3)
+	resetCallsocket("listen", 4)
+	resetCallsocket("accept", 5)
+	resetCallsocket("getsockname", 6)
+	resetCallsocket("getpeername", 7)
+	resetCallsocket("socketpair", 8)
+	resetCallsocket("send", 9)
+	resetCallsocket("recv", 10)
+	resetCallsocket("sendto", 11)
+	resetCallsocket("recvfrom", 12)
+	resetCallsocket("shutdown", 13)
+	resetCallsocket("setsockopt", 14)
+	resetCallsocket("getsockopt", 15)
+	resetCallsocket("sendmsg", 16)
+	resetCallsocket("recvmsg", 17)
+	resetCallsocket("accept4", 18)
+	resetCallsocket("recvmmsg", 19)
+	resetCallsocket("sendmmsg", 20)
+
+}
diff --git a/seccomp/seccomp_test.go b/seccomp/seccomp_test.go
new file mode 100644
index 000000000..f0db718f9
--- /dev/null
+++ b/seccomp/seccomp_test.go
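Review bot: Both copy loops in scmpAdd386 are written `for j := 0; j < alen; i++`, so `j` never advances and `i` climbs until `args[i]` indexes out of range and panics; each must be `for j := 0; j < alen; j++`. The `else` branch, taken when the multiplexing syscall is already in `ctx.CallMap`, builds `newArg` without the `{Arg: 0, Op: EQ, V: uint(pseCall)}` selector that the first branch prepends, so a second socket or ipc sub-call added to an existing entry is never whitelisted and its argument groups are merged shifted by one against the first entry's. `syscallNo, _ = syscallMap["ipc"]` (and the "socketcall" lookup) ignores a missing key, leaving syscallNo at 0 and attaching the rule to syscall number 0, so the `ok` result should be checked and turned into an error. Building the selector once for both branches, as below, removes the first two problems; note that CombineArgs ORs filters within index-aligned groups, so argument filters given for one sub-call are still merged with those of every other sub-call of the same multiplexer, which deserves a comment on scmpAdd386.
```go
func scmpAdd386(ctx *ScmpCtx, call int, action int, args ...FilterArgs) error {
	// … unchanged: mapping of call to syscallNo / pseCall (with the map lookup's ok checked) …
	// The sub-call selector is the first argument group in both branches.
	newArg := make([]FilterArgs, len(args)+1)
	newArg[0].Args = []Filter{{Arg: 0, Op: EQ, V: uint(pseCall)}}
	for i := range args {
		newArg[i+1].Args = append([]Filter(nil), args[i].Args...)
	}
	if act, exists := ctx.CallMap[syscallNo]; exists {
		act.args = CombineArgs(act.args, newArg)
	} else {
		ctx.CallMap[syscallNo] = &Action{action, newArg}
	}
	return nil
}
```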
@@ -0,0 +1,58 @@
+package seccomp
+
+import (
+	"fmt"
+	"os/exec"
+	"testing"
+)
+
+var osec = "/go/src/seccomp_main.go"
+
+func secMain(t *testing.T, args []string) {
+	if len(args) < 1 {
+		return
+	}
+
+	cmd := args[0]
+	path := "go"
+	argv := []string{"run", osec}
+	argv = append(argv, args[0:]...)
+
+	c := exec.Command(path, argv...)
+	_, err := c.Output()
+	fmt.Printf("do %s, err is [%v]\n", cmd, err)
+	if err != nil {
+		if "writeOk" == cmd || "socketOk" == cmd {
+			t.Fatal(err)
+		}
+	} else {
+		if "writeErr" == cmd || "socketErr" == cmd {
+			t.Fatal(err)
+		}
+	}
+}
+
+func commandGC(file string) {
+	c := exec.Command("rm", "-rf", file)
+	d, _ := c.Output()
+	fmt.Println(string(d))
+}
+
+func cp(src, dst string) {
+	c := exec.Command("cp", "-ra", src, dst)
+	d, _ := c.Output()
+	fmt.Println(string(d))
+}
+
+func TestSeccomp(t *testing.T) {
+	//hard code
+	cp("../seccomp", "/go/src/")
+	cp("./seccomp.test", osec)
+	defer commandGC("/go/src/seccomp")
+	defer commandGC(osec)
+
+	secMain(t, []string{"writeOk"})
+	secMain(t, []string{"writeErr"})
+	secMain(t, []string{"socketOk"})
+	secMain(t, []string{"socketErr"})
+}
diff --git a/seccomp/syscall_linux_386.go b/seccomp/syscall_linux_386.go
deleted file mode 100644
index ad98e1626..000000000
--- a/seccomp/syscall_linux_386.go
+++ /dev/null
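Review bot: In secMain any non-nil error from `c.Output()` is accepted as proof that the writeErr and socketErr programs were stopped by the filter, but a compile error in the copied driver, a missing `/go/src` copy or a failed `cp` produces exactly the same error, so those two cases pass vacuously whenever the build is broken. The check should distinguish the expected outcome from other failures, e.g. by unwrapping `*exec.ExitError`, reading its `syscall.WaitStatus` and requiring either a SIGSYS termination or a distinct exit status that the driver sets when the denied call fails, and `t.Fatal(err)` in the Err branch always prints `<nil>`, so `t.Fatalf("%s: filtered syscall was not blocked", cmd)` is more useful. commandGC and cp also shell out to `rm -rf`/`cp -ra` against the hard-coded `/go/src` root and discard their errors; `os.RemoveAll`, an `ioutil.TempDir` scratch directory on a GOPATH the test controls, and checked errors would remove the dependency on a writable `/go/src` and make a failed setup visible instead of surfacing later as a misleading `go run` error.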
@@ -1,364 +0,0 @@ -// +build linux -// +build 386 - -package seccomp - -import ( - "syscall" -) - -const ( - SECCOMP_RET_KILL = 0x00000000 - SECCOMP_RET_TRAP = 0x00030000 - SECCOMP_RET_ALLOW = 0x7fff0000 - SECCOMP_MODE_FILTER = 0x2 - PR_SET_NO_NEW_PRIVS = 0x26 -) - -var SyscallMap = map[string]uint32{ - "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, - "EXIT": syscall.SYS_EXIT, - "FORK": syscall.SYS_FORK, - "READ": syscall.SYS_READ, - "WRITE": syscall.SYS_WRITE, - "OPEN": syscall.SYS_OPEN, - "CLOSE": syscall.SYS_CLOSE, - "WAITPID": syscall.SYS_WAITPID, - "CREAT": syscall.SYS_CREAT, - "LINK": syscall.SYS_LINK, - "UNLINK": syscall.SYS_UNLINK, - "EXECVE": syscall.SYS_EXECVE, - "CHDIR": syscall.SYS_CHDIR, - "TIME": syscall.SYS_TIME, - "MKNOD": syscall.SYS_MKNOD, - "CHMOD": syscall.SYS_CHMOD, - "LCHOWN": syscall.SYS_LCHOWN, - "BREAK": syscall.SYS_BREAK, - "OLDSTAT": syscall.SYS_OLDSTAT, - "LSEEK": syscall.SYS_LSEEK, - "GETPID": syscall.SYS_GETPID, - "MOUNT": syscall.SYS_MOUNT, - "UMOUNT": syscall.SYS_UMOUNT, - "SETUID": syscall.SYS_SETUID, - "GETUID": syscall.SYS_GETUID, - "STIME": syscall.SYS_STIME, - "PTRACE": syscall.SYS_PTRACE, - "ALARM": syscall.SYS_ALARM, - "OLDFSTAT": syscall.SYS_OLDFSTAT, - "PAUSE": syscall.SYS_PAUSE, - "UTIME": syscall.SYS_UTIME, - "STTY": syscall.SYS_STTY, - "GTTY": syscall.SYS_GTTY, - "ACCESS": syscall.SYS_ACCESS, - "NICE": syscall.SYS_NICE, - "FTIME": syscall.SYS_FTIME, - "SYNC": syscall.SYS_SYNC, - "KILL": syscall.SYS_KILL, - "RENAME": syscall.SYS_RENAME, - "MKDIR": syscall.SYS_MKDIR, - "RMDIR": syscall.SYS_RMDIR, - "DUP": syscall.SYS_DUP, - "PIPE": syscall.SYS_PIPE, - "TIMES": syscall.SYS_TIMES, - "PROF": syscall.SYS_PROF, - "BRK": syscall.SYS_BRK, - "SETGID": syscall.SYS_SETGID, - "GETGID": syscall.SYS_GETGID, - "SIGNAL": syscall.SYS_SIGNAL, - "GETEUID": syscall.SYS_GETEUID, - "GETEGID": syscall.SYS_GETEGID, - "ACCT": syscall.SYS_ACCT, - "UMOUNT2": syscall.SYS_UMOUNT2, - "LOCK": syscall.SYS_LOCK, - "IOCTL": syscall.SYS_IOCTL, - "FCNTL": 
syscall.SYS_FCNTL, - "MPX": syscall.SYS_MPX, - "SETPGID": syscall.SYS_SETPGID, - "ULIMIT": syscall.SYS_ULIMIT, - "OLDOLDUNAME": syscall.SYS_OLDOLDUNAME, - "UMASK": syscall.SYS_UMASK, - "CHROOT": syscall.SYS_CHROOT, - "USTAT": syscall.SYS_USTAT, - "DUP2": syscall.SYS_DUP2, - "GETPPID": syscall.SYS_GETPPID, - "GETPGRP": syscall.SYS_GETPGRP, - "SETSID": syscall.SYS_SETSID, - "SIGACTION": syscall.SYS_SIGACTION, - "SGETMASK": syscall.SYS_SGETMASK, - "SSETMASK": syscall.SYS_SSETMASK, - "SETREUID": syscall.SYS_SETREUID, - "SETREGID": syscall.SYS_SETREGID, - "SIGSUSPEND": syscall.SYS_SIGSUSPEND, - "SIGPENDING": syscall.SYS_SIGPENDING, - "SETHOSTNAME": syscall.SYS_SETHOSTNAME, - "SETRLIMIT": syscall.SYS_SETRLIMIT, - "GETRLIMIT": syscall.SYS_GETRLIMIT, - "GETRUSAGE": syscall.SYS_GETRUSAGE, - "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, - "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, - "GETGROUPS": syscall.SYS_GETGROUPS, - "SETGROUPS": syscall.SYS_SETGROUPS, - "SELECT": syscall.SYS_SELECT, - "SYMLINK": syscall.SYS_SYMLINK, - "OLDLSTAT": syscall.SYS_OLDLSTAT, - "READLINK": syscall.SYS_READLINK, - "USELIB": syscall.SYS_USELIB, - "SWAPON": syscall.SYS_SWAPON, - "REBOOT": syscall.SYS_REBOOT, - "READDIR": syscall.SYS_READDIR, - "MMAP": syscall.SYS_MMAP, - "MUNMAP": syscall.SYS_MUNMAP, - "TRUNCATE": syscall.SYS_TRUNCATE, - "FTRUNCATE": syscall.SYS_FTRUNCATE, - "FCHMOD": syscall.SYS_FCHMOD, - "FCHOWN": syscall.SYS_FCHOWN, - "GETPRIORITY": syscall.SYS_GETPRIORITY, - "SETPRIORITY": syscall.SYS_SETPRIORITY, - "PROFIL": syscall.SYS_PROFIL, - "STATFS": syscall.SYS_STATFS, - "FSTATFS": syscall.SYS_FSTATFS, - "IOPERM": syscall.SYS_IOPERM, - "SOCKETCALL": syscall.SYS_SOCKETCALL, - "SYSLOG": syscall.SYS_SYSLOG, - "SETITIMER": syscall.SYS_SETITIMER, - "GETITIMER": syscall.SYS_GETITIMER, - "STAT": syscall.SYS_STAT, - "LSTAT": syscall.SYS_LSTAT, - "FSTAT": syscall.SYS_FSTAT, - "OLDUNAME": syscall.SYS_OLDUNAME, - "IOPL": syscall.SYS_IOPL, - "VHANGUP": syscall.SYS_VHANGUP, - "IDLE": syscall.SYS_IDLE, - 
"VM86OLD": syscall.SYS_VM86OLD, - "WAIT4": syscall.SYS_WAIT4, - "SWAPOFF": syscall.SYS_SWAPOFF, - "SYSINFO": syscall.SYS_SYSINFO, - "IPC": syscall.SYS_IPC, - "FSYNC": syscall.SYS_FSYNC, - "SIGRETURN": syscall.SYS_SIGRETURN, - "CLONE": syscall.SYS_CLONE, - "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, - "UNAME": syscall.SYS_UNAME, - "MODIFY_LDT": syscall.SYS_MODIFY_LDT, - "ADJTIMEX": syscall.SYS_ADJTIMEX, - "MPROTECT": syscall.SYS_MPROTECT, - "SIGPROCMASK": syscall.SYS_SIGPROCMASK, - "CREATE_MODULE": syscall.SYS_CREATE_MODULE, - "INIT_MODULE": syscall.SYS_INIT_MODULE, - "DELETE_MODULE": syscall.SYS_DELETE_MODULE, - "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, - "QUOTACTL": syscall.SYS_QUOTACTL, - "GETPGID": syscall.SYS_GETPGID, - "FCHDIR": syscall.SYS_FCHDIR, - "BDFLUSH": syscall.SYS_BDFLUSH, - "SYSFS": syscall.SYS_SYSFS, - "PERSONALITY": syscall.SYS_PERSONALITY, - "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, - "SETFSUID": syscall.SYS_SETFSUID, - "SETFSGID": syscall.SYS_SETFSGID, - "_LLSEEK": syscall.SYS__LLSEEK, - "GETDENTS": syscall.SYS_GETDENTS, - "_NEWSELECT": syscall.SYS__NEWSELECT, - "FLOCK": syscall.SYS_FLOCK, - "MSYNC": syscall.SYS_MSYNC, - "READV": syscall.SYS_READV, - "WRITEV": syscall.SYS_WRITEV, - "GETSID": syscall.SYS_GETSID, - "FDATASYNC": syscall.SYS_FDATASYNC, - "_SYSCTL": syscall.SYS__SYSCTL, - "MLOCK": syscall.SYS_MLOCK, - "MUNLOCK": syscall.SYS_MUNLOCK, - "MLOCKALL": syscall.SYS_MLOCKALL, - "MUNLOCKALL": syscall.SYS_MUNLOCKALL, - "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, - "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, - "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, - "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, - "SCHED_YIELD": syscall.SYS_SCHED_YIELD, - "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, - "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, - "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, - "NANOSLEEP": syscall.SYS_NANOSLEEP, - "MREMAP": syscall.SYS_MREMAP, - "SETRESUID": 
syscall.SYS_SETRESUID, - "GETRESUID": syscall.SYS_GETRESUID, - "VM86": syscall.SYS_VM86, - "QUERY_MODULE": syscall.SYS_QUERY_MODULE, - "POLL": syscall.SYS_POLL, - "NFSSERVCTL": syscall.SYS_NFSSERVCTL, - "SETRESGID": syscall.SYS_SETRESGID, - "GETRESGID": syscall.SYS_GETRESGID, - "PRCTL": syscall.SYS_PRCTL, - "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, - "RT_SIGACTION": syscall.SYS_RT_SIGACTION, - "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, - "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, - "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, - "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, - "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, - "PREAD64": syscall.SYS_PREAD64, - "PWRITE64": syscall.SYS_PWRITE64, - "CHOWN": syscall.SYS_CHOWN, - "GETCWD": syscall.SYS_GETCWD, - "CAPGET": syscall.SYS_CAPGET, - "CAPSET": syscall.SYS_CAPSET, - "SIGALTSTACK": syscall.SYS_SIGALTSTACK, - "SENDFILE": syscall.SYS_SENDFILE, - "GETPMSG": syscall.SYS_GETPMSG, - "PUTPMSG": syscall.SYS_PUTPMSG, - "VFORK": syscall.SYS_VFORK, - "UGETRLIMIT": syscall.SYS_UGETRLIMIT, - "MMAP2": syscall.SYS_MMAP2, - "TRUNCATE64": syscall.SYS_TRUNCATE64, - "FTRUNCATE64": syscall.SYS_FTRUNCATE64, - "STAT64": syscall.SYS_STAT64, - "LSTAT64": syscall.SYS_LSTAT64, - "FSTAT64": syscall.SYS_FSTAT64, - "LCHOWN32": syscall.SYS_LCHOWN32, - "GETUID32": syscall.SYS_GETUID32, - "GETGID32": syscall.SYS_GETGID32, - "GETEUID32": syscall.SYS_GETEUID32, - "GETEGID32": syscall.SYS_GETEGID32, - "SETREUID32": syscall.SYS_SETREUID32, - "SETREGID32": syscall.SYS_SETREGID32, - "GETGROUPS32": syscall.SYS_GETGROUPS32, - "SETGROUPS32": syscall.SYS_SETGROUPS32, - "FCHOWN32": syscall.SYS_FCHOWN32, - "SETRESUID32": syscall.SYS_SETRESUID32, - "GETRESUID32": syscall.SYS_GETRESUID32, - "SETRESGID32": syscall.SYS_SETRESGID32, - "GETRESGID32": syscall.SYS_GETRESGID32, - "CHOWN32": syscall.SYS_CHOWN32, - "SETUID32": syscall.SYS_SETUID32, - "SETGID32": syscall.SYS_SETGID32, - "SETFSUID32": syscall.SYS_SETFSUID32, - "SETFSGID32": syscall.SYS_SETFSGID32, - 
"PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, - "MINCORE": syscall.SYS_MINCORE, - "MADVISE": syscall.SYS_MADVISE, - "MADVISE1": syscall.SYS_MADVISE1, - "GETDENTS64": syscall.SYS_GETDENTS64, - "FCNTL64": syscall.SYS_FCNTL64, - "GETTID": syscall.SYS_GETTID, - "READAHEAD": syscall.SYS_READAHEAD, - "SETXATTR": syscall.SYS_SETXATTR, - "LSETXATTR": syscall.SYS_LSETXATTR, - "FSETXATTR": syscall.SYS_FSETXATTR, - "GETXATTR": syscall.SYS_GETXATTR, - "LGETXATTR": syscall.SYS_LGETXATTR, - "FGETXATTR": syscall.SYS_FGETXATTR, - "LISTXATTR": syscall.SYS_LISTXATTR, - "LLISTXATTR": syscall.SYS_LLISTXATTR, - "FLISTXATTR": syscall.SYS_FLISTXATTR, - "REMOVEXATTR": syscall.SYS_REMOVEXATTR, - "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, - "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, - "TKILL": syscall.SYS_TKILL, - "SENDFILE64": syscall.SYS_SENDFILE64, - "FUTEX": syscall.SYS_FUTEX, - "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, - "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, - "SET_THREAD_AREA": syscall.SYS_SET_THREAD_AREA, - "GET_THREAD_AREA": syscall.SYS_GET_THREAD_AREA, - "IO_SETUP": syscall.SYS_IO_SETUP, - "IO_DESTROY": syscall.SYS_IO_DESTROY, - "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, - "IO_SUBMIT": syscall.SYS_IO_SUBMIT, - "IO_CANCEL": syscall.SYS_IO_CANCEL, - "FADVISE64": syscall.SYS_FADVISE64, - "EXIT_GROUP": syscall.SYS_EXIT_GROUP, - "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, - "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, - "EPOLL_CTL": syscall.SYS_EPOLL_CTL, - "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, - "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, - "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, - "TIMER_CREATE": syscall.SYS_TIMER_CREATE, - "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, - "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, - "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, - "TIMER_DELETE": syscall.SYS_TIMER_DELETE, - "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, - "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, - "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, - 
"CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, - "STATFS64": syscall.SYS_STATFS64, - "FSTATFS64": syscall.SYS_FSTATFS64, - "TGKILL": syscall.SYS_TGKILL, - "UTIMES": syscall.SYS_UTIMES, - "FADVISE64_64": syscall.SYS_FADVISE64_64, - "VSERVER": syscall.SYS_VSERVER, - "MBIND": syscall.SYS_MBIND, - "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, - "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, - "MQ_OPEN": syscall.SYS_MQ_OPEN, - "MQ_UNLINK": syscall.SYS_MQ_UNLINK, - "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, - "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, - "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, - "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, - "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, - "WAITID": syscall.SYS_WAITID, - "ADD_KEY": syscall.SYS_ADD_KEY, - "REQUEST_KEY": syscall.SYS_REQUEST_KEY, - "KEYCTL": syscall.SYS_KEYCTL, - "IOPRIO_SET": syscall.SYS_IOPRIO_SET, - "IOPRIO_GET": syscall.SYS_IOPRIO_GET, - "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, - "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, - "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, - "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, - "OPENAT": syscall.SYS_OPENAT, - "MKDIRAT": syscall.SYS_MKDIRAT, - "MKNODAT": syscall.SYS_MKNODAT, - "FCHOWNAT": syscall.SYS_FCHOWNAT, - "FUTIMESAT": syscall.SYS_FUTIMESAT, - "FSTATAT64": syscall.SYS_FSTATAT64, - "UNLINKAT": syscall.SYS_UNLINKAT, - "RENAMEAT": syscall.SYS_RENAMEAT, - "LINKAT": syscall.SYS_LINKAT, - "SYMLINKAT": syscall.SYS_SYMLINKAT, - "READLINKAT": syscall.SYS_READLINKAT, - "FCHMODAT": syscall.SYS_FCHMODAT, - "FACCESSAT": syscall.SYS_FACCESSAT, - "PSELECT6": syscall.SYS_PSELECT6, - "PPOLL": syscall.SYS_PPOLL, - "UNSHARE": syscall.SYS_UNSHARE, - "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, - "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, - "SPLICE": syscall.SYS_SPLICE, - "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE, - "TEE": syscall.SYS_TEE, - "VMSPLICE": syscall.SYS_VMSPLICE, - "MOVE_PAGES": syscall.SYS_MOVE_PAGES, - "GETCPU": syscall.SYS_GETCPU, - "EPOLL_PWAIT": 
syscall.SYS_EPOLL_PWAIT, - "UTIMENSAT": syscall.SYS_UTIMENSAT, - "SIGNALFD": syscall.SYS_SIGNALFD, - "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, - "EVENTFD": syscall.SYS_EVENTFD, - "FALLOCATE": syscall.SYS_FALLOCATE, - "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, - "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, - "SIGNALFD4": syscall.SYS_SIGNALFD4, - "EVENTFD2": syscall.SYS_EVENTFD2, - "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, - "DUP3": syscall.SYS_DUP3, - "PIPE2": syscall.SYS_PIPE2, - "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, - "PREADV": syscall.SYS_PREADV, - "PWRITEV": syscall.SYS_PWRITEV, - "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, - "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, - "RECVMMSG": syscall.SYS_RECVMMSG, - "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, - "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, - "PRLIMIT64": syscall.SYS_PRLIMIT64, -} - -var SyscallMapMin = map[string]uint32{ - "WRITE": syscall.SYS_WRITE, - "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, - "EXIT_GROUP": syscall.SYS_EXIT_GROUP, - "FUTEX": syscall.SYS_FUTEX, -} diff --git a/seccomp/syscall_linux_amd64.go b/seccomp/syscall_linux_amd64.go deleted file mode 100755 index b44d5546e..000000000 --- a/seccomp/syscall_linux_amd64.go +++ /dev/null 
@@ -1,329 +0,0 @@ -// +build linux -// +build amd64 - -package seccomp - -import ( - "syscall" -) - -const ( - SECCOMP_RET_KILL = 0x00000000 - SECCOMP_RET_TRAP = 0x00030000 - SECCOMP_RET_ALLOW = 0x7fff0000 - SECCOMP_MODE_FILTER = 0x2 - PR_SET_NO_NEW_PRIVS = 0x26 -) - -var SyscallMap = map[string]uint32{ - "READ": syscall.SYS_READ, - "WRITE": syscall.SYS_WRITE, - "OPEN": syscall.SYS_OPEN, - "CLOSE": syscall.SYS_CLOSE, - "STAT": syscall.SYS_STAT, - "FSTAT": syscall.SYS_FSTAT, - "LSTAT": syscall.SYS_LSTAT, - "POLL": syscall.SYS_POLL, - "LSEEK": syscall.SYS_LSEEK, - "MMAP": syscall.SYS_MMAP, - "MPROTECT": syscall.SYS_MPROTECT, - "MUNMAP": syscall.SYS_MUNMAP, - "BRK": syscall.SYS_BRK, - "RT_SIGACTION": syscall.SYS_RT_SIGACTION, - "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, - "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, - "IOCTL": syscall.SYS_IOCTL, - "PREAD64": syscall.SYS_PREAD64, - "PWRITE64": syscall.SYS_PWRITE64, - "READV": syscall.SYS_READV, - "WRITEV": syscall.SYS_WRITEV, - "ACCESS": syscall.SYS_ACCESS, - "PIPE": syscall.SYS_PIPE, - "SELECT": syscall.SYS_SELECT, - "SCHED_YIELD": syscall.SYS_SCHED_YIELD, - "MREMAP": syscall.SYS_MREMAP, - "MSYNC": syscall.SYS_MSYNC, - "MINCORE": syscall.SYS_MINCORE, - "MADVISE": syscall.SYS_MADVISE, - "SHMGET": syscall.SYS_SHMGET, - "SHMAT": syscall.SYS_SHMAT, - "SHMCTL": syscall.SYS_SHMCTL, - "DUP": syscall.SYS_DUP, - "DUP2": syscall.SYS_DUP2, - "PAUSE": syscall.SYS_PAUSE, - "NANOSLEEP": syscall.SYS_NANOSLEEP, - "GETITIMER": syscall.SYS_GETITIMER, - "ALARM": syscall.SYS_ALARM, - "SETITIMER": syscall.SYS_SETITIMER, - "GETPID": syscall.SYS_GETPID, - "SENDFILE": syscall.SYS_SENDFILE, - "SOCKET": syscall.SYS_SOCKET, - "CONNECT": syscall.SYS_CONNECT, - "ACCEPT": syscall.SYS_ACCEPT, - "SENDTO": syscall.SYS_SENDTO, - "RECVFROM": syscall.SYS_RECVFROM, - "SENDMSG": syscall.SYS_SENDMSG, - "RECVMSG": syscall.SYS_RECVMSG, - "SHUTDOWN": syscall.SYS_SHUTDOWN, - "BIND": syscall.SYS_BIND, - "LISTEN": syscall.SYS_LISTEN, - "GETSOCKNAME": 
syscall.SYS_GETSOCKNAME, - "GETPEERNAME": syscall.SYS_GETPEERNAME, - "SOCKETPAIR": syscall.SYS_SOCKETPAIR, - "SETSOCKOPT": syscall.SYS_SETSOCKOPT, - "GETSOCKOPT": syscall.SYS_GETSOCKOPT, - "CLONE": syscall.SYS_CLONE, - "FORK": syscall.SYS_FORK, - "VFORK": syscall.SYS_VFORK, - "EXECVE": syscall.SYS_EXECVE, - "EXIT": syscall.SYS_EXIT, - "WAIT4": syscall.SYS_WAIT4, - "KILL": syscall.SYS_KILL, - "UNAME": syscall.SYS_UNAME, - "SEMGET": syscall.SYS_SEMGET, - "SEMOP": syscall.SYS_SEMOP, - "SEMCTL": syscall.SYS_SEMCTL, - "SHMDT": syscall.SYS_SHMDT, - "MSGGET": syscall.SYS_MSGGET, - "MSGSND": syscall.SYS_MSGSND, - "MSGRCV": syscall.SYS_MSGRCV, - "MSGCTL": syscall.SYS_MSGCTL, - "FCNTL": syscall.SYS_FCNTL, - "FLOCK": syscall.SYS_FLOCK, - "FSYNC": syscall.SYS_FSYNC, - "FDATASYNC": syscall.SYS_FDATASYNC, - "TRUNCATE": syscall.SYS_TRUNCATE, - "FTRUNCATE": syscall.SYS_FTRUNCATE, - "GETDENTS": syscall.SYS_GETDENTS, - "GETCWD": syscall.SYS_GETCWD, - "CHDIR": syscall.SYS_CHDIR, - "FCHDIR": syscall.SYS_FCHDIR, - "RENAME": syscall.SYS_RENAME, - "MKDIR": syscall.SYS_MKDIR, - "RMDIR": syscall.SYS_RMDIR, - "CREAT": syscall.SYS_CREAT, - "LINK": syscall.SYS_LINK, - "UNLINK": syscall.SYS_UNLINK, - "SYMLINK": syscall.SYS_SYMLINK, - "READLINK": syscall.SYS_READLINK, - "CHMOD": syscall.SYS_CHMOD, - "FCHMOD": syscall.SYS_FCHMOD, - "CHOWN": syscall.SYS_CHOWN, - "FCHOWN": syscall.SYS_FCHOWN, - "LCHOWN": syscall.SYS_LCHOWN, - "UMASK": syscall.SYS_UMASK, - "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, - "GETRLIMIT": syscall.SYS_GETRLIMIT, - "GETRUSAGE": syscall.SYS_GETRUSAGE, - "SYSINFO": syscall.SYS_SYSINFO, - "TIMES": syscall.SYS_TIMES, - "PTRACE": syscall.SYS_PTRACE, - "GETUID": syscall.SYS_GETUID, - "SYSLOG": syscall.SYS_SYSLOG, - "GETGID": syscall.SYS_GETGID, - "SETUID": syscall.SYS_SETUID, - "SETGID": syscall.SYS_SETGID, - "GETEUID": syscall.SYS_GETEUID, - "GETEGID": syscall.SYS_GETEGID, - "SETPGID": syscall.SYS_SETPGID, - "GETPPID": syscall.SYS_GETPPID, - "GETPGRP": syscall.SYS_GETPGRP, - 
"SETSID": syscall.SYS_SETSID, - "SETREUID": syscall.SYS_SETREUID, - "SETREGID": syscall.SYS_SETREGID, - "GETGROUPS": syscall.SYS_GETGROUPS, - "SETGROUPS": syscall.SYS_SETGROUPS, - "SETRESUID": syscall.SYS_SETRESUID, - "GETRESUID": syscall.SYS_GETRESUID, - "SETRESGID": syscall.SYS_SETRESGID, - "GETRESGID": syscall.SYS_GETRESGID, - "GETPGID": syscall.SYS_GETPGID, - "SETFSUID": syscall.SYS_SETFSUID, - "SETFSGID": syscall.SYS_SETFSGID, - "GETSID": syscall.SYS_GETSID, - "CAPGET": syscall.SYS_CAPGET, - "CAPSET": syscall.SYS_CAPSET, - "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, - "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, - "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, - "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, - "SIGALTSTACK": syscall.SYS_SIGALTSTACK, - "UTIME": syscall.SYS_UTIME, - "MKNOD": syscall.SYS_MKNOD, - "USELIB": syscall.SYS_USELIB, - "PERSONALITY": syscall.SYS_PERSONALITY, - "USTAT": syscall.SYS_USTAT, - "STATFS": syscall.SYS_STATFS, - "FSTATFS": syscall.SYS_FSTATFS, - "SYSFS": syscall.SYS_SYSFS, - "GETPRIORITY": syscall.SYS_GETPRIORITY, - "SETPRIORITY": syscall.SYS_SETPRIORITY, - "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, - "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, - "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, - "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, - "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, - "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, - "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, - "MLOCK": syscall.SYS_MLOCK, - "MUNLOCK": syscall.SYS_MUNLOCK, - "MLOCKALL": syscall.SYS_MLOCKALL, - "MUNLOCKALL": syscall.SYS_MUNLOCKALL, - "VHANGUP": syscall.SYS_VHANGUP, - "MODIFY_LDT": syscall.SYS_MODIFY_LDT, - "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, - "_SYSCTL": syscall.SYS__SYSCTL, - "PRCTL": syscall.SYS_PRCTL, - "ARCH_PRCTL": syscall.SYS_ARCH_PRCTL, - "ADJTIMEX": syscall.SYS_ADJTIMEX, - "SETRLIMIT": syscall.SYS_SETRLIMIT, - "CHROOT": syscall.SYS_CHROOT, - "SYNC": syscall.SYS_SYNC, 
- "ACCT": syscall.SYS_ACCT,
- "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY,
- "MOUNT": syscall.SYS_MOUNT,
- "UMOUNT2": syscall.SYS_UMOUNT2,
- "SWAPON": syscall.SYS_SWAPON,
- "SWAPOFF": syscall.SYS_SWAPOFF,
- "REBOOT": syscall.SYS_REBOOT,
- "SETHOSTNAME": syscall.SYS_SETHOSTNAME,
- "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME,
- "IOPL": syscall.SYS_IOPL,
- "IOPERM": syscall.SYS_IOPERM,
- "CREATE_MODULE": syscall.SYS_CREATE_MODULE,
- "INIT_MODULE": syscall.SYS_INIT_MODULE,
- "DELETE_MODULE": syscall.SYS_DELETE_MODULE,
- "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS,
- "QUERY_MODULE": syscall.SYS_QUERY_MODULE,
- "QUOTACTL": syscall.SYS_QUOTACTL,
- "NFSSERVCTL": syscall.SYS_NFSSERVCTL,
- "GETPMSG": syscall.SYS_GETPMSG,
- "PUTPMSG": syscall.SYS_PUTPMSG,
- "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL,
- "TUXCALL": syscall.SYS_TUXCALL,
- "SECURITY": syscall.SYS_SECURITY,
- "GETTID": syscall.SYS_GETTID,
- "READAHEAD": syscall.SYS_READAHEAD,
- "SETXATTR": syscall.SYS_SETXATTR,
- "LSETXATTR": syscall.SYS_LSETXATTR,
- "FSETXATTR": syscall.SYS_FSETXATTR,
- "GETXATTR": syscall.SYS_GETXATTR,
- "LGETXATTR": syscall.SYS_LGETXATTR,
- "FGETXATTR": syscall.SYS_FGETXATTR,
- "LISTXATTR": syscall.SYS_LISTXATTR,
- "LLISTXATTR": syscall.SYS_LLISTXATTR,
- "FLISTXATTR": syscall.SYS_FLISTXATTR,
- "REMOVEXATTR": syscall.SYS_REMOVEXATTR,
- "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR,
- "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR,
- "TKILL": syscall.SYS_TKILL,
- "TIME": syscall.SYS_TIME,
- "FUTEX": syscall.SYS_FUTEX,
- "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY,
- "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY,
- "SET_THREAD_AREA": syscall.SYS_SET_THREAD_AREA,
- "IO_SETUP": syscall.SYS_IO_SETUP,
- "IO_DESTROY": syscall.SYS_IO_DESTROY,
- "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS,
- "IO_SUBMIT": syscall.SYS_IO_SUBMIT,
- "IO_CANCEL": syscall.SYS_IO_CANCEL,
- "GET_THREAD_AREA": syscall.SYS_GET_THREAD_AREA,
- "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE,
- "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE,
- "EPOLL_CTL_OLD": syscall.SYS_EPOLL_CTL_OLD,
- "EPOLL_WAIT_OLD": syscall.SYS_EPOLL_WAIT_OLD,
- "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES,
- "GETDENTS64": syscall.SYS_GETDENTS64,
- "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS,
- "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL,
- "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP,
- "FADVISE64": syscall.SYS_FADVISE64,
- "TIMER_CREATE": syscall.SYS_TIMER_CREATE,
- "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME,
- "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME,
- "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN,
- "TIMER_DELETE": syscall.SYS_TIMER_DELETE,
- "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME,
- "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME,
- "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES,
- "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP,
- "EXIT_GROUP": syscall.SYS_EXIT_GROUP,
- "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT,
- "EPOLL_CTL": syscall.SYS_EPOLL_CTL,
- "TGKILL": syscall.SYS_TGKILL,
- "UTIMES": syscall.SYS_UTIMES,
- "VSERVER": syscall.SYS_VSERVER,
- "MBIND": syscall.SYS_MBIND,
- "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY,
- "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY,
- "MQ_OPEN": syscall.SYS_MQ_OPEN,
- "MQ_UNLINK": syscall.SYS_MQ_UNLINK,
- "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND,
- "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE,
- "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY,
- "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR,
- "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD,
- "WAITID": syscall.SYS_WAITID,
- "ADD_KEY": syscall.SYS_ADD_KEY,
- "REQUEST_KEY": syscall.SYS_REQUEST_KEY,
- "KEYCTL": syscall.SYS_KEYCTL,
- "IOPRIO_SET": syscall.SYS_IOPRIO_SET,
- "IOPRIO_GET": syscall.SYS_IOPRIO_GET,
- "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT,
- "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH,
- "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH,
- "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES,
- "OPENAT": syscall.SYS_OPENAT,
- "MKDIRAT": syscall.SYS_MKDIRAT,
- "MKNODAT": syscall.SYS_MKNODAT,
- "FCHOWNAT": syscall.SYS_FCHOWNAT,
- "FUTIMESAT": syscall.SYS_FUTIMESAT,
- "NEWFSTATAT": syscall.SYS_NEWFSTATAT,
- "UNLINKAT": syscall.SYS_UNLINKAT,
- "RENAMEAT": syscall.SYS_RENAMEAT,
- "LINKAT": syscall.SYS_LINKAT,
- "SYMLINKAT": syscall.SYS_SYMLINKAT,
- "READLINKAT": syscall.SYS_READLINKAT,
- "FCHMODAT": syscall.SYS_FCHMODAT,
- "FACCESSAT": syscall.SYS_FACCESSAT,
- "PSELECT6": syscall.SYS_PSELECT6,
- "PPOLL": syscall.SYS_PPOLL,
- "UNSHARE": syscall.SYS_UNSHARE,
- "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST,
- "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST,
- "SPLICE": syscall.SYS_SPLICE,
- "TEE": syscall.SYS_TEE,
- "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE,
- "VMSPLICE": syscall.SYS_VMSPLICE,
- "MOVE_PAGES": syscall.SYS_MOVE_PAGES,
- "UTIMENSAT": syscall.SYS_UTIMENSAT,
- "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT,
- "SIGNALFD": syscall.SYS_SIGNALFD,
- "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE,
- "EVENTFD": syscall.SYS_EVENTFD,
- "FALLOCATE": syscall.SYS_FALLOCATE,
- "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME,
- "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME,
- "ACCEPT4": syscall.SYS_ACCEPT4,
- "SIGNALFD4": syscall.SYS_SIGNALFD4,
- "EVENTFD2": syscall.SYS_EVENTFD2,
- "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1,
- "DUP3": syscall.SYS_DUP3,
- "PIPE2": syscall.SYS_PIPE2,
- "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1,
- "PREADV": syscall.SYS_PREADV,
- "PWRITEV": syscall.SYS_PWRITEV,
- "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO,
- "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN,
- "RECVMMSG": syscall.SYS_RECVMMSG,
- "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT,
- "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK,
- "PRLIMIT64": syscall.SYS_PRLIMIT64,
-}
-
-var SyscallMapMin = map[string]int{
- "WRITE": syscall.SYS_WRITE,
- "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN,
- "EXIT_GROUP": syscall.SYS_EXIT_GROUP,
- "FUTEX": syscall.SYS_FUTEX,
-}
diff --git a/seccomp/syscall_linux_arm.go b/seccomp/syscall_linux_arm.go
deleted file mode 100644
index 141ec76a6..000000000
--- a/seccomp/syscall_linux_arm.go
+++ /dev/null
@@ -1,373 +0,0 @@
-// +build linux
-// +build arm
-
-package seccomp
-
-import (
- "syscall"
-)
-
-const (
- SECCOMP_RET_KILL = 0x00000000
- SECCOMP_RET_TRAP = 0x00030000
- SECCOMP_RET_ALLOW = 0x7fff0000
- SECCOMP_MODE_FILTER = 0x2
- PR_SET_NO_NEW_PRIVS = 0x26
-)
-
-var SyscallMap = map[string]uint32{
- "OABI_SYSCALL_BASE": syscall.SYS_OABI_SYSCALL_BASE,
- "SYSCALL_BASE": syscall.SYS_SYSCALL_BASE,
- "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL,
- "EXIT": syscall.SYS_EXIT,
- "FORK": syscall.SYS_FORK,
- "READ": syscall.SYS_READ,
- "WRITE": syscall.SYS_WRITE,
- "OPEN": syscall.SYS_OPEN,
- "CLOSE": syscall.SYS_CLOSE,
- "CREAT": syscall.SYS_CREAT,
- "LINK": syscall.SYS_LINK,
- "UNLINK": syscall.SYS_UNLINK,
- "EXECVE": syscall.SYS_EXECVE,
- "CHDIR": syscall.SYS_CHDIR,
- "TIME": syscall.SYS_TIME,
- "MKNOD": syscall.SYS_MKNOD,
- "CHMOD": syscall.SYS_CHMOD,
- "LCHOWN": syscall.SYS_LCHOWN,
- "LSEEK": syscall.SYS_LSEEK,
- "GETPID": syscall.SYS_GETPID,
- "MOUNT": syscall.SYS_MOUNT,
- "UMOUNT": syscall.SYS_UMOUNT,
- "SETUID": syscall.SYS_SETUID,
- "GETUID": syscall.SYS_GETUID,
- "STIME": syscall.SYS_STIME,
- "PTRACE": syscall.SYS_PTRACE,
- "ALARM": syscall.SYS_ALARM,
- "PAUSE": syscall.SYS_PAUSE,
- "UTIME": syscall.SYS_UTIME,
- "ACCESS": syscall.SYS_ACCESS,
- "NICE": syscall.SYS_NICE,
- "SYNC": syscall.SYS_SYNC,
- "KILL": syscall.SYS_KILL,
- "RENAME": syscall.SYS_RENAME,
- "MKDIR": syscall.SYS_MKDIR,
- "RMDIR": syscall.SYS_RMDIR,
- "DUP": syscall.SYS_DUP,
- "PIPE": syscall.SYS_PIPE,
- "TIMES": syscall.SYS_TIMES,
- "BRK": syscall.SYS_BRK,
- "SETGID": syscall.SYS_SETGID,
- "GETGID": syscall.SYS_GETGID,
- "GETEUID": syscall.SYS_GETEUID,
- "GETEGID": syscall.SYS_GETEGID,
- "ACCT": syscall.SYS_ACCT,
- "UMOUNT2": syscall.SYS_UMOUNT2,
- "IOCTL": syscall.SYS_IOCTL,
- "FCNTL": syscall.SYS_FCNTL,
- "SETPGID": syscall.SYS_SETPGID,
- "UMASK": syscall.SYS_UMASK,
- "CHROOT": syscall.SYS_CHROOT,
- "USTAT": syscall.SYS_USTAT,
- "DUP2": syscall.SYS_DUP2,
- "GETPPID": syscall.SYS_GETPPID,
- "GETPGRP": syscall.SYS_GETPGRP,
- "SETSID": syscall.SYS_SETSID,
- "SIGACTION": syscall.SYS_SIGACTION,
- "SETREUID": syscall.SYS_SETREUID,
- "SETREGID": syscall.SYS_SETREGID,
- "SIGSUSPEND": syscall.SYS_SIGSUSPEND,
- "SIGPENDING": syscall.SYS_SIGPENDING,
- "SETHOSTNAME": syscall.SYS_SETHOSTNAME,
- "SETRLIMIT": syscall.SYS_SETRLIMIT,
- "GETRLIMIT": syscall.SYS_GETRLIMIT,
- "GETRUSAGE": syscall.SYS_GETRUSAGE,
- "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY,
- "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY,
- "GETGROUPS": syscall.SYS_GETGROUPS,
- "SETGROUPS": syscall.SYS_SETGROUPS,
- "SELECT": syscall.SYS_SELECT,
- "SYMLINK": syscall.SYS_SYMLINK,
- "READLINK": syscall.SYS_READLINK,
- "USELIB": syscall.SYS_USELIB,
- "SWAPON": syscall.SYS_SWAPON,
- "REBOOT": syscall.SYS_REBOOT,
- "READDIR": syscall.SYS_READDIR,
- "MMAP": syscall.SYS_MMAP,
- "MUNMAP": syscall.SYS_MUNMAP,
- "TRUNCATE": syscall.SYS_TRUNCATE,
- "FTRUNCATE": syscall.SYS_FTRUNCATE,
- "FCHMOD": syscall.SYS_FCHMOD,
- "FCHOWN": syscall.SYS_FCHOWN,
- "GETPRIORITY": syscall.SYS_GETPRIORITY,
- "SETPRIORITY": syscall.SYS_SETPRIORITY,
- "STATFS": syscall.SYS_STATFS,
- "FSTATFS": syscall.SYS_FSTATFS,
- "SOCKETCALL": syscall.SYS_SOCKETCALL,
- "SYSLOG": syscall.SYS_SYSLOG,
- "SETITIMER": syscall.SYS_SETITIMER,
- "GETITIMER": syscall.SYS_GETITIMER,
- "STAT": syscall.SYS_STAT,
- "LSTAT": syscall.SYS_LSTAT,
- "FSTAT": syscall.SYS_FSTAT,
- "VHANGUP": syscall.SYS_VHANGUP,
- "SYSCALL": syscall.SYS_SYSCALL,
- "WAIT4": syscall.SYS_WAIT4,
- "SWAPOFF": syscall.SYS_SWAPOFF,
- "SYSINFO": syscall.SYS_SYSINFO,
- "IPC": syscall.SYS_IPC,
- "FSYNC": syscall.SYS_FSYNC,
- "SIGRETURN": syscall.SYS_SIGRETURN,
- "CLONE": syscall.SYS_CLONE,
- "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME,
- "UNAME": syscall.SYS_UNAME,
- "ADJTIMEX": syscall.SYS_ADJTIMEX,
- "MPROTECT": syscall.SYS_MPROTECT,
- "SIGPROCMASK": syscall.SYS_SIGPROCMASK,
- "INIT_MODULE": syscall.SYS_INIT_MODULE,
- "DELETE_MODULE": syscall.SYS_DELETE_MODULE,
- "QUOTACTL": syscall.SYS_QUOTACTL,
- "GETPGID": syscall.SYS_GETPGID,
- "FCHDIR": syscall.SYS_FCHDIR,
- "BDFLUSH": syscall.SYS_BDFLUSH,
- "SYSFS": syscall.SYS_SYSFS,
- "PERSONALITY": syscall.SYS_PERSONALITY,
- "SETFSUID": syscall.SYS_SETFSUID,
- "SETFSGID": syscall.SYS_SETFSGID,
- "_LLSEEK": syscall.SYS__LLSEEK,
- "GETDENTS": syscall.SYS_GETDENTS,
- "_NEWSELECT": syscall.SYS__NEWSELECT,
- "FLOCK": syscall.SYS_FLOCK,
- "MSYNC": syscall.SYS_MSYNC,
- "READV": syscall.SYS_READV,
- "WRITEV": syscall.SYS_WRITEV,
- "GETSID": syscall.SYS_GETSID,
- "FDATASYNC": syscall.SYS_FDATASYNC,
- "_SYSCTL": syscall.SYS__SYSCTL,
- "MLOCK": syscall.SYS_MLOCK,
- "MUNLOCK": syscall.SYS_MUNLOCK,
- "MLOCKALL": syscall.SYS_MLOCKALL,
- "MUNLOCKALL": syscall.SYS_MUNLOCKALL,
- "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM,
- "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM,
- "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER,
- "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER,
- "SCHED_YIELD": syscall.SYS_SCHED_YIELD,
- "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX,
- "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN,
- "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL,
- "NANOSLEEP": syscall.SYS_NANOSLEEP,
- "MREMAP": syscall.SYS_MREMAP,
- "SETRESUID": syscall.SYS_SETRESUID,
- "GETRESUID": syscall.SYS_GETRESUID,
- "POLL": syscall.SYS_POLL,
- "NFSSERVCTL": syscall.SYS_NFSSERVCTL,
- "SETRESGID": syscall.SYS_SETRESGID,
- "GETRESGID": syscall.SYS_GETRESGID,
- "PRCTL": syscall.SYS_PRCTL,
- "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN,
- "RT_SIGACTION": syscall.SYS_RT_SIGACTION,
- "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK,
- "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING,
- "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT,
- "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO,
- "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND,
- "PREAD64": syscall.SYS_PREAD64,
- "PWRITE64": syscall.SYS_PWRITE64,
- "CHOWN": syscall.SYS_CHOWN,
- "GETCWD": syscall.SYS_GETCWD,
- "CAPGET": syscall.SYS_CAPGET,
- "CAPSET": syscall.SYS_CAPSET,
- "SIGALTSTACK": syscall.SYS_SIGALTSTACK,
- "SENDFILE": syscall.SYS_SENDFILE,
- "VFORK": syscall.SYS_VFORK,
- "UGETRLIMIT": syscall.SYS_UGETRLIMIT,
- "MMAP2": syscall.SYS_MMAP2,
- "TRUNCATE64": syscall.SYS_TRUNCATE64,
- "FTRUNCATE64": syscall.SYS_FTRUNCATE64,
- "STAT64": syscall.SYS_STAT64,
- "LSTAT64": syscall.SYS_LSTAT64,
- "FSTAT64": syscall.SYS_FSTAT64,
- "LCHOWN32": syscall.SYS_LCHOWN32,
- "GETUID32": syscall.SYS_GETUID32,
- "GETGID32": syscall.SYS_GETGID32,
- "GETEUID32": syscall.SYS_GETEUID32,
- "GETEGID32": syscall.SYS_GETEGID32,
- "SETREUID32": syscall.SYS_SETREUID32,
- "SETREGID32": syscall.SYS_SETREGID32,
- "GETGROUPS32": syscall.SYS_GETGROUPS32,
- "SETGROUPS32": syscall.SYS_SETGROUPS32,
- "FCHOWN32": syscall.SYS_FCHOWN32,
- "SETRESUID32": syscall.SYS_SETRESUID32,
- "GETRESUID32": syscall.SYS_GETRESUID32,
- "SETRESGID32": syscall.SYS_SETRESGID32,
- "GETRESGID32": syscall.SYS_GETRESGID32,
- "CHOWN32": syscall.SYS_CHOWN32,
- "SETUID32": syscall.SYS_SETUID32,
- "SETGID32": syscall.SYS_SETGID32,
- "SETFSUID32": syscall.SYS_SETFSUID32,
- "SETFSGID32": syscall.SYS_SETFSGID32,
- "GETDENTS64": syscall.SYS_GETDENTS64,
- "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT,
- "MINCORE": syscall.SYS_MINCORE,
- "MADVISE": syscall.SYS_MADVISE,
- "FCNTL64": syscall.SYS_FCNTL64,
- "GETTID": syscall.SYS_GETTID,
- "READAHEAD": syscall.SYS_READAHEAD,
- "SETXATTR": syscall.SYS_SETXATTR,
- "LSETXATTR": syscall.SYS_LSETXATTR,
- "FSETXATTR": syscall.SYS_FSETXATTR,
- "GETXATTR": syscall.SYS_GETXATTR,
- "LGETXATTR": syscall.SYS_LGETXATTR,
- "FGETXATTR": syscall.SYS_FGETXATTR,
- "LISTXATTR": syscall.SYS_LISTXATTR,
- "LLISTXATTR": syscall.SYS_LLISTXATTR,
- "FLISTXATTR": syscall.SYS_FLISTXATTR,
- "REMOVEXATTR": syscall.SYS_REMOVEXATTR,
- "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR,
- "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR,
- "TKILL": syscall.SYS_TKILL,
- "SENDFILE64": syscall.SYS_SENDFILE64,
- "FUTEX": syscall.SYS_FUTEX,
- "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY,
- "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY,
- "IO_SETUP": syscall.SYS_IO_SETUP,
- "IO_DESTROY": syscall.SYS_IO_DESTROY,
- "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS,
- "IO_SUBMIT": syscall.SYS_IO_SUBMIT,
- "IO_CANCEL": syscall.SYS_IO_CANCEL,
- "EXIT_GROUP": syscall.SYS_EXIT_GROUP,
- "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE,
- "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE,
- "EPOLL_CTL": syscall.SYS_EPOLL_CTL,
- "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT,
- "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES,
- "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS,
- "TIMER_CREATE": syscall.SYS_TIMER_CREATE,
- "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME,
- "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME,
- "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN,
- "TIMER_DELETE": syscall.SYS_TIMER_DELETE,
- "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME,
- "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME,
- "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES,
- "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP,
- "STATFS64": syscall.SYS_STATFS64,
- "FSTATFS64": syscall.SYS_FSTATFS64,
- "TGKILL": syscall.SYS_TGKILL,
- "UTIMES": syscall.SYS_UTIMES,
- "ARM_FADVISE64_64": syscall.SYS_ARM_FADVISE64_64,
- "PCICONFIG_IOBASE": syscall.SYS_PCICONFIG_IOBASE,
- "PCICONFIG_READ": syscall.SYS_PCICONFIG_READ,
- "PCICONFIG_WRITE": syscall.SYS_PCICONFIG_WRITE,
- "MQ_OPEN": syscall.SYS_MQ_OPEN,
- "MQ_UNLINK": syscall.SYS_MQ_UNLINK,
- "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND,
- "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE,
- "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY,
- "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR,
- "WAITID": syscall.SYS_WAITID,
- "SOCKET": syscall.SYS_SOCKET,
- "BIND": syscall.SYS_BIND,
- "CONNECT": syscall.SYS_CONNECT,
- "LISTEN": syscall.SYS_LISTEN,
- "ACCEPT": syscall.SYS_ACCEPT,
- "GETSOCKNAME": syscall.SYS_GETSOCKNAME,
- "GETPEERNAME": syscall.SYS_GETPEERNAME,
- "SOCKETPAIR": syscall.SYS_SOCKETPAIR,
- "SEND": syscall.SYS_SEND,
- "SENDTO": syscall.SYS_SENDTO,
- "RECV": syscall.SYS_RECV,
- "RECVFROM": syscall.SYS_RECVFROM,
- "SHUTDOWN": syscall.SYS_SHUTDOWN,
- "SETSOCKOPT": syscall.SYS_SETSOCKOPT,
- "GETSOCKOPT": syscall.SYS_GETSOCKOPT,
- "SENDMSG": syscall.SYS_SENDMSG,
- "RECVMSG": syscall.SYS_RECVMSG,
- "SEMOP": syscall.SYS_SEMOP,
- "SEMGET": syscall.SYS_SEMGET,
- "SEMCTL": syscall.SYS_SEMCTL,
- "MSGSND": syscall.SYS_MSGSND,
- "MSGRCV": syscall.SYS_MSGRCV,
- "MSGGET": syscall.SYS_MSGGET,
- "MSGCTL": syscall.SYS_MSGCTL,
- "SHMAT": syscall.SYS_SHMAT,
- "SHMDT": syscall.SYS_SHMDT,
- "SHMGET": syscall.SYS_SHMGET,
- "SHMCTL": syscall.SYS_SHMCTL,
- "ADD_KEY": syscall.SYS_ADD_KEY,
- "REQUEST_KEY": syscall.SYS_REQUEST_KEY,
- "KEYCTL": syscall.SYS_KEYCTL,
- "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP,
- "VSERVER": syscall.SYS_VSERVER,
- "IOPRIO_SET": syscall.SYS_IOPRIO_SET,
- "IOPRIO_GET": syscall.SYS_IOPRIO_GET,
- "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT,
- "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH,
- "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH,
- "MBIND": syscall.SYS_MBIND,
- "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY,
- "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY,
- "OPENAT": syscall.SYS_OPENAT,
- "MKDIRAT": syscall.SYS_MKDIRAT,
- "MKNODAT": syscall.SYS_MKNODAT,
- "FCHOWNAT": syscall.SYS_FCHOWNAT,
- "FUTIMESAT": syscall.SYS_FUTIMESAT,
- "FSTATAT64": syscall.SYS_FSTATAT64,
- "UNLINKAT": syscall.SYS_UNLINKAT,
- "RENAMEAT": syscall.SYS_RENAMEAT,
- "LINKAT": syscall.SYS_LINKAT,
- "SYMLINKAT": syscall.SYS_SYMLINKAT,
- "READLINKAT": syscall.SYS_READLINKAT,
- "FCHMODAT": syscall.SYS_FCHMODAT,
- "FACCESSAT": syscall.SYS_FACCESSAT,
- "PSELECT6": syscall.SYS_PSELECT6,
- "PPOLL": syscall.SYS_PPOLL,
- "UNSHARE": syscall.SYS_UNSHARE,
- "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST,
- "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST,
- "SPLICE": syscall.SYS_SPLICE,
- "ARM_SYNC_FILE_RANGE": syscall.SYS_ARM_SYNC_FILE_RANGE,
- "TEE": syscall.SYS_TEE,
- "VMSPLICE": syscall.SYS_VMSPLICE,
- "MOVE_PAGES": syscall.SYS_MOVE_PAGES,
- "GETCPU": syscall.SYS_GETCPU,
- "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT,
- "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD,
- "UTIMENSAT": syscall.SYS_UTIMENSAT,
- "SIGNALFD": syscall.SYS_SIGNALFD,
- "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE,
- "EVENTFD": syscall.SYS_EVENTFD,
- "FALLOCATE": syscall.SYS_FALLOCATE,
- "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME,
- "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME,
- "SIGNALFD4": syscall.SYS_SIGNALFD4,
- "EVENTFD2": syscall.SYS_EVENTFD2,
- "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1,
- "DUP3": syscall.SYS_DUP3,
- "PIPE2": syscall.SYS_PIPE2,
- "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1,
- "PREADV": syscall.SYS_PREADV,
- "PWRITEV": syscall.SYS_PWRITEV,
- "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO,
- "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN,
- "RECVMMSG": syscall.SYS_RECVMMSG,
- "ACCEPT4": syscall.SYS_ACCEPT4,
- "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT,
- "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK,
- "PRLIMIT64": syscall.SYS_PRLIMIT64,
- "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT,
- "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT,
- "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME,
- "SYNCFS": syscall.SYS_SYNCFS,
- "SENDMMSG": syscall.SYS_SENDMMSG,
- "SETNS": syscall.SYS_SETNS,
- "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV,
- "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV,
-}
-
-var SyscallMapMin = map[string]int{
- "WRITE": syscall.SYS_WRITE,
- "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN,
- "EXIT_GROUP": syscall.SYS_EXIT_GROUP,
- "FUTEX": syscall.SYS_FUTEX,
-}
diff --git a/seccomp/syscall_linux_arm64.go b/seccomp/syscall_linux_arm64.go
deleted file mode 100644
index 4c94ef916..000000000
--- a/seccomp/syscall_linux_arm64.go
+++ /dev/null
@@ -1,294 +0,0 @@
-// +build linux
-// +build arm64
-
-package seccomp
-
-import (
- "syscall"
-)
-
-const (
- SECCOMP_RET_KILL = 0x00000000
- SECCOMP_RET_TRAP = 0x00030000
- SECCOMP_RET_ALLOW = 0x7fff0000
- SECCOMP_MODE_FILTER = 0x2
- PR_SET_NO_NEW_PRIVS = 0x26
-)
-
-var SyscallMap = map[string]uint32{
- "IO_SETUP": syscall.SYS_IO_SETUP,
- "IO_DESTROY": syscall.SYS_IO_DESTROY,
- "IO_SUBMIT": syscall.SYS_IO_SUBMIT,
- "IO_CANCEL": syscall.SYS_IO_CANCEL,
- "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS,
- "SETXATTR": syscall.SYS_SETXATTR,
- "LSETXATTR": syscall.SYS_LSETXATTR,
- "FSETXATTR": syscall.SYS_FSETXATTR,
- "GETXATTR": syscall.SYS_GETXATTR,
- "LGETXATTR": syscall.SYS_LGETXATTR,
- "FGETXATTR": syscall.SYS_FGETXATTR,
- "LISTXATTR": syscall.SYS_LISTXATTR,
- "LLISTXATTR": syscall.SYS_LLISTXATTR,
- "FLISTXATTR": syscall.SYS_FLISTXATTR,
- "REMOVEXATTR": syscall.SYS_REMOVEXATTR,
- "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR,
- "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR,
- "GETCWD": syscall.SYS_GETCWD,
- "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE,
- "EVENTFD2": syscall.SYS_EVENTFD2,
- "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1,
- "EPOLL_CTL": syscall.SYS_EPOLL_CTL,
- "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT,
- "DUP": syscall.SYS_DUP,
- "DUP3": syscall.SYS_DUP3,
- "FCNTL": syscall.SYS_FCNTL,
- "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1,
- "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH,
- "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH,
- "IOCTL": syscall.SYS_IOCTL,
- "IOPRIO_SET": syscall.SYS_IOPRIO_SET,
- "IOPRIO_GET": syscall.SYS_IOPRIO_GET,
- "FLOCK": syscall.SYS_FLOCK,
- "MKNODAT": syscall.SYS_MKNODAT,
- "MKDIRAT": syscall.SYS_MKDIRAT,
- "UNLINKAT": syscall.SYS_UNLINKAT,
- "SYMLINKAT": syscall.SYS_SYMLINKAT,
- "LINKAT": syscall.SYS_LINKAT,
- "RENAMEAT": syscall.SYS_RENAMEAT,
- "UMOUNT2": syscall.SYS_UMOUNT2,
- "MOUNT": syscall.SYS_MOUNT,
- "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT,
- "NFSSERVCTL": syscall.SYS_NFSSERVCTL,
- "STATFS": syscall.SYS_STATFS,
- "FSTATFS": syscall.SYS_FSTATFS,
- "TRUNCATE": syscall.SYS_TRUNCATE,
- "FTRUNCATE": syscall.SYS_FTRUNCATE,
- "FALLOCATE": syscall.SYS_FALLOCATE,
- "FACCESSAT": syscall.SYS_FACCESSAT,
- "CHDIR": syscall.SYS_CHDIR,
- "FCHDIR": syscall.SYS_FCHDIR,
- "CHROOT": syscall.SYS_CHROOT,
- "FCHMOD": syscall.SYS_FCHMOD,
- "FCHMODAT": syscall.SYS_FCHMODAT,
- "FCHOWNAT": syscall.SYS_FCHOWNAT,
- "FCHOWN": syscall.SYS_FCHOWN,
- "OPENAT": syscall.SYS_OPENAT,
- "CLOSE": syscall.SYS_CLOSE,
- "VHANGUP": syscall.SYS_VHANGUP,
- "PIPE2": syscall.SYS_PIPE2,
- "QUOTACTL": syscall.SYS_QUOTACTL,
- "GETDENTS64": syscall.SYS_GETDENTS64,
- "LSEEK": syscall.SYS_LSEEK,
- "READ": syscall.SYS_READ,
- "WRITE": syscall.SYS_WRITE,
- "READV": syscall.SYS_READV,
- "WRITEV": syscall.SYS_WRITEV,
- "PREAD64": syscall.SYS_PREAD64,
- "PWRITE64": syscall.SYS_PWRITE64,
- "PREADV": syscall.SYS_PREADV,
- "PWRITEV": syscall.SYS_PWRITEV,
- "SENDFILE": syscall.SYS_SENDFILE,
- "PSELECT6": syscall.SYS_PSELECT6,
- "PPOLL": syscall.SYS_PPOLL,
- "SIGNALFD4": syscall.SYS_SIGNALFD4,
- "VMSPLICE": syscall.SYS_VMSPLICE,
- "SPLICE": syscall.SYS_SPLICE,
- "TEE": syscall.SYS_TEE,
- "READLINKAT": syscall.SYS_READLINKAT,
- "FSTATAT": syscall.SYS_FSTATAT,
- "FSTAT": syscall.SYS_FSTAT,
- "SYNC": syscall.SYS_SYNC,
- "FSYNC": syscall.SYS_FSYNC,
- "FDATASYNC": syscall.SYS_FDATASYNC,
- "SYNC_FILE_RANGE2": syscall.SYS_SYNC_FILE_RANGE2,
- "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE,
- "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE,
- "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME,
- "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME,
- "UTIMENSAT": syscall.SYS_UTIMENSAT,
- "ACCT": syscall.SYS_ACCT,
- "CAPGET": syscall.SYS_CAPGET,
- "CAPSET": syscall.SYS_CAPSET,
- "PERSONALITY": syscall.SYS_PERSONALITY,
- "EXIT": syscall.SYS_EXIT,
- "EXIT_GROUP": syscall.SYS_EXIT_GROUP,
- "WAITID": syscall.SYS_WAITID,
- "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS,
- "UNSHARE": syscall.SYS_UNSHARE,
- "FUTEX": syscall.SYS_FUTEX,
- "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST,
- "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST,
- "NANOSLEEP": syscall.SYS_NANOSLEEP,
- "GETITIMER": syscall.SYS_GETITIMER,
- "SETITIMER": syscall.SYS_SETITIMER,
- "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD,
- "INIT_MODULE": syscall.SYS_INIT_MODULE,
- "DELETE_MODULE": syscall.SYS_DELETE_MODULE,
- "TIMER_CREATE": syscall.SYS_TIMER_CREATE,
- "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME,
- "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN,
- "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME,
- "TIMER_DELETE": syscall.SYS_TIMER_DELETE,
- "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME,
- "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME,
- "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES,
- "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP,
- "SYSLOG": syscall.SYS_SYSLOG,
- "PTRACE": syscall.SYS_PTRACE,
- "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM,
- "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER,
- "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER,
- "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM,
- "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY,
- "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY,
- "SCHED_YIELD": syscall.SYS_SCHED_YIELD,
- "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX,
- "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN,
- "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL,
- "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL,
- "KILL": syscall.SYS_KILL,
- "TKILL": syscall.SYS_TKILL,
- "TGKILL": syscall.SYS_TGKILL,
- "SIGALTSTACK": syscall.SYS_SIGALTSTACK,
- "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND,
- "RT_SIGACTION": syscall.SYS_RT_SIGACTION,
- "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK,
- "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING,
- "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT,
- "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO,
- "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN,
- "SETPRIORITY": syscall.SYS_SETPRIORITY,
- "GETPRIORITY": syscall.SYS_GETPRIORITY,
- "REBOOT": syscall.SYS_REBOOT,
- "SETREGID": syscall.SYS_SETREGID,
- "SETGID": syscall.SYS_SETGID,
- "SETREUID": syscall.SYS_SETREUID,
- "SETUID": syscall.SYS_SETUID,
- "SETRESUID": syscall.SYS_SETRESUID,
- "GETRESUID": syscall.SYS_GETRESUID,
- "SETRESGID": syscall.SYS_SETRESGID,
- "GETRESGID": syscall.SYS_GETRESGID,
- "SETFSUID": syscall.SYS_SETFSUID,
- "SETFSGID": syscall.SYS_SETFSGID,
- "TIMES": syscall.SYS_TIMES,
- "SETPGID": syscall.SYS_SETPGID,
- "GETPGID": syscall.SYS_GETPGID,
- "GETSID": syscall.SYS_GETSID,
- "SETSID": syscall.SYS_SETSID,
- "GETGROUPS": syscall.SYS_GETGROUPS,
- "SETGROUPS": syscall.SYS_SETGROUPS,
- "UNAME": syscall.SYS_UNAME,
- "SETHOSTNAME": syscall.SYS_SETHOSTNAME,
- "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME,
- "GETRLIMIT": syscall.SYS_GETRLIMIT,
- "SETRLIMIT": syscall.SYS_SETRLIMIT,
- "GETRUSAGE": syscall.SYS_GETRUSAGE,
- "UMASK": syscall.SYS_UMASK,
- "PRCTL": syscall.SYS_PRCTL,
- "GETCPU": syscall.SYS_GETCPU,
- "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY,
- "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY,
- "ADJTIMEX": syscall.SYS_ADJTIMEX,
- "GETPID": syscall.SYS_GETPID,
- "GETPPID": syscall.SYS_GETPPID,
- "GETUID": syscall.SYS_GETUID,
- "GETEUID": syscall.SYS_GETEUID,
- "GETGID": syscall.SYS_GETGID,
- "GETEGID": syscall.SYS_GETEGID,
- "GETTID": syscall.SYS_GETTID,
- "SYSINFO": syscall.SYS_SYSINFO,
- "MQ_OPEN": syscall.SYS_MQ_OPEN,
- "MQ_UNLINK": syscall.SYS_MQ_UNLINK,
- "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND,
- "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE,
- "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY,
- "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR,
- "MSGGET": syscall.SYS_MSGGET,
- "MSGCTL": syscall.SYS_MSGCTL,
- "MSGRCV": syscall.SYS_MSGRCV,
- "MSGSND": syscall.SYS_MSGSND,
- "SEMGET": syscall.SYS_SEMGET,
- "SEMCTL": syscall.SYS_SEMCTL,
- "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP,
- "SEMOP": syscall.SYS_SEMOP,
- "SHMGET": syscall.SYS_SHMGET,
- "SHMCTL": syscall.SYS_SHMCTL,
- "SHMAT": syscall.SYS_SHMAT,
- "SHMDT": syscall.SYS_SHMDT,
- "SOCKET": syscall.SYS_SOCKET,
- "SOCKETPAIR": syscall.SYS_SOCKETPAIR,
- "BIND": syscall.SYS_BIND,
- "LISTEN": syscall.SYS_LISTEN,
- "ACCEPT": syscall.SYS_ACCEPT,
- "CONNECT": syscall.SYS_CONNECT,
- "GETSOCKNAME": syscall.SYS_GETSOCKNAME,
- "GETPEERNAME": syscall.SYS_GETPEERNAME,
- "SENDTO": syscall.SYS_SENDTO,
- "RECVFROM": syscall.SYS_RECVFROM,
- "SETSOCKOPT": syscall.SYS_SETSOCKOPT,
- "GETSOCKOPT": syscall.SYS_GETSOCKOPT,
- "SHUTDOWN": syscall.SYS_SHUTDOWN,
- "SENDMSG": syscall.SYS_SENDMSG,
- "RECVMSG": syscall.SYS_RECVMSG,
- "READAHEAD": syscall.SYS_READAHEAD,
- "BRK": syscall.SYS_BRK,
- "MUNMAP": syscall.SYS_MUNMAP,
- "MREMAP": syscall.SYS_MREMAP,
- "ADD_KEY": syscall.SYS_ADD_KEY,
- "REQUEST_KEY": syscall.SYS_REQUEST_KEY,
- "KEYCTL": syscall.SYS_KEYCTL,
- "CLONE": syscall.SYS_CLONE,
- "EXECVE": syscall.SYS_EXECVE,
- "MMAP": syscall.SYS_MMAP,
- "FADVISE64": syscall.SYS_FADVISE64,
- "SWAPON": syscall.SYS_SWAPON,
- "SWAPOFF": syscall.SYS_SWAPOFF,
- "MPROTECT": syscall.SYS_MPROTECT,
- "MSYNC": syscall.SYS_MSYNC,
- "MLOCK": syscall.SYS_MLOCK,
- "MUNLOCK": syscall.SYS_MUNLOCK,
- "MLOCKALL": syscall.SYS_MLOCKALL,
- "MUNLOCKALL": syscall.SYS_MUNLOCKALL,
- "MINCORE": syscall.SYS_MINCORE,
- "MADVISE": syscall.SYS_MADVISE,
- "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES,
- "MBIND": syscall.SYS_MBIND,
- "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY,
- "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY,
- "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES,
- "MOVE_PAGES": syscall.SYS_MOVE_PAGES,
- "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO,
- "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN,
- "ACCEPT4": syscall.SYS_ACCEPT4,
- "RECVMMSG": syscall.SYS_RECVMMSG,
- "ARCH_SPECIFIC_SYSCALL": syscall.SYS_ARCH_SPECIFIC_SYSCALL,
- "WAIT4": syscall.SYS_WAIT4,
- "PRLIMIT64": syscall.SYS_PRLIMIT64,
- "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT,
- "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK,
- "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT,
- "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT,
- "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME,
- "SYNCFS": syscall.SYS_SYNCFS,
- "SETNS": syscall.SYS_SETNS,
- "SENDMMSG": syscall.SYS_SENDMMSG,
- "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV,
- "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV,
- "KCMP": syscall.SYS_KCMP,
- "FINIT_MODULE": syscall.SYS_FINIT_MODULE,
- "SCHED_SETATTR": syscall.SYS_SCHED_SETATTR,
- "SCHED_GETATTR": syscall.SYS_SCHED_GETATTR,
- "RENAMEAT2": syscall.SYS_RENAMEAT2,
- "SECCOMP": syscall.SYS_SECCOMP,
- "GETRANDOM": syscall.SYS_GETRANDOM,
- "MEMFD_CREATE": syscall.SYS_MEMFD_CREATE,
- "BPF": syscall.SYS_BPF,
- "EXECVEAT": syscall.SYS_EXECVEAT,
-}
-
-var SyscallMapMin = map[string]int{
- "WRITE": syscall.SYS_WRITE,
- "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN,
- "EXIT_GROUP": syscall.SYS_EXIT_GROUP,
- "FUTEX": syscall.SYS_FUTEX,
-}
diff --git a/seccomp/syscall_linux_ppc64.go b/seccomp/syscall_linux_ppc64.go
deleted file mode 100644
index 43af1bb22..000000000
--- a/seccomp/syscall_linux_ppc64.go
+++ /dev/null
@@ -1,370 +0,0 @@ -// +build linux -// +build ppc64 - -package seccomp - -import ( - "syscall" -) - -const ( - SECCOMP_RET_KILL = 0x00000000 - SECCOMP_RET_TRAP = 0x00030000 - SECCOMP_RET_ALLOW = 0x7fff0000 - SECCOMP_MODE_FILTER = 0x2 - PR_SET_NO_NEW_PRIVS = 0x26 -) - -var SyscallMap = map[string]uint32{ - "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, - "EXIT": syscall.SYS_EXIT, - "FORK": syscall.SYS_FORK, - "READ": syscall.SYS_READ, - "WRITE": syscall.SYS_WRITE, - "OPEN": syscall.SYS_OPEN, - "CLOSE": syscall.SYS_CLOSE, - "WAITPID": syscall.SYS_WAITPID, - "CREAT": syscall.SYS_CREAT, - "LINK": syscall.SYS_LINK, - "UNLINK": syscall.SYS_UNLINK, - "EXECVE": syscall.SYS_EXECVE, - "CHDIR": syscall.SYS_CHDIR, - "TIME": syscall.SYS_TIME, - "MKNOD": syscall.SYS_MKNOD, - "CHMOD": syscall.SYS_CHMOD, - "LCHOWN": syscall.SYS_LCHOWN, - "BREAK": syscall.SYS_BREAK, - "OLDSTAT": syscall.SYS_OLDSTAT, - "LSEEK": syscall.SYS_LSEEK, - "GETPID": syscall.SYS_GETPID, - "MOUNT": syscall.SYS_MOUNT, - "UMOUNT": syscall.SYS_UMOUNT, - "SETUID": syscall.SYS_SETUID, - "GETUID": syscall.SYS_GETUID, - "STIME": syscall.SYS_STIME, - "PTRACE": syscall.SYS_PTRACE, - "ALARM": syscall.SYS_ALARM, - "OLDFSTAT": syscall.SYS_OLDFSTAT, - "PAUSE": syscall.SYS_PAUSE, - "UTIME": syscall.SYS_UTIME, - "STTY": syscall.SYS_STTY, - "GTTY": syscall.SYS_GTTY, - "ACCESS": syscall.SYS_ACCESS, - "NICE": syscall.SYS_NICE, - "FTIME": syscall.SYS_FTIME, - "SYNC": syscall.SYS_SYNC, - "KILL": syscall.SYS_KILL, - "RENAME": syscall.SYS_RENAME, - "MKDIR": syscall.SYS_MKDIR, - "RMDIR": syscall.SYS_RMDIR, - "DUP": syscall.SYS_DUP, - "PIPE": syscall.SYS_PIPE, - "TIMES": syscall.SYS_TIMES, - "PROF": syscall.SYS_PROF, - "BRK": syscall.SYS_BRK, - "SETGID": syscall.SYS_SETGID, - "GETGID": syscall.SYS_GETGID, - "SIGNAL": syscall.SYS_SIGNAL, - "GETEUID": syscall.SYS_GETEUID, - "GETEGID": syscall.SYS_GETEGID, - "ACCT": syscall.SYS_ACCT, - "UMOUNT2": syscall.SYS_UMOUNT2, - "LOCK": syscall.SYS_LOCK, - "IOCTL": syscall.SYS_IOCTL, - "FCNTL": 
syscall.SYS_FCNTL, - "MPX": syscall.SYS_MPX, - "SETPGID": syscall.SYS_SETPGID, - "ULIMIT": syscall.SYS_ULIMIT, - "OLDOLDUNAME": syscall.SYS_OLDOLDUNAME, - "UMASK": syscall.SYS_UMASK, - "CHROOT": syscall.SYS_CHROOT, - "USTAT": syscall.SYS_USTAT, - "DUP2": syscall.SYS_DUP2, - "GETPPID": syscall.SYS_GETPPID, - "GETPGRP": syscall.SYS_GETPGRP, - "SETSID": syscall.SYS_SETSID, - "SIGACTION": syscall.SYS_SIGACTION, - "SGETMASK": syscall.SYS_SGETMASK, - "SSETMASK": syscall.SYS_SSETMASK, - "SETREUID": syscall.SYS_SETREUID, - "SETREGID": syscall.SYS_SETREGID, - "SIGSUSPEND": syscall.SYS_SIGSUSPEND, - "SIGPENDING": syscall.SYS_SIGPENDING, - "SETHOSTNAME": syscall.SYS_SETHOSTNAME, - "SETRLIMIT": syscall.SYS_SETRLIMIT, - "GETRLIMIT": syscall.SYS_GETRLIMIT, - "GETRUSAGE": syscall.SYS_GETRUSAGE, - "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, - "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, - "GETGROUPS": syscall.SYS_GETGROUPS, - "SETGROUPS": syscall.SYS_SETGROUPS, - "SELECT": syscall.SYS_SELECT, - "SYMLINK": syscall.SYS_SYMLINK, - "OLDLSTAT": syscall.SYS_OLDLSTAT, - "READLINK": syscall.SYS_READLINK, - "USELIB": syscall.SYS_USELIB, - "SWAPON": syscall.SYS_SWAPON, - "REBOOT": syscall.SYS_REBOOT, - "READDIR": syscall.SYS_READDIR, - "MMAP": syscall.SYS_MMAP, - "MUNMAP": syscall.SYS_MUNMAP, - "TRUNCATE": syscall.SYS_TRUNCATE, - "FTRUNCATE": syscall.SYS_FTRUNCATE, - "FCHMOD": syscall.SYS_FCHMOD, - "FCHOWN": syscall.SYS_FCHOWN, - "GETPRIORITY": syscall.SYS_GETPRIORITY, - "SETPRIORITY": syscall.SYS_SETPRIORITY, - "PROFIL": syscall.SYS_PROFIL, - "STATFS": syscall.SYS_STATFS, - "FSTATFS": syscall.SYS_FSTATFS, - "IOPERM": syscall.SYS_IOPERM, - "SOCKETCALL": syscall.SYS_SOCKETCALL, - "SYSLOG": syscall.SYS_SYSLOG, - "SETITIMER": syscall.SYS_SETITIMER, - "GETITIMER": syscall.SYS_GETITIMER, - "STAT": syscall.SYS_STAT, - "LSTAT": syscall.SYS_LSTAT, - "FSTAT": syscall.SYS_FSTAT, - "OLDUNAME": syscall.SYS_OLDUNAME, - "IOPL": syscall.SYS_IOPL, - "VHANGUP": syscall.SYS_VHANGUP, - "IDLE": syscall.SYS_IDLE, - 
"VM86": syscall.SYS_VM86, - "WAIT4": syscall.SYS_WAIT4, - "SWAPOFF": syscall.SYS_SWAPOFF, - "SYSINFO": syscall.SYS_SYSINFO, - "IPC": syscall.SYS_IPC, - "FSYNC": syscall.SYS_FSYNC, - "SIGRETURN": syscall.SYS_SIGRETURN, - "CLONE": syscall.SYS_CLONE, - "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, - "UNAME": syscall.SYS_UNAME, - "MODIFY_LDT": syscall.SYS_MODIFY_LDT, - "ADJTIMEX": syscall.SYS_ADJTIMEX, - "MPROTECT": syscall.SYS_MPROTECT, - "SIGPROCMASK": syscall.SYS_SIGPROCMASK, - "CREATE_MODULE": syscall.SYS_CREATE_MODULE, - "INIT_MODULE": syscall.SYS_INIT_MODULE, - "DELETE_MODULE": syscall.SYS_DELETE_MODULE, - "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, - "QUOTACTL": syscall.SYS_QUOTACTL, - "GETPGID": syscall.SYS_GETPGID, - "FCHDIR": syscall.SYS_FCHDIR, - "BDFLUSH": syscall.SYS_BDFLUSH, - "SYSFS": syscall.SYS_SYSFS, - "PERSONALITY": syscall.SYS_PERSONALITY, - "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, - "SETFSUID": syscall.SYS_SETFSUID, - "SETFSGID": syscall.SYS_SETFSGID, - "_LLSEEK": syscall.SYS__LLSEEK, - "GETDENTS": syscall.SYS_GETDENTS, - "_NEWSELECT": syscall.SYS__NEWSELECT, - "FLOCK": syscall.SYS_FLOCK, - "MSYNC": syscall.SYS_MSYNC, - "READV": syscall.SYS_READV, - "WRITEV": syscall.SYS_WRITEV, - "GETSID": syscall.SYS_GETSID, - "FDATASYNC": syscall.SYS_FDATASYNC, - "_SYSCTL": syscall.SYS__SYSCTL, - "MLOCK": syscall.SYS_MLOCK, - "MUNLOCK": syscall.SYS_MUNLOCK, - "MLOCKALL": syscall.SYS_MLOCKALL, - "MUNLOCKALL": syscall.SYS_MUNLOCKALL, - "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, - "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, - "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, - "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, - "SCHED_YIELD": syscall.SYS_SCHED_YIELD, - "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, - "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, - "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, - "NANOSLEEP": syscall.SYS_NANOSLEEP, - "MREMAP": syscall.SYS_MREMAP, - "SETRESUID": 
syscall.SYS_SETRESUID, - "GETRESUID": syscall.SYS_GETRESUID, - "QUERY_MODULE": syscall.SYS_QUERY_MODULE, - "POLL": syscall.SYS_POLL, - "NFSSERVCTL": syscall.SYS_NFSSERVCTL, - "SETRESGID": syscall.SYS_SETRESGID, - "GETRESGID": syscall.SYS_GETRESGID, - "PRCTL": syscall.SYS_PRCTL, - "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, - "RT_SIGACTION": syscall.SYS_RT_SIGACTION, - "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, - "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, - "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, - "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, - "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, - "PREAD64": syscall.SYS_PREAD64, - "PWRITE64": syscall.SYS_PWRITE64, - "CHOWN": syscall.SYS_CHOWN, - "GETCWD": syscall.SYS_GETCWD, - "CAPGET": syscall.SYS_CAPGET, - "CAPSET": syscall.SYS_CAPSET, - "SIGALTSTACK": syscall.SYS_SIGALTSTACK, - "SENDFILE": syscall.SYS_SENDFILE, - "GETPMSG": syscall.SYS_GETPMSG, - "PUTPMSG": syscall.SYS_PUTPMSG, - "VFORK": syscall.SYS_VFORK, - "UGETRLIMIT": syscall.SYS_UGETRLIMIT, - "READAHEAD": syscall.SYS_READAHEAD, - "PCICONFIG_READ": syscall.SYS_PCICONFIG_READ, - "PCICONFIG_WRITE": syscall.SYS_PCICONFIG_WRITE, - "PCICONFIG_IOBASE": syscall.SYS_PCICONFIG_IOBASE, - "MULTIPLEXER": syscall.SYS_MULTIPLEXER, - "GETDENTS64": syscall.SYS_GETDENTS64, - "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, - "MADVISE": syscall.SYS_MADVISE, - "MINCORE": syscall.SYS_MINCORE, - "GETTID": syscall.SYS_GETTID, - "TKILL": syscall.SYS_TKILL, - "SETXATTR": syscall.SYS_SETXATTR, - "LSETXATTR": syscall.SYS_LSETXATTR, - "FSETXATTR": syscall.SYS_FSETXATTR, - "GETXATTR": syscall.SYS_GETXATTR, - "LGETXATTR": syscall.SYS_LGETXATTR, - "FGETXATTR": syscall.SYS_FGETXATTR, - "LISTXATTR": syscall.SYS_LISTXATTR, - "LLISTXATTR": syscall.SYS_LLISTXATTR, - "FLISTXATTR": syscall.SYS_FLISTXATTR, - "REMOVEXATTR": syscall.SYS_REMOVEXATTR, - "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, - "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, - "FUTEX": syscall.SYS_FUTEX, - "SCHED_SETAFFINITY": 
syscall.SYS_SCHED_SETAFFINITY, - "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, - "TUXCALL": syscall.SYS_TUXCALL, - "IO_SETUP": syscall.SYS_IO_SETUP, - "IO_DESTROY": syscall.SYS_IO_DESTROY, - "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, - "IO_SUBMIT": syscall.SYS_IO_SUBMIT, - "IO_CANCEL": syscall.SYS_IO_CANCEL, - "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, - "FADVISE64": syscall.SYS_FADVISE64, - "EXIT_GROUP": syscall.SYS_EXIT_GROUP, - "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, - "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, - "EPOLL_CTL": syscall.SYS_EPOLL_CTL, - "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, - "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, - "TIMER_CREATE": syscall.SYS_TIMER_CREATE, - "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, - "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, - "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, - "TIMER_DELETE": syscall.SYS_TIMER_DELETE, - "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, - "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, - "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, - "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, - "SWAPCONTEXT": syscall.SYS_SWAPCONTEXT, - "TGKILL": syscall.SYS_TGKILL, - "UTIMES": syscall.SYS_UTIMES, - "STATFS64": syscall.SYS_STATFS64, - "FSTATFS64": syscall.SYS_FSTATFS64, - "RTAS": syscall.SYS_RTAS, - "SYS_DEBUG_SETCONTEXT": syscall.SYS_SYS_DEBUG_SETCONTEXT, - "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, - "MBIND": syscall.SYS_MBIND, - "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, - "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, - "MQ_OPEN": syscall.SYS_MQ_OPEN, - "MQ_UNLINK": syscall.SYS_MQ_UNLINK, - "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, - "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, - "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, - "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, - "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, - "ADD_KEY": syscall.SYS_ADD_KEY, - "REQUEST_KEY": syscall.SYS_REQUEST_KEY, - "KEYCTL": syscall.SYS_KEYCTL, - "WAITID": syscall.SYS_WAITID, - "IOPRIO_SET": syscall.SYS_IOPRIO_SET, - 
"IOPRIO_GET": syscall.SYS_IOPRIO_GET, - "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, - "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, - "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, - "SPU_RUN": syscall.SYS_SPU_RUN, - "SPU_CREATE": syscall.SYS_SPU_CREATE, - "PSELECT6": syscall.SYS_PSELECT6, - "PPOLL": syscall.SYS_PPOLL, - "UNSHARE": syscall.SYS_UNSHARE, - "SPLICE": syscall.SYS_SPLICE, - "TEE": syscall.SYS_TEE, - "VMSPLICE": syscall.SYS_VMSPLICE, - "OPENAT": syscall.SYS_OPENAT, - "MKDIRAT": syscall.SYS_MKDIRAT, - "MKNODAT": syscall.SYS_MKNODAT, - "FCHOWNAT": syscall.SYS_FCHOWNAT, - "FUTIMESAT": syscall.SYS_FUTIMESAT, - "NEWFSTATAT": syscall.SYS_NEWFSTATAT, - "UNLINKAT": syscall.SYS_UNLINKAT, - "RENAMEAT": syscall.SYS_RENAMEAT, - "LINKAT": syscall.SYS_LINKAT, - "SYMLINKAT": syscall.SYS_SYMLINKAT, - "READLINKAT": syscall.SYS_READLINKAT, - "FCHMODAT": syscall.SYS_FCHMODAT, - "FACCESSAT": syscall.SYS_FACCESSAT, - "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, - "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, - "MOVE_PAGES": syscall.SYS_MOVE_PAGES, - "GETCPU": syscall.SYS_GETCPU, - "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT, - "UTIMENSAT": syscall.SYS_UTIMENSAT, - "SIGNALFD": syscall.SYS_SIGNALFD, - "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, - "EVENTFD": syscall.SYS_EVENTFD, - "SYNC_FILE_RANGE2": syscall.SYS_SYNC_FILE_RANGE2, - "FALLOCATE": syscall.SYS_FALLOCATE, - "SUBPAGE_PROT": syscall.SYS_SUBPAGE_PROT, - "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, - "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, - "SIGNALFD4": syscall.SYS_SIGNALFD4, - "EVENTFD2": syscall.SYS_EVENTFD2, - "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, - "DUP3": syscall.SYS_DUP3, - "PIPE2": syscall.SYS_PIPE2, - "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, - "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, - "PREADV": syscall.SYS_PREADV, - "PWRITEV": syscall.SYS_PWRITEV, - "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, - "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, - "FANOTIFY_MARK": 
syscall.SYS_FANOTIFY_MARK, - "PRLIMIT64": syscall.SYS_PRLIMIT64, - "SOCKET": syscall.SYS_SOCKET, - "BIND": syscall.SYS_BIND, - "CONNECT": syscall.SYS_CONNECT, - "LISTEN": syscall.SYS_LISTEN, - "ACCEPT": syscall.SYS_ACCEPT, - "GETSOCKNAME": syscall.SYS_GETSOCKNAME, - "GETPEERNAME": syscall.SYS_GETPEERNAME, - "SOCKETPAIR": syscall.SYS_SOCKETPAIR, - "SEND": syscall.SYS_SEND, - "SENDTO": syscall.SYS_SENDTO, - "RECV": syscall.SYS_RECV, - "RECVFROM": syscall.SYS_RECVFROM, - "SHUTDOWN": syscall.SYS_SHUTDOWN, - "SETSOCKOPT": syscall.SYS_SETSOCKOPT, - "GETSOCKOPT": syscall.SYS_GETSOCKOPT, - "SENDMSG": syscall.SYS_SENDMSG, - "RECVMSG": syscall.SYS_RECVMSG, - "RECVMMSG": syscall.SYS_RECVMMSG, - "ACCEPT4": syscall.SYS_ACCEPT4, - "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT, - "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT, - "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME, - "SYNCFS": syscall.SYS_SYNCFS, - "SENDMMSG": syscall.SYS_SENDMMSG, - "SETNS": syscall.SYS_SETNS, - "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV, - "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV, - "FINIT_MODULE": syscall.SYS_FINIT_MODULE, - "KCMP": syscall.SYS_KCMP, -} - -var SyscallMapMin = map[string]int{ - "WRITE": syscall.SYS_WRITE, - "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, - "EXIT_GROUP": syscall.SYS_EXIT_GROUP, - "FUTEX": syscall.SYS_FUTEX, -} From 4a99434e8ba98a53ed9d1835833c1d49f5bbdaf4 Mon Sep 17 00:00:00 2001 From: yangshukui Date: Mon, 25 May 2015 05:04:49 -0400 Subject: [PATCH 3/4] add the generated go file Signed-off-by: Yang Shukui --- Makefile | 1 + hack/seccomp.pl | 2 + hack/seccomp.sh | 3 +- seccomp/seccompsyscall.go | 390 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 395 insertions(+), 1 deletion(-) create mode 100644 seccomp/seccompsyscall.go diff --git a/Makefile b/Makefile index ac9570133..6c435b196 100644 --- a/Makefile +++ b/Makefile 
@@ -18,6 +18,7 @@ direct-test-short:
go test $(TEST_TAGS) -cover -test.short -v $(GO_PACKAGES)
direct-build:
+ chmod 755 hack/seccomp.sh
hack/seccomp.sh
go build -v $(GO_PACKAGES)
diff --git a/hack/seccomp.pl b/hack/seccomp.pl
index eed74152a..dc0f6646f 100755
--- a/hack/seccomp.pl
+++ b/hack/seccomp.pl
@@ -28,6 +28,8 @@
close $out;
exit 0;
}
+print "//";
+system("uname -m");
print "package seccomp\r\n\r\n";
print "var syscallMap = map[string] int {\n";
while(<$in>) {
diff --git a/hack/seccomp.sh b/hack/seccomp.sh
index 3b35d500f..40fa02c5c 100755
--- a/hack/seccomp.sh
+++ b/hack/seccomp.sh
@@ -1,3 +1,4 @@
#/bin/bash
-cat seccomp/seccomp_main.go | sed '1,5d' > ~/seccomp_main.go
+
+chmod 755 hack/seccomp.pl
hack/seccomp.pl < hack/syscall.sample > seccomp/seccompsyscall.go
diff --git a/seccomp/seccompsyscall.go b/seccomp/seccompsyscall.go
new file mode 100644
index 000000000..d7674d1a2
--- /dev/null
+++ b/seccomp/seccompsyscall.go
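Review bot: The architecture the two new lines write into the generated file comes from `uname -m` on the build host, so `seccomp/seccompsyscall.go` matches the machine that ran `make` rather than `GOARCH`; a binary cross-compiled for another architecture would carry the wrong syscall numbers, and a seccomp filter built from a wrong table allows or blocks the wrong syscalls. Because the host name is only emitted as a comment (the generated file starts with `//x86_64`), nothing catches the mismatch at build time. Translating the `uname` result to the Go arch name and emitting a build constraint instead, e.g. `print "// +build amd64\n\n";`, would make a table generated on the wrong host fail to compile rather than load.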
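Review bot: The first line of hack/seccomp.sh is `#/bin/bash`, missing the `!`, so the script has no shebang and only runs because the calling shell falls back to interpreting it; since the file is being edited here, it should become `#!/bin/bash` with `set -eu` so a generator failure aborts the build instead of going unnoticed. The new `chmod 755 hack/seccomp.pl` line, like the `chmod 755 hack/seccomp.sh` added in the Makefile hunk above, is redundant with the tracked file mode — both `index` lines show `100755` — and can be dropped.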
@@ -0,0 +1,390 @@ +//x86_64 +package seccomp + +var syscallMap = map[string] int { + "access" : 21, + "chdir" : 80, + "chmod" : 90, + "chown" : 92, + "chown32" : -1, + "close" : 3, + "creat" : 85, + "dup" : 32, + "dup2" : 33, + "dup3" : 292, + "epoll_create" : 213, + "epoll_create1" : 291, + "epoll_ctl" : 233, + "epoll_ctl_old" : 214, + "epoll_pwait" : 281, + "epoll_wait" : 232, + "epoll_wait_old" : 215, + "eventfd" : 284, + "eventfd2" : 290, + "faccessat" : 269, + "fadvise64" : 221, + "fadvise64_64" : -1, + "fallocate" : 285, + "fanotify_init" : 300, + "fanotify_mark" : 301, + "ioctl" : 16, + "fchdir" : 81, + "fchmod" : 91, + "fchmodat" : 268, + "fchown" : 93, + "fchown32" : -1, + "fchownat" : 260, + "fcntl" : 72, + "fcntl64" : -1, + "fdatasync" : 75, + "fgetxattr" : 193, + "flistxattr" : 196, + "flock" : 73, + "fremovexattr" : 199, + "fsetxattr" : 190, + "fstat" : 5, + "fstat64" : -1, + "fstatat64" : -1, + "fstatfs" : 138, + "fstatfs64" : -1, + "fsync" : 74, + "ftruncate" : 77, + "ftruncate64" : -1, + "getcwd" : 79, + "getdents" : 78, + "getdents64" : 217, + "getxattr" : 191, + "inotify_add_watch" : 254, + "inotify_init" : 253, + "inotify_init1" : 294, + "inotify_rm_watch" : 255, + "io_cancel" : 210, + "io_destroy" : 207, + "io_getevents" : 208, + "io_setup" : 206, + "io_submit" : 209, + "lchown" : 94, + "lchown32" : -1, + "lgetxattr" : 192, + "link" : 86, + "linkat" : 265, + "listxattr" : 194, + "llistxattr" : 195, + "llseek" : -1, + "_llseek" : -1, + "lremovexattr" : 198, + "lseek" : 8, + "lsetxattr" : 189, + "lstat" : 6, + "lstat64" : -1, + "mkdir" : 83, + "mkdirat" : 258, + "mknod" : 133, + "mknodat" : 259, + "newfstatat" : 262, + "_newselect" : -1, + "oldfstat" : -1, + "oldlstat" : -1, + "oldolduname" : -1, + "oldstat" : -1, + "olduname" : -1, + "oldwait4" : -1, + "open" : 2, + "openat" : 257, + "pipe" : 22, + "pipe2" : 293, + "poll" : 7, + "ppoll" : 271, + "pread64" : 17, + "preadv" : 295, + "futimesat" : 261, + "pselect6" : 270, + "pwrite64" : 18, + 
"pwritev" : 296, + "read" : 0, + "readahead" : 187, + "readdir" : -1, + "readlink" : 89, + "readlinkat" : 267, + "readv" : 19, + "removexattr" : 197, + "rename" : 82, + "renameat" : 264, + "rmdir" : 84, + "select" : 23, + "sendfile" : 40, + "sendfile64" : -1, + "setxattr" : 188, + "splice" : 275, + "stat" : 4, + "stat64" : -1, + "statfs" : 137, + "statfs64" : -1, + "symlink" : 88, + "symlinkat" : 266, + "sync" : 162, + "sync_file_range" : 277, + "sync_file_range2" : -1, + "syncfs" : 306, + "tee" : 276, + "truncate" : 76, + "truncate64" : -1, + "umask" : 95, + "unlink" : 87, + "unlinkat" : 263, + "ustat" : 136, + "utime" : 132, + "utimensat" : 280, + "utimes" : 235, + "write" : 1, + "writev" : 20, + "accept" : 43, + "accept4" : 288, + "bind" : 49, + "connect" : 42, + "getpeername" : 52, + "getsockname" : 51, + "getsockopt" : 55, + "listen" : 50, + "recv" : -1, + "recvfrom" : 45, + "recvmmsg" : 299, + "recvmsg" : 47, + "send" : -1, + "sendmmsg" : 307, + "sendmsg" : 46, + "sendto" : 44, + "setsockopt" : 54, + "shutdown" : 48, + "socket" : 41, + "socketcall" : -1, + "socketpair" : 53, + "sethostname" : 170, + "pause" : 34, + "rt_sigaction" : 13, + "rt_sigpending" : 127, + "rt_sigprocmask" : 14, + "rt_sigqueueinfo" : 129, + "rt_sigreturn" : 15, + "rt_sigsuspend" : 130, + "rt_sigtimedwait" : 128, + "rt_tgsigqueueinfo" : 297, + "sigaction" : -1, + "sigaltstack" : 131, + "signal" : -1, + "signalfd" : 282, + "signalfd4" : 289, + "sigpending" : -1, + "sigprocmask" : -1, + "sigreturn" : -1, + "sigsuspend" : -1, + "alarm" : 37, + "brk" : 12, + "clock_adjtime" : 305, + "clock_getres" : 229, + "clock_gettime" : 228, + "clock_nanosleep" : 230, + "clock_settime" : 227, + "gettimeofday" : 96, + "nanosleep" : 35, + "nice" : -1, + "sysinfo" : 99, + "syslog" : 103, + "time" : 201, + "timer_create" : 222, + "timer_delete" : 226, + "timerfd_create" : 283, + "timerfd_gettime" : 287, + "timerfd_settime" : 286, + "timer_getoverrun" : 225, + "timer_gettime" : 224, + "timer_settime" : 223, + 
"times" : 100, + "uname" : 63, + "madvise" : 28, + "mbind" : 237, + "mincore" : 27, + "mlock" : 149, + "mlockall" : 151, + "mmap" : 9, + "mmap2" : -1, + "mprotect" : 10, + "mremap" : 25, + "msync" : 26, + "munlock" : 150, + "munlockall" : 152, + "munmap" : 11, + "remap_file_pages" : 216, + "set_mempolicy" : 238, + "vmsplice" : 278, + "capget" : 125, + "capset" : 126, + "clone" : 56, + "execve" : 59, + "exit" : 60, + "exit_group" : 231, + "fork" : 57, + "getcpu" : 309, + "getpgid" : 121, + "getpgrp" : 111, + "getpid" : 39, + "getppid" : 110, + "getpriority" : 140, + "getresgid" : 120, + "getresgid32" : -1, + "getresuid" : 118, + "getresuid32" : -1, + "getrlimit" : 97, + "getrusage" : 98, + "getsid" : 124, + "getuid" : 102, + "getuid32" : -1, + "getegid" : 108, + "getegid32" : -1, + "geteuid" : 107, + "geteuid32" : -1, + "getgid" : 104, + "getgid32" : -1, + "getgroups" : 115, + "getgroups32" : -1, + "getitimer" : 36, + "get_mempolicy" : 239, + "kill" : 62, + "prctl" : 157, + "prlimit64" : 302, + "sched_getaffinity" : 204, + "sched_getparam" : 143, + "sched_get_priority_max" : 146, + "sched_get_priority_min" : 147, + "sched_getscheduler" : 145, + "sched_rr_get_interval" : 148, + "sched_setaffinity" : 203, + "sched_setparam" : 142, + "sched_setscheduler" : 144, + "sched_yield" : 24, + "setfsgid" : 123, + "setfsgid32" : -1, + "setfsuid" : 122, + "setfsuid32" : -1, + "setgid" : 106, + "setgid32" : -1, + "setgroups" : 116, + "setgroups32" : -1, + "setitimer" : 38, + "setpgid" : 109, + "setpriority" : 141, + "setregid" : 114, + "setregid32" : -1, + "setresgid" : 119, + "setresgid32" : -1, + "setresuid" : 117, + "setresuid32" : -1, + "setreuid" : 113, + "setreuid32" : -1, + "setrlimit" : 160, + "setsid" : 112, + "setuid" : 105, + "setuid32" : -1, + "ugetrlimit" : -1, + "vfork" : 58, + "wait4" : 61, + "waitid" : 247, + "waitpid" : -1, + "ipc" : -1, + "mq_getsetattr" : 245, + "mq_notify" : 244, + "mq_open" : 240, + "mq_timedreceive" : 243, + "mq_timedsend" : 242, + 
"mq_unlink" : 241, + "msgctl" : 71, + "msgget" : 68, + "msgrcv" : 70, + "msgsnd" : 69, + "semctl" : 66, + "semget" : 64, + "semop" : 65, + "semtimedop" : 220, + "shmat" : 30, + "shmctl" : 31, + "shmdt" : 67, + "shmget" : 29, + "arch_prctl" : 158, + "get_robust_list" : 274, + "get_thread_area" : 211, + "gettid" : 186, + "futex" : 202, + "restart_syscall" : 219, + "set_robust_list" : 273, + "set_thread_area" : 205, + "set_tid_address" : 218, + "tgkill" : 234, + "tkill" : 200, + "acct" : 163, + "adjtimex" : 159, + "bdflush" : -1, + "chroot" : 161, + "create_module" : 174, + "delete_module" : 176, + "get_kernel_syms" : 177, + "idle" : -1, + "init_module" : 175, + "ioperm" : 173, + "iopl" : 172, + "ioprio_get" : 252, + "ioprio_set" : 251, + "kexec_load" : 246, + "lookup_dcookie" : 212, + "migrate_pages" : 256, + "modify_ldt" : 154, + "mount" : 165, + "move_pages" : 279, + "name_to_handle_at" : 303, + "nfsservctl" : 180, + "open_by_handle_at" : 304, + "perf_event_open" : 298, + "pivot_root" : 155, + "process_vm_readv" : 310, + "process_vm_writev" : 311, + "ptrace" : 101, + "query_module" : 178, + "quotactl" : 179, + "reboot" : 169, + "setdomainname" : 171, + "setns" : 308, + "settimeofday" : 164, + "sgetmask" : -1, + "ssetmask" : -1, + "stime" : -1, + "swapoff" : 168, + "swapon" : 167, + "_sysctl" : 156, + "sysfs" : 139, + "sys_setaltroot" : -1, + "umount" : -1, + "umount2" : 166, + "unshare" : 272, + "uselib" : 134, + "vhangup" : 153, + "vm86" : -1, + "vm86old" : -1, + "add_key" : 248, + "keyctl" : 250, + "request_key" : 249, + "afs_syscall" : 183, + "break" : -1, + "ftime" : -1, + "getpmsg" : 181, + "gtty" : -1, + "lock" : -1, + "madvise1" : -1, + "mpx" : -1, + "prof" : -1, + "profil" : -1, + "putpmsg" : 182, + "security" : 185, + "stty" : -1, + "tuxcall" : 184, + "ulimit" : -1, + "vserver" : 236, +} From 5edcda910e1ea71312aa1319a66b1b4237acee09 Mon Sep 17 00:00:00 2001 From: Michael Crosby Date: Fri, 29 May 2015 15:24:18 -0700 Subject: [PATCH 4/4] Improve seccomp API 
Signed-off-by: Michael Crosby Conflicts: configs/config.go container_linux.go seccomp/seccomp.go seccomp/seccomp.test --- Makefile | 2 - configs/config.go | 40 ++- configs/namespaces_syscall.go | 17 +- configs/namespaces_unix.go | 13 +- container_linux.go | 7 - hack/seccomp.pl | 58 ---- hack/seccomp.sh | 4 - hack/syscall.sample | 405 ------------------------- init_linux.go | 58 +++- integration/exec_test.go | 118 +------- integration/template_test.go | 4 - integration/utils_test.go | 6 +- nsinit/config.go | 53 ++-- nsinit/security.go | 272 +++++++++++++++++ seccomp/bpf.go | 32 ++ seccomp/context.go | 144 +++++++++ seccomp/filter.go | 116 ++++++++ seccomp/jump_amd64.go | 68 +++++ seccomp/seccomp.go | 536 +++++----------------------------- seccomp/seccomp.test | 107 ------- seccomp/seccomp386.go | 117 -------- seccomp/seccomp_test.go | 58 ---- seccomp/seccompsyscall.go | 390 ------------------------- system/setns_linux.go | 8 +- 24 files changed, 853 insertions(+), 1780 deletions(-) delete mode 100755 hack/seccomp.pl delete mode 100755 hack/seccomp.sh delete mode 100644 hack/syscall.sample create mode 100644 nsinit/security.go create mode 100644 seccomp/bpf.go create mode 100644 seccomp/context.go create mode 100644 seccomp/filter.go create mode 100644 seccomp/jump_amd64.go delete mode 100644 seccomp/seccomp.test delete mode 100644 seccomp/seccomp386.go delete mode 100644 seccomp/seccomp_test.go delete mode 100644 seccomp/seccompsyscall.go diff --git a/Makefile b/Makefile index 6c435b196..1a2e23e04 100644 --- a/Makefile +++ b/Makefile @@ -18,8 +18,6 @@ direct-test-short: go test $(TEST_TAGS) -cover -test.short -v $(GO_PACKAGES) direct-build: - chmod 755 hack/seccomp.sh - hack/seccomp.sh go build -v $(GO_PACKAGES) direct-install: diff --git a/configs/config.go b/configs/config.go index e75e5701a..7275b6421 100644 --- a/configs/config.go +++ b/configs/config.go 
@@ -13,8 +13,38 @@ type IDMap struct {
Size int `json:"size"`
}
-type SeccompConf struct {
- SysCalls []int `json:"syscalls"`
+type Seccomp struct {
+ Syscalls []*Syscall `json:"syscalls"`
+}
+
+type Action int
+
+const (
+ Kill Action = iota - 3
+ Trap
+ Allow
+)
+
+type Operator int
+
+const (
+ EqualTo Operator = iota
+ NotEqualTo
+ GreatherThan
+ LessThan
+ MaskEqualTo
+)
+
+type Arg struct {
+ Index int `json:"index"`
+ Value uint32 `json:"value"`
+ Op Operator `json:"op"`
+}
+
+type Syscall struct {
+ Value int `json:"value"`
+ Action Action `json:"action"`
+ Args []*Arg `json:"args"`
}
// TODO Windows. Many of these fields should be factored out into those parts
@@ -109,6 +139,8 @@ type Config struct {
// sysctl -w my.property.name value in Linux.
SystemProperties map[string]string `json:"system_properties"`
- // SysCalls specify the system calls to keep when executing the process inside the container
- Seccomps SeccompConf `json:"seccomp"`
+ // Seccomp allows actions to be taken whenever a syscall is made within the container.
+ // By default, all syscalls are allowed with actions to allow, trap, kill, or return an errno
+ // can be specified on a per syscall basis.
+ Seccomp *Seccomp `json:"seccomp"`
}
diff --git a/configs/namespaces_syscall.go b/configs/namespaces_syscall.go
index d3bd38934..c962999ef 100644
--- a/configs/namespaces_syscall.go
+++ b/configs/namespaces_syscall.go
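Review bot: The `Action` encoding in the first hunk is undocumented: `Kill Action = iota - 3` places Kill, Trap and Allow at -3, -2 and -1 so that any non-negative value can carry an errno (init_linux.go later does `seccomp.Error(syscall.Errno(int(a)))` for everything else), but nothing on the type says so, and someone writing `"action": 1` in JSON cannot tell that it means errno 1 rather than the second constant. Add a doc comment on the type, e.g. `// Action is the decision taken for a matched syscall: Kill, Trap, Allow, or a non-negative errno value returned to the caller.` `Seccomp` also has no default-action field, so the only expressible policy is allow-by-default with per-syscall exceptions; an allowlist that denies unlisted syscalls cannot be written, and the second hunk's comment ("By default, all syscalls are allowed") should state that as a limitation of the config rather than read as a feature. `GreatherThan` is a typo in an exported identifier that becomes hard to fix once it is public API; rename it to `GreaterThan` before merging.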
@@ -4,22 +4,17 @@ package configs
import "syscall"
-var (
- CLONE_SECCOMP = 0x10000 //diffrent from other flag, hard code
-)
-
func (n *Namespace) Syscall() int {
return namespaceInfo[n.Type]
}
var namespaceInfo = map[NamespaceType]int{
- NEWNET: syscall.CLONE_NEWNET,
- NEWNS: syscall.CLONE_NEWNS,
- NEWUSER: syscall.CLONE_NEWUSER,
- NEWIPC: syscall.CLONE_NEWIPC,
- NEWUTS: syscall.CLONE_NEWUTS,
- NEWPID: syscall.CLONE_NEWPID,
- NEWSECCOMP: CLONE_SECCOMP,
+ NEWNET: syscall.CLONE_NEWNET,
+ NEWNS: syscall.CLONE_NEWNS,
+ NEWUSER: syscall.CLONE_NEWUSER,
+ NEWIPC: syscall.CLONE_NEWIPC,
+ NEWUTS: syscall.CLONE_NEWUTS,
+ NEWPID: syscall.CLONE_NEWPID,
}
// CloneFlags parses the container's Namespaces options to set the correct
diff --git a/configs/namespaces_unix.go b/configs/namespaces_unix.go
index 61dd74b89..7bc908546 100644
--- a/configs/namespaces_unix.go
+++ b/configs/namespaces_unix.go
@@ -5,13 +5,12 @@ package configs
import "fmt"
const (
- NEWNET NamespaceType = "NEWNET"
- NEWPID NamespaceType = "NEWPID"
- NEWNS NamespaceType = "NEWNS"
- NEWUTS NamespaceType = "NEWUTS"
- NEWIPC NamespaceType = "NEWIPC"
- NEWUSER NamespaceType = "NEWUSER"
- NEWSECCOMP NamespaceType = "NEWSECCOMP"
+ NEWNET NamespaceType = "NEWNET"
+ NEWPID NamespaceType = "NEWPID"
+ NEWNS NamespaceType = "NEWNS"
+ NEWUTS NamespaceType = "NEWUTS"
+ NEWIPC NamespaceType = "NEWIPC"
+ NEWUSER NamespaceType = "NEWUSER"
)
func NamespaceTypes() []NamespaceType {
diff --git a/container_linux.go b/container_linux.go
index b833c9e54..215f35d38 100644
--- a/container_linux.go
+++ b/container_linux.go
@@ -169,13 +169,6 @@ func (c *linuxContainer) newInitProcess(p *Process, cmd *exec.Cmd, parentPipe, c
cmd.SysProcAttr.Credential = &syscall.Credential{}
}
}
- if cloneFlags&uintptr(configs.CLONE_SECCOMP) != 0 {
- //os don't surport for CLONE_SECCOMP, remote it
- c.config.Namespaces.Remove(configs.NEWSECCOMP)
- cloneFlags = c.config.Namespaces.CloneFlags()
- } else {
- c.config.Seccomps.SysCalls = []int{}
- }
cmd.Env = append(cmd.Env, t)
cmd.SysProcAttr.Cloneflags = cloneFlags
return &initProcess{
diff --git a/hack/seccomp.pl b/hack/seccomp.pl
deleted file mode 100755
index dc0f6646f..000000000
--- a/hack/seccomp.pl
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/usr/bin/perl
-
-# ./seccomp.pl < syscall.sample > seccompsyscall.go
-
-use strict;
-use warnings;
-
-my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";
-
-if($pid == 0) {
- $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";
- if($pid == 0) {
- exec "cpp" or die "Couldn't exec cpp ($!)\n";
- exit 1;
- }
-
- print $out "#include \n";
- while(<>) {
- if(/^\w/) {
- my $name="$_";
- chomp($name);
-
- print $out $name;
- print $out " = ";
- print $out "__NR_$_";
- }
- }
- close $out;
- exit 0;
-}
-print "//";
-system("uname -m");
-print "package seccomp\r\n\r\n";
-print "var syscallMap = map[string] int {\n";
-while(<$in>) {
- my $line=$_;
-
- if($line =~ /^[\da-z_]/)
- {
- my @personal=split(/=/);
- $personal[0] =~ s/[ ]//;
- $personal[1] =~ s/[\r\n]//;
- print " \"";
- print $personal[0];
- print "\"";
- print " : ";
- if (($personal[1] !~ /[0-9]/) || length($personal[1]) > 4)
- {
- print "-1,\r\n";
- }else{
- print $personal[1];
- print ",\r\n";
- }
- }
-}
-
-print "}\r\n";
-
diff --git a/hack/seccomp.sh b/hack/seccomp.sh
deleted file mode 100755
index 40fa02c5c..000000000
--- a/hack/seccomp.sh
+++ /dev/null
@@ -1,4 +0,0 @@
-#/bin/bash
-
-chmod 755 hack/seccomp.pl
-hack/seccomp.pl < hack/syscall.sample > seccomp/seccompsyscall.go
diff --git a/hack/syscall.sample b/hack/syscall.sample deleted file mode 100644 index b1f61d5d7..000000000 --- a/hack/syscall.sample +++ /dev/null 
@@ -1,405 +0,0 @@ -access -chdir -chmod -chown -chown32 -close -creat -dup -dup2 -dup3 -epoll_create -epoll_create1 -epoll_ctl -epoll_ctl_old -epoll_pwait -epoll_wait -epoll_wait_old -eventfd -eventfd2 -faccessat -fadvise64 -fadvise64_64 -fallocate -fanotify_init -fanotify_mark -ioctl -fchdir -fchmod -fchmodat -fchown -fchown32 -fchownat -fcntl -fcntl64 -fdatasync -fgetxattr -flistxattr -flock -fremovexattr -fsetxattr -fstat -fstat64 -fstatat64 -fstatfs -fstatfs64 -fsync -ftruncate -ftruncate64 -getcwd -getdents -getdents64 -getxattr -inotify_add_watch -inotify_init -inotify_init1 -inotify_rm_watch -io_cancel -io_destroy -io_getevents -io_setup -io_submit -lchown -lchown32 -lgetxattr -link -linkat -listxattr -llistxattr -llseek -_llseek -lremovexattr -lseek -lsetxattr -lstat -lstat64 -mkdir -mkdirat -mknod -mknodat -newfstatat -_newselect -oldfstat -oldlstat -oldolduname -oldstat -olduname -oldwait4 -open -openat -pipe -pipe2 -poll -ppoll -pread64 -preadv -futimesat -pselect6 -pwrite64 -pwritev -read -readahead -readdir -readlink -readlinkat -readv -removexattr -rename -renameat -rmdir -select -sendfile -sendfile64 -setxattr -splice -stat -stat64 -statfs -statfs64 -symlink -symlinkat -sync -sync_file_range -sync_file_range2 -syncfs -tee -truncate -truncate64 -umask -unlink -unlinkat -ustat -utime -utimensat -utimes -write -writev - -// Network related -accept -accept4 -bind -connect -getpeername -getsockname -getsockopt -listen -recv -recvfrom -recvmmsg -recvmsg -send -sendmmsg -sendmsg -sendto -setsockopt -shutdown -socket -socketcall -socketpair -sethostname - -// Signal related -pause -rt_sigaction -rt_sigpending -rt_sigprocmask -rt_sigqueueinfo -rt_sigreturn -rt_sigsuspend -rt_sigtimedwait -rt_tgsigqueueinfo -sigaction -sigaltstack -signal -signalfd -signalfd4 -sigpending -sigprocmask -sigreturn -sigsuspend - -// Other needed POSIX -alarm -brk -clock_adjtime -clock_getres -clock_gettime -clock_nanosleep -clock_settime -gettimeofday -nanosleep -nice -sysinfo 
-syslog -time -timer_create -timer_delete -timerfd_create -timerfd_gettime -timerfd_settime -timer_getoverrun -timer_gettime -timer_settime -times -uname - -// Memory control -madvise -mbind -mincore -mlock -mlockall -mmap -mmap2 -mprotect -mremap -msync -munlock -munlockall -munmap -remap_file_pages -set_mempolicy -vmsplice - -// Process control -capget -capset -clone -execve -exit -exit_group -fork -getcpu -getpgid -getpgrp -getpid -getppid -getpriority -getresgid -getresgid32 -getresuid -getresuid32 -getrlimit -getrusage -getsid -getuid -getuid32 -getegid -getegid32 -geteuid -geteuid32 -getgid -getgid32 -getgroups -getgroups32 -getitimer -get_mempolicy -kill -prctl -prlimit64 -sched_getaffinity -sched_getparam -sched_get_priority_max -sched_get_priority_min -sched_getscheduler -sched_rr_get_interval -sched_setaffinity -sched_setparam -sched_setscheduler -sched_yield -setfsgid -setfsgid32 -setfsuid -setfsuid32 -setgid -setgid32 -setgroups -setgroups32 -setitimer -setpgid -setpriority -setregid -setregid32 -setresgid -setresgid32 -setresuid -setresuid32 -setreuid -setreuid32 -setrlimit -setsid -setuid -setuid32 -ugetrlimit -vfork -wait4 -waitid -waitpid - -// IPC -ipc -mq_getsetattr -mq_notify -mq_open -mq_timedreceive -mq_timedsend -mq_unlink -msgctl -msgget -msgrcv -msgsnd -semctl -semget -semop -semtimedop -shmat -shmctl -shmdt -shmget - -// Linux specific, mostly needed for thread-related stuff -arch_prctl -get_robust_list -get_thread_area -gettid -futex -restart_syscall -set_robust_list -set_thread_area -set_tid_address -tgkill -tkill - -// Admin syscalls, these are blocked -acct -adjtimex -bdflush -chroot -create_module -delete_module -get_kernel_syms -idle -init_module -ioperm -iopl -ioprio_get -ioprio_set -kexec_load -lookup_dcookie -migrate_pages -modify_ldt -mount -move_pages -name_to_handle_at -nfsservctl -open_by_handle_at -perf_event_open -pivot_root -process_vm_readv -process_vm_writev -ptrace -query_module -quotactl -reboot -setdomainname -setns 
-settimeofday -sgetmask -ssetmask -stime -swapoff -swapon -_sysctl -sysfs -sys_setaltroot -umount -umount2 -unshare -uselib -vhangup -vm86 -vm86old - -// Kernel key management -add_key -keyctl -request_key - -// Unimplemented -afs_syscall -break -ftime -getpmsg -gtty -lock -madvise1 -mpx -prof -profil -putpmsg -security -stty -tuxcall -ulimit -vserver diff --git a/init_linux.go b/init_linux.go index bd97364e5..3eabe3cd6 100644 --- a/init_linux.go +++ b/init_linux.go 
@@ -262,13 +262,59 @@ func killCgroupProcesses(m cgroups.Manager) error { } func finalizeSeccomp(config *initConfig) error { - if len(config.Config.Seccomps.SysCalls) > 0 { - scmpCtx, _ := seccomp.ScmpInit(seccomp.ScmpActAllow) - for _, key := range config.Config.Seccomps.SysCalls { - seccomp.ScmpAdd(scmpCtx, key, seccomp.ScmpActAllow) + if config.Config.Seccomp == nil { + return nil + } + context := seccomp.New() + for _, s := range config.Config.Seccomp.Syscalls { + ss := &seccomp.Syscall{ + Value: uint32(s.Value), + Action: seccompAction(s.Action), + } + if len(s.Args) > 0 { + ss.Args = seccompArgs(s.Args) } - return seccomp.ScmpLoad(scmpCtx) + context.Add(ss) } + return context.Load() +} - return nil +func seccompAction(a configs.Action) seccomp.Action { + switch a { + case configs.Kill: + return seccomp.Kill + case configs.Trap: + return seccomp.Trap + case configs.Allow: + return seccomp.Allow + } + return seccomp.Error(syscall.Errno(int(a))) +} + +func seccompArgs(args []*configs.Arg) seccomp.Args { + var sa []seccomp.Arg + for _, a := range args { + sa = append(sa, seccomp.Arg{ + Index: uint32(a.Index), + Op: seccompOperator(a.Op), + Value: uint(a.Value), + }) + } + return seccomp.Args{sa} +} + +func seccompOperator(o configs.Operator) seccomp.Operator { + switch o { + case configs.EqualTo: + return seccomp.EqualTo + case configs.NotEqualTo: + return seccomp.NotEqualTo + case configs.GreatherThan: + return seccomp.GreatherThan + case configs.LessThan: + return seccomp.LessThan + case configs.MaskEqualTo: + return seccomp.MaskEqualTo + } + return 0 } diff --git a/integration/exec_test.go b/integration/exec_test.go index f9dcc0037..3b8a83b73 100644 --- a/integration/exec_test.go +++ b/integration/exec_test.go @@ -1,15 +1,10 @@ package integration import ( - "bufio" "bytes" - "errors" - "fmt" - "io" "io/ioutil" "os" "path/filepath" - "runtime" "strconv" "strings" "syscall" 
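Review bot: `seccompOperator` returns `0`, which is `seccomp.EqualTo`, for any operator it does not recognise, so an unsupported or mistyped operator in the config silently turns into an equality match instead of an error; since `filter.op` in seccomp/filter.go already rejects unknown operators with `ErrUnsupportedOperation`, returning a value outside the enum, e.g. `return seccomp.Operator(-1)`, lets `Load()` fail closed. `seccompArgs` also puts every configured argument into one group (`seccomp.Args{sa}`); if the builder loads only the first argument's index per group, as `addArguments` in seccomp/filter.go appears to, rules on different `Index` values for the same syscall are compared against the wrong register, so either emit one group per `Index` or state the limitation in a comment. A one-line doc comment on `finalizeSeccomp`, such as `// finalizeSeccomp installs the configured seccomp filter; a nil Seccomp config installs no filter at all.`, would make the default-allow behaviour explicit.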
@@ -720,119 +715,26 @@ func TestSystemProperties(t *testing.T) { } } -func genSeccompConfigFile(file string, calls []int) error { - callBegin := 0 - callEnd := 0 - if runtime.GOARCH == "386" { - callEnd = 340 - } else if runtime.GOARCH == "amd64" { - callEnd = 302 - } else if runtime.GOARCH == "arm" { - callEnd = 377 - } else if runtime.GOARCH == "arm64" { - callEnd = 281 - } else if runtime.GOARCH == "ppc64" || runtime.GOARCH == "ppc64le" { - callEnd = 354 - } - - conf := fmt.Sprintf("%d\nwhitelist\n", 1) - i := 0 - nr := callBegin - for nr <= callEnd { - j := 0 - for _, key := range calls { - if nr == key { - break - } - j++ - } - if j == len(calls) { - callfilter := fmt.Sprintf("%d\n", nr) - conf += callfilter - i++ - } - nr++ - } - fout, err := os.Create(file) - defer fout.Close() - if err == nil { - fout.WriteString(conf) - } - return nil -} - -func genSeccompSyscall(configFile string, Seccomps *configs.SeccompConf) error { - f, err := os.Open(configFile) - defer f.Close() - if nil == err { - buff := bufio.NewReader(f) - firstl, err := buff.ReadString('\n') - if err != nil || io.EOF == err { - return errors.New("initSeccomp ReadString, firstl") - } - ver := 0 - fmt.Sscanf(firstl, "%d\n", &ver) - if err != nil || 1 != ver { - return errors.New("initSeccomp Sscanf") - } - - secondl, err := buff.ReadString('\n') - if err != nil || io.EOF == err || strings.EqualFold(secondl, "whitelist") { - return errors.New("initSeccomp ReadString, secondl") - } - nr := 0 - for { - line, err := buff.ReadString('\n') - if err != nil || io.EOF == err { - break - } - fmt.Sscanf(line, "%d\n", &nr) - Seccomps.SysCalls = append(Seccomps.SysCalls, nr) - } - return nil - } - return nil -} - -func TestSeccompNotStat(t *testing.T) { +func TestSeccompNoChown(t *testing.T) { if testing.Short() { return } - rootfs, err := newRootfs() if err != nil { t.Fatal(err) } defer remove(rootfs) config := newTemplateConfig(rootfs) - exceptCall := []int{syscall.SYS_STAT} - 
genSeccompConfigFile("seccomp.conf", exceptCall) - genSeccompSyscall("seccomp.conf", &config.Seccomps) - out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l") + config.Seccomp = &configs.Seccomp{} + config.Seccomp.Syscalls = append(config.Seccomp.Syscalls, &configs.Syscall{ + Value: syscall.SYS_CHOWN, + Action: configs.Action(syscall.EPERM), + }) + buffers, _, err := runContainer(config, "", "/bin/sh", "-c", "chown 1:1 /tmp") if err == nil { - t.Fatal("runontainer[ls without SYS_STAT] should be failed") - } else { - fmt.Println(out) - } -} - -func TestSeccompStat(t *testing.T) { - if testing.Short() { - return + t.Fatal("running chown in a container should fail") } - rootfs, err := newRootfs() - if err != nil { - t.Fatal(err) - } - defer remove(rootfs) - - config := newTemplateConfig(rootfs) - exceptCall := []int{} - genSeccompConfigFile("seccomp.conf", exceptCall) - genSeccompSyscall("seccomp.conf", &config.Seccomps) - out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l") - if err != nil { - t.Fatal(err) + if s := buffers.String(); !strings.Contains(s, "not permitted") { + t.Fatalf("running chown should result in an EPERM but got %q", s) } - fmt.Println(out) } diff --git a/integration/template_test.go b/integration/template_test.go index 02a738e9f..cb991b417 100644 --- a/integration/template_test.go +++ b/integration/template_test.go @@ -44,7 +44,6 @@ func newTemplateConfig(rootfs string) *configs.Config { {Type: configs.NEWIPC}, {Type: configs.NEWPID}, {Type: configs.NEWNET}, - {Type: configs.NEWSECCOMP}, }), Cgroups: &configs.Cgroup{ Name: "test", @@ -115,8 +114,5 @@ func newTemplateConfig(rootfs string) *configs.Config { Soft: uint64(1025), }, }, - Seccomps: configs.SeccompConf{ - SysCalls: make([]int, 0, 512), - }, } } diff --git a/integration/utils_test.go b/integration/utils_test.go index 41b914cac..0f9181332 100644 --- a/integration/utils_test.go +++ b/integration/utils_test.go 
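Review bot: `TestSeccompNoChown` blocks only `SYS_CHOWN`, but whether the container's `chown` binary issues `chown`, `lchown` or `fchownat` depends on the libc and architecture, so the test can pass or fail for reasons unrelated to the filter; adding the sibling syscalls to the rule set, or picking a command whose syscall is unambiguous, would make the assertion meaningful. I believe `syscall.SYS_CHOWN` is not defined on every GOARCH (arm64 only has the `*at` form), in which case this test file would not compile there. The `strings.Contains(s, "not permitted")` check ties the test to the shell's strerror wording; asserting on the exit code that `runContainer` returns as well would be less brittle.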
@@ -122,11 +122,11 @@ func runContainer(config *configs.Config, console string, args ...string) (buffe err = container.Start(process) if err != nil { - return nil, -1, err + return buffers, -1, err } ps, err := process.Wait() if err != nil { - return nil, -1, err + return buffers, -1, err } status := ps.Sys().(syscall.WaitStatus) if status.Exited() { @@ -134,7 +134,7 @@ func runContainer(config *configs.Config, console string, args ...string) (buffe } else if status.Signaled() { exitCode = -int(status.Signal()) } else { - return nil, -1, err + return buffers, -1, err } return } diff --git a/nsinit/config.go b/nsinit/config.go index bf3506c25..7fb28a58c 100644 --- a/nsinit/config.go +++ b/nsinit/config.go 
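Review bot: The `return buffers, -1, err` in the final `else` branch (wait status neither exited nor signaled) still returns a nil `err`, because `err` was checked right after `process.Wait()`, so callers get exit code -1 with no error and no way to tell why; returning an explicit error there, e.g. `return buffers, -1, fmt.Errorf("unexpected wait status %v", status)` (adding the `fmt` import if the file lacks it), would fix that. Since the function now returns a non-nil `buffers` on failure, which `TestSeccompNoChown` relies on, its doc comment should say so, as Go callers normally treat results as meaningless when `err != nil`. The function's signature and the start of its body are outside the hunk.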
@@ -19,32 +19,33 @@ import ( const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NODEV var createFlags = []cli.Flag{ - cli.IntFlag{Name: "parent-death-signal", Usage: "set the signal that will be delivered to the process in case the parent dies"}, + cli.BoolFlag{Name: "cgroup", Usage: "mount the cgroup data for the container"}, cli.BoolFlag{Name: "read-only", Usage: "set the container's rootfs as read-only"}, - cli.StringSliceFlag{Name: "bind", Value: &cli.StringSlice{}, Usage: "add bind mounts to the container"}, - cli.StringSliceFlag{Name: "tmpfs", Value: &cli.StringSlice{}, Usage: "add tmpfs mounts to the container"}, cli.IntFlag{Name: "cpushares", Usage: "set the cpushares for the container"}, cli.IntFlag{Name: "memory-limit", Usage: "set the memory limit for the container"}, cli.IntFlag{Name: "memory-swap", Usage: "set the memory swap limit for the container"}, + cli.IntFlag{Name: "parent-death-signal", Usage: "set the signal that will be delivered to the process in case the parent dies"}, + cli.IntFlag{Name: "userns-root-uid", Usage: "set the user namespace root uid"}, + cli.IntFlag{Name: "veth-mtu", Usage: "veth mtu"}, + cli.StringFlag{Name: "apparmor-profile", Usage: "set the apparmor profile"}, cli.StringFlag{Name: "cpuset-cpus", Usage: "set the cpuset cpus"}, cli.StringFlag{Name: "cpuset-mems", Usage: "set the cpuset mems"}, - cli.StringFlag{Name: "apparmor-profile", Usage: "set the apparmor profile"}, - cli.StringFlag{Name: "process-label", Usage: "set the process label"}, - cli.StringFlag{Name: "mount-label", Usage: "set the mount label"}, - cli.StringFlag{Name: "rootfs", Usage: "set the rootfs"}, - cli.IntFlag{Name: "userns-root-uid", Usage: "set the user namespace root uid"}, cli.StringFlag{Name: "hostname", Value: "nsinit", Usage: "hostname value for the container"}, - cli.StringFlag{Name: "net", Value: "", Usage: "network namespace"}, cli.StringFlag{Name: "ipc", Value: "", Usage: "ipc namespace"}, + cli.StringFlag{Name: 
"mnt", Value: "", Usage: "mount namespace"}, + cli.StringFlag{Name: "mount-label", Usage: "set the mount label"}, + cli.StringFlag{Name: "net", Value: "", Usage: "network namespace"}, cli.StringFlag{Name: "pid", Value: "", Usage: "pid namespace"}, + cli.StringFlag{Name: "process-label", Usage: "set the process label"}, + cli.StringFlag{Name: "rootfs", Usage: "set the rootfs"}, + cli.StringFlag{Name: "security", Value: "", Usage: "set the security profile (high, medium, low)"}, cli.StringFlag{Name: "uts", Value: "", Usage: "uts namespace"}, - cli.StringFlag{Name: "mnt", Value: "", Usage: "mount namespace"}, - cli.StringFlag{Name: "veth-bridge", Usage: "veth bridge"}, cli.StringFlag{Name: "veth-address", Usage: "veth ip address"}, + cli.StringFlag{Name: "veth-bridge", Usage: "veth bridge"}, cli.StringFlag{Name: "veth-gateway", Usage: "veth gateway address"}, - cli.IntFlag{Name: "veth-mtu", Usage: "veth mtu"}, - cli.BoolFlag{Name: "cgroup", Usage: "mount the cgroup data for the container"}, + cli.StringSliceFlag{Name: "bind", Value: &cli.StringSlice{}, Usage: "add bind mounts to the container"}, cli.StringSliceFlag{Name: "sysctl", Value: &cli.StringSlice{}, Usage: "set system properties in the container"}, + cli.StringSliceFlag{Name: "tmpfs", Value: &cli.StringSlice{}, Usage: "add tmpfs mounts to the container"}, } var configCommand = cli.Command{ 
@@ -203,6 +204,24 @@ func modify(config *configs.Config, context *cli.Context) { Device: "cgroup", }) } + modifySecurityProfile(context, config) +} + +func modifySecurityProfile(context *cli.Context, config *configs.Config) { + profileName := context.String("security") + if profileName == "" { + return + } + profile := profiles[profileName] + if profile == nil { + logrus.Fatalf("invalid profile name %q", profileName) + } + config.Rlimits = profile.Rlimits + config.Capabilities = profile.Capabilities + config.Seccomp = profile.Seccomp + config.AppArmorProfile = profile.ApparmorProfile + config.MountLabel = profile.MountLabel + config.ProcessLabel = profile.ProcessLabel } func getTemplate() *configs.Config { @@ -290,13 +309,5 @@ func getTemplate() *configs.Config { Flags: defaultMountFlags | syscall.MS_RDONLY, }, }, - Rlimits: []configs.Rlimit{ - { - Type: syscall.RLIMIT_NOFILE, - Hard: 1024, - Soft: 1024, - }, - }, } - } diff --git a/nsinit/security.go b/nsinit/security.go new file mode 100644 index 000000000..7835c4b91 --- /dev/null +++ b/nsinit/security.go 
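Review bot: `modifySecurityProfile` runs last in `modify` and copies every field of the profile unconditionally, including the empty `MountLabel`, `ProcessLabel` and `ApparmorProfile` of the three built-in profiles, so `--security` silently discards any `--apparmor-profile`, `--mount-label` or `--process-label` passed on the same command line (assuming those flags are applied earlier in `modify`, which is outside the hunk). Applying the profile before the individual flags, or assigning only non-empty profile fields, keeps the explicit flags meaningful. The assignments also alias the package-level profile's `Rlimits` slice and `Seccomp` pointer into the config, so any later mutation of `config` changes the shared profile; `config.Rlimits = append([]configs.Rlimit(nil), profile.Rlimits...)` and a copied `Seccomp` value avoid that. The second hunk drops the default `RLIMIT_NOFILE` from `getTemplate`, so containers created without `--security` now inherit the caller's limit instead of 1024, which is worth a sentence in the flag help or commit message.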
@@ -0,0 +1,272 @@ +package main + +import ( + "syscall" + + "github.com/docker/libcontainer/configs" + "github.com/docker/libcontainer/system" +) + +var profiles = map[string]*securityProfile{ + "high": highProfile, + "medium": mediumProfile, + "low": lowProfile, +} + +type securityProfile struct { + Capabilities []string `json:"capabilities"` + ApparmorProfile string `json:"apparmor_profile"` + MountLabel string `json:"mount_label"` + ProcessLabel string `json:"process_label"` + Rlimits []configs.Rlimit `json:"rlimits"` + Seccomp *configs.Seccomp `json:"seccomp"` +} + +// this should be a runtime config that is not able to do things like apt-get or yum install. +var highProfile = &securityProfile{ + Capabilities: []string{ + "NET_BIND_SERVICE", + "KILL", + "AUDIT_WRITE", + }, + Rlimits: []configs.Rlimit{ + { + Type: syscall.RLIMIT_NOFILE, + Hard: 1024, + Soft: 1024, + }, + }, + // http://man7.org/linux/man-pages/man2/syscalls.2.html + Seccomp: &configs.Seccomp{ + Syscalls: []*configs.Syscall{ + { + Value: syscall.SYS_CAPSET, // http://man7.org/linux/man-pages/man2/capset.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_UNSHARE, // http://man7.org/linux/man-pages/man2/unshare.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: int(system.SysSetns()), + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_MOUNT, // http://man7.org/linux/man-pages/man2/mount.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_UMOUNT2, // http://man7.org/linux/man-pages/man2/umount.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CREATE_MODULE, // http://man7.org/linux/man-pages/man2/create_module.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_DELETE_MODULE, // http://man7.org/linux/man-pages/man2/delete_module.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CHMOD, // 
http://man7.org/linux/man-pages/man2/chmod.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CHOWN, // http://man7.org/linux/man-pages/man2/chown.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_LINK, // http://man7.org/linux/man-pages/man2/link.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_LINKAT, // http://man7.org/linux/man-pages/man2/linkat.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_UNLINK, // http://man7.org/linux/man-pages/man2/unlink.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_UNLINKAT, // http://man7.org/linux/man-pages/man2/unlinkat.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CHROOT, // http://man7.org/linux/man-pages/man2/chroot.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_KEXEC_LOAD, // http://man7.org/linux/man-pages/man2/kexec_load.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_SETDOMAINNAME, // http://man7.org/linux/man-pages/man2/setdomainname.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_SETHOSTNAME, // http://man7.org/linux/man-pages/man2/sethostname.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CLONE, // http://man7.org/linux/man-pages/man2/clone.2.html + Action: configs.Action(syscall.EPERM), + Args: []*configs.Arg{ + { + Index: 0, // the glibc wrapper has the flags at arg2 but the raw syscall has flags at arg0 + Value: syscall.CLONE_NEWUSER, + Op: configs.MaskEqualTo, + }, + }, + }, + }, + }, +} + +// This is a medium level profile that should be able to do things like installing from +// apt-get or yum. 
+var mediumProfile = &securityProfile{ + Capabilities: []string{ + "CHOWN", + "DAC_OVERRIDE", + "FSETID", + "FOWNER", + "SETGID", + "SETUID", + "SETFCAP", + "SETPCAP", + "NET_BIND_SERVICE", + "KILL", + "AUDIT_WRITE", + }, + Rlimits: []configs.Rlimit{ + { + Type: syscall.RLIMIT_NOFILE, + Hard: 1024, + Soft: 1024, + }, + }, + // http://man7.org/linux/man-pages/man2/syscalls.2.html + Seccomp: &configs.Seccomp{ + Syscalls: []*configs.Syscall{ + { + Value: syscall.SYS_UNSHARE, // http://man7.org/linux/man-pages/man2/unshare.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: int(system.SysSetns()), + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_MOUNT, // http://man7.org/linux/man-pages/man2/mount.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_UMOUNT2, // http://man7.org/linux/man-pages/man2/umount.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CHROOT, // http://man7.org/linux/man-pages/man2/chroot.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CREATE_MODULE, // http://man7.org/linux/man-pages/man2/create_module.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_DELETE_MODULE, // http://man7.org/linux/man-pages/man2/delete_module.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_KEXEC_LOAD, // http://man7.org/linux/man-pages/man2/kexec_load.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_SETDOMAINNAME, // http://man7.org/linux/man-pages/man2/setdomainname.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_SETHOSTNAME, // http://man7.org/linux/man-pages/man2/sethostname.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CLONE, // http://man7.org/linux/man-pages/man2/clone.2.html + Action: configs.Action(syscall.EPERM), + Args: []*configs.Arg{ + { + Index: 0, // the glibc wrapper has the flags at arg2 but 
the raw syscall has flags at arg0 + Value: syscall.CLONE_NEWUSER, + Op: configs.MaskEqualTo, + }, + }, + }, + }, + }, +} + +var lowProfile = &securityProfile{ + Capabilities: []string{ + "CHOWN", + "DAC_OVERRIDE", + "FSETID", + "FOWNER", + "SETGID", + "SETUID", + "SYS_CHROOT", + "SETFCAP", + "SETPCAP", + "NET_BIND_SERVICE", + "KILL", + "AUDIT_WRITE", + }, + Rlimits: []configs.Rlimit{ + { + Type: syscall.RLIMIT_NOFILE, + Hard: 1024, + Soft: 1024, + }, + }, + // http://man7.org/linux/man-pages/man2/syscalls.2.html + Seccomp: &configs.Seccomp{ + Syscalls: []*configs.Syscall{ + { + Value: syscall.SYS_UNSHARE, // http://man7.org/linux/man-pages/man2/unshare.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: int(system.SysSetns()), + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_MOUNT, // http://man7.org/linux/man-pages/man2/mount.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_UMOUNT2, // http://man7.org/linux/man-pages/man2/umount.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CREATE_MODULE, // http://man7.org/linux/man-pages/man2/create_module.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_DELETE_MODULE, // http://man7.org/linux/man-pages/man2/delete_module.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_KEXEC_LOAD, // http://man7.org/linux/man-pages/man2/kexec_load.2.html + Action: configs.Action(syscall.EPERM), + }, + { + Value: syscall.SYS_CLONE, // http://man7.org/linux/man-pages/man2/clone.2.html + Action: configs.Action(syscall.EPERM), + Args: []*configs.Arg{ + { + Index: 0, // the glibc wrapper has the flags at arg2 but the raw syscall has flags at arg0 + Value: syscall.CLONE_NEWUSER, + Op: configs.MaskEqualTo, + }, + }, + }, + }, + }, +} diff --git a/seccomp/bpf.go b/seccomp/bpf.go new file mode 100644 index 000000000..a4b3bdf7a --- /dev/null +++ b/seccomp/bpf.go 
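Review bot: All three profiles deny `create_module` and `delete_module` but not `init_module` or `finit_module`, which are the calls that actually load a module (`create_module` is long obsolete), so the module-loading restriction the man-page links imply is not enforced; add `syscall.SYS_INIT_MODULE`, and `SYS_FINIT_MODULE` where the syscall package defines it, with the same EPERM action. The same gap exists for the file rules in `highProfile`: `chmod`, `chown`, `link` and `unlink` are blocked while `fchmod`, `fchmodat`, `fchown`, `lchown` and `fchownat` are not, so the restriction does not cover the `*at` variants that modern libcs prefer. I believe several constants used here (`SYS_CHOWN`, `SYS_CHMOD`, `SYS_LINK`, `SYS_UNLINK`, `SYS_CREATE_MODULE`) are absent from the syscall package on arm64, and unlike seccomp/jump_amd64.go this file carries no build constraint, so the package likely fails to compile there. A doc comment on `profiles` such as `// profiles are deny-lists applied on top of a default-allow filter; any syscall not listed is permitted.` would set expectations for users of `--security`.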
@@ -0,0 +1,32 @@
+package seccomp
+
+import "strings"
+
+type bpfLabel struct {
+ label string
+ location uint32
+}
+
+type bpfLabels []bpfLabel
+
+// labelIndex returns the index for the label if it exists in the slice.
+// if it does not exist in the slice it appends the label lb to the end
+// of the slice and returns the index.
+func labelIndex(labels *bpfLabels, lb string) uint32 {
+ var id uint32
+ for id = 0; id < uint32(len(*labels)); id++ {
+ if strings.EqualFold(lb, (*labels)[id].label) {
+ return id
+ }
+ }
+ *labels = append(*labels, bpfLabel{lb, 0xffffffff})
+ return id
+}
+
+func scmpBpfStmt(code uint16, k uint32) sockFilter {
+ return sockFilter{code, 0, 0, k}
+}
+
+func scmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter {
+ return sockFilter{code, jt, jf, k}
+}
diff --git a/seccomp/context.go b/seccomp/context.go
new file mode 100644
index 000000000..c8d4e7314
--- /dev/null
+++ b/seccomp/context.go
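Review bot: `labelIndex` compares labels with `strings.EqualFold`, but every label is generated from `labelTemplate` (`lb-%d-%d`, lowercase and digits only), so the case-insensitive match buys nothing and obscures intent; `if (*labels)[id].label == lb {` is clearer and lets the `strings` import go. The `0xffffffff` sentinel for an unresolved location is repeated in the label-resolution loop of seccomp/context.go; a named constant here, `const unresolvedLabel = 0xffffffff`, used in both places would document it. `scmpBpfStmt` and `scmpBpfJump` deserve one-line comments stating that the former builds a BPF statement with no jump targets and the latter a conditional jump with true/false offsets.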
@@ -0,0 +1,144 @@ +package seccomp + +import ( + "errors" + "syscall" +) + +const labelTemplate = "lb-%d-%d" + +// Action is the type of action that will be taken when a +// syscall is performed. +type Action int + +const ( + Kill Action = iota - 3 // Kill the calling process of the syscall. + Trap // Trap and coredump the calling process of the syscall. + Allow // Allow the syscall to be completed. +) + +// Syscall is the specified syscall, action, and any type of arguments +// to filter on. +type Syscall struct { + // Value is the syscall number. + Value uint32 + // Action is the action to perform when the specified syscall is made. + Action Action + // Args are filters that can be specified on the arguments to the syscall. + Args Args +} + +func (s *Syscall) scmpAction() uint32 { + switch s.Action { + case Allow: + return retAllow + case Trap: + return retTrap + case Kill: + return retKill + } + return actionErrno(uint32(s.Action)) +} + +// Arg represents an argument to the syscall with the argument's index, +// the operator to apply when matching, and the argument's value at that time. +type Arg struct { + Index uint32 // index of args which start from zero + Op Operator // operation, such as EQ/NE/GE/LE + Value uint // the value of arg +} + +type Args [][]Arg + +var ( + ErrUnresolvedLabel = errors.New("seccomp: unresolved label") + ErrDuplicateLabel = errors.New("seccomp: duplicate label use") + ErrUnsupportedOperation = errors.New("seccomp: unsupported operation for argument") +) + +// Error returns an Action that will be used to send the calling +// process the specified errno when the syscall is made. +func Error(code syscall.Errno) Action { + return Action(code) +} + +// New returns a new syscall context for use. +func New() *Context { + return &Context{ + syscalls: make(map[uint32]*Syscall), + } +} + +// Context holds syscalls for the current process to limit the type of +// actions the calling process can make. 
+type Context struct { + syscalls map[uint32]*Syscall +} + +// Add will add the specified syscall, action, and arguments to the seccomp +// Context. +func (c *Context) Add(s *Syscall) { + c.syscalls[s.Value] = s +} + +// Remove removes the specified syscall configuration from the Context. +func (c *Context) Remove(call uint32) { + delete(c.syscalls, call) +} + +// Load will apply the Context to the calling process makeing any secccomp process changes +// apply after the context is loaded. +func (c *Context) Load() error { + filter, err := c.newFilter() + if err != nil { + return err + } + if err := prctl(prSetNoNewPrivileges, 1, 0, 0, 0); err != nil { + return err + } + prog := newSockFprog(filter) + return prog.set() +} + +func (c *Context) newFilter() ([]sockFilter, error) { + var ( + labels bpfLabels + f = newFilter() + ) + for _, s := range c.syscalls { + f.addSyscall(s, &labels) + } + f.allow() + // process args for the syscalls + for _, s := range c.syscalls { + if err := f.addArguments(s, &labels); err != nil { + return nil, err + } + } + // apply labels for arguments + idx := int32(len(*f) - 1) + for ; idx >= 0; idx-- { + lf := &(*f)[idx] + if lf.code != (syscall.BPF_JMP + syscall.BPF_JA) { + continue + } + rel := int32(lf.jt)<<8 | int32(lf.jf) + if ((jumpJT << 8) | jumpJF) == rel { + if labels[lf.k].location == 0xffffffff { + return nil, ErrUnresolvedLabel + } + lf.k = labels[lf.k].location - uint32(idx+1) + lf.jt = 0 + lf.jf = 0 + } else if ((labelJT << 8) | labelJF) == rel { + if labels[lf.k].location != 0xffffffff { + return nil, ErrDuplicateLabel + } + labels[lf.k].location = uint32(idx) + lf.k = 0 + lf.jt = 0 + lf.jf = 0 + } + } + return *f, nil +} diff --git a/seccomp/filter.go b/seccomp/filter.go new file mode 100644 index 000000000..370cdf087 --- /dev/null +++ b/seccomp/filter.go 
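Review bot: `Load` installs the filter with `prctl(prSetNoNewPrivileges)` followed by `prog.set()`; if `set()` (in seccomp/seccomp.go, outside this hunk) uses `prctl(PR_SET_SECCOMP)`, the filter applies to the calling OS thread only, and in a Go process the other runtime threads stay unfiltered until an exec, which is fine for libcontainer's init path but should be stated on the method. A doc comment such as `// Load installs the filter on the calling thread (and on anything it later execs); callers that do not exec immediately must cover their other threads themselves.` would say so and also fix the `makeing`/`secccomp` typos. `newFilter` ranges over the `syscalls` map, so the emitted program order differs between runs; sorting the syscall numbers before emitting would make the loaded filter reproducible, which matters when auditing or comparing filter dumps.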
@@ -0,0 +1,116 @@ +package seccomp + +import ( + "fmt" + "syscall" + "unsafe" +) + +type sockFilter struct { + code uint16 + jt uint8 + jf uint8 + k uint32 +} + +func newFilter() *filter { + var f filter + f = append(f, sockFilter{ + pfLD + syscall.BPF_W + syscall.BPF_ABS, + 0, + 0, + uint32(unsafe.Offsetof(secData.nr)), + }) + return &f +} + +type filter []sockFilter + +func (f *filter) addSyscall(s *Syscall, labels *bpfLabels) { + if len(s.Args) == 0 { + f.call(s.Value, scmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, s.scmpAction())) + } else { + if len(s.Args[0]) > 0 { + lb := fmt.Sprintf(labelTemplate, s.Value, s.Args[0][0].Index) + f.call(s.Value, + scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JA, labelIndex(labels, lb), + jumpJT, jumpJF)) + } + } +} + +func (f *filter) addArguments(s *Syscall, labels *bpfLabels) error { + for i := 0; len(s.Args) > i; i++ { + if len(s.Args[i]) > 0 { + lb := fmt.Sprintf(labelTemplate, s.Value, s.Args[i][0].Index) + f.label(labels, lb) + f.arg(s.Args[i][0].Index) + } + for j := 0; j < len(s.Args[i]); j++ { + var jf sockFilter + if len(s.Args)-1 > i && len(s.Args[i+1]) > 0 { + lbj := fmt.Sprintf(labelTemplate, s.Value, s.Args[i+1][0].Index) + jf = scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JA, + labelIndex(labels, lbj), jumpJT, jumpJF) + } else { + jf = scmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, s.scmpAction()) + } + if err := f.op(s.Args[i][j].Op, s.Args[i][j].Value, jf); err != nil { + return err + } + } + f.allow() + } + return nil +} + +func (f *filter) label(labels *bpfLabels, lb string) { + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JA, labelIndex(labels, lb), labelJT, labelJF)) +} + +func (f *filter) call(nr uint32, jt sockFilter) { + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, nr, 0, 1)) + *f = append(*f, jt) +} + +func (f *filter) allow() { + *f = append(*f, scmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, retAllow)) +} + +func (f *filter) deny() { + *f = append(*f, 
scmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, retTrap)) +} + +func (f *filter) arg(index uint32) { + arg(f, index) +} + +func (f *filter) op(operation Operator, v uint, jf sockFilter) error { + switch operation { + case EqualTo: + jumpEqualTo(f, v, jf) + case NotEqualTo: + jumpNotEqualTo(f, v, jf) + case GreatherThan: + jumpGreaterThan(f, v, jf) + case LessThan: + jumpLessThan(f, v, jf) + case MaskEqualTo: + jumpMaskEqualTo(f, v, jf) + default: + return ErrUnsupportedOperation + } + return nil +} + +func arg(f *filter, idx uint32) { + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, endian.low(idx))) + *f = append(*f, scmpBpfStmt(syscall.BPF_ST, 0)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, endian.hi(idx))) + *f = append(*f, scmpBpfStmt(syscall.BPF_ST, 1)) +} + +func jump(f *filter, labels *bpfLabels, lb string) { + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JA, labelIndex(labels, lb), + jumpJT, jumpJF)) +} diff --git a/seccomp/jump_amd64.go b/seccomp/jump_amd64.go new file mode 100644 index 000000000..f0d07716a --- /dev/null +++ b/seccomp/jump_amd64.go 
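Review bot: `newFilter` loads only `seccomp_data.nr` and never checks `seccomp_data.arch`, so on a kernel with a compat ABI (i386 calls on an x86-64 kernel, for example) a syscall entered through the other ABI is matched against these numbers with a different meaning, which is precisely the case the seccomp_filter.txt document cited in the package comment warns about; loading `arch` first and returning `retKill` unless it equals the AUDIT_ARCH value of the build target closes that gap, as sketched below (this assumes the new `seccompData` keeps an `arch` field like the removed one did). Separately, `addArguments` calls `f.arg(s.Args[i][0].Index)` once per group and then compares every `Arg` in the group against that one register, so a group mixing different `Index` values silently tests the wrong argument; either return an error for such groups or document that a group must share one index. `deny` emits `retTrap`, which is not what the name suggests next to `retKill`; a comment or a rename would avoid surprise.
```go
func newFilter() *filter {
	var f filter
	// Check seccomp_data.arch before interpreting syscall numbers, so a call
	// entered through a compat ABI is killed rather than matched against the
	// native number table. auditArchNative is a placeholder for the
	// AUDIT_ARCH_* constant of the build target.
	f = append(f, scmpBpfStmt(pfLD+syscall.BPF_W+syscall.BPF_ABS, uint32(unsafe.Offsetof(secData.arch))))
	f = append(f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, auditArchNative, 1, 0))
	f = append(f, scmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, retKill))
	f = append(f, scmpBpfStmt(pfLD+syscall.BPF_W+syscall.BPF_ABS, uint32(unsafe.Offsetof(secData.nr))))
	return &f
}
```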
@@ -0,0 +1,68 @@ +// +build linux,amd64 + +package seccomp + +// Using BPF filters +// +// ref: http://www.gsp.com/cgi-bin/man.cgi?topic=bpf +import "syscall" + +func jumpGreaterThan(f *filter, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JGT+syscall.BPF_K, (hi), 4, 0)) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, (hi), 0, 5)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 0)) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JGE+syscall.BPF_K, (lo), 0, 2)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) + *f = append(*f, jt) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) +} + +func jumpEqualTo(f *filter, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, (hi), 0, 5)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 0)) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, (lo), 0, 2)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) + *f = append(*f, jt) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) +} + +func jumpLessThan(f *filter, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JGT+syscall.BPF_K, (hi), 6, 0)) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, (hi), 0, 3)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 0)) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JGT+syscall.BPF_K, (lo), 2, 0)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) + *f = append(*f, jt) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) +} + +func jumpNotEqualTo(f *filter, v 
uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, hi, 5, 0)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 0)) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, lo, 2, 0)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) + *f = append(*f, jt) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) +} + +// this checks for a value inside a mask. The evalusation is equal to doing +// CLONE_NEWUSER & syscallMask == CLONE_NEWUSER +func jumpMaskEqualTo(f *filter, v uint, jt sockFilter) { + lo := uint32(uint64(v) % 0x100000000) + hi := uint32(uint64(v) / 0x100000000) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, hi, 0, 6)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 0)) + *f = append(*f, scmpBpfStmt(syscall.BPF_ALU+syscall.BPF_AND, uint32(v))) + *f = append(*f, scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, lo, 0, 2)) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) + *f = append(*f, jt) + *f = append(*f, scmpBpfStmt(syscall.BPF_LD+syscall.BPF_MEM, 1)) +} diff --git a/seccomp/seccomp.go b/seccomp/seccomp.go index 91a6fb79d..78d7d8533 100644 --- a/seccomp/seccomp.go +++ b/seccomp/seccomp.go 
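Review bot: `jumpGreaterThan` and `jumpLessThan` are inclusive: the low-word test in `jumpGreaterThan` is `BPF_JGE`, and in `jumpLessThan` the action is skipped only when `lo > k`, so both match when the argument equals `v`; for a filter boundary that is an off-by-one, and it contradicts the `GreatherThan`/`LessThan` names in seccomp.go. Either change the low-word comparisons (`syscall.BPF_JGT` in `jumpGreaterThan`, `syscall.BPF_JGE` in `jumpLessThan`) or document the operators as `>=` and `<=`. In `jumpMaskEqualTo` the high word is compared with `BPF_JEQ hi` before any AND while only the low word is masked, so unrelated upper bits in a 64-bit argument make the rule fall through; inserting `scmpBpfStmt(syscall.BPF_ALU+syscall.BPF_AND, hi)` before the first jump and changing that jump to `scmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, hi, 0, 5)` (so the miss path still reloads M[1]) makes it a true masked compare on both halves. This file is limited to linux/amd64 by its build tag; if no sibling `jump_*.go` exists for the other GOARCH values the package will not build there, and the `evalusation` typo in the comment could be fixed at the same time.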
@@ -1,518 +1,122 @@ +// Package seccomp provides native seccomp ( https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt ) support for go. package seccomp import ( - "errors" - "fmt" - "os" - "os/signal" - "runtime" - "strings" "syscall" "unsafe" ) -const ( - EQ = 0 - NE = 1 - GE = 2 - LE = 3 -) - -const ( - ALLOW = 0 - DENY = 1 - JUMP = 2 -) +// Operator that is used for argument comparison. +type Operator int const ( - JUMP_JT = 0xff - JUMP_JF = 0xff - LABEL_JT = 0xfe - LABEL_JF = 0xfe + EqualTo Operator = iota + NotEqualTo + GreatherThan + LessThan + MaskEqualTo ) const ( - pseudoCall = 30 + jumpJT = 0xff + jumpJF = 0xff + labelJT = 0xfe + labelJF = 0xfe ) const ( - ScmpActAllow = 0x0 - - PF_LD = 0x0 - BPF_RET = syscall.BPF_RET - BPF_K = syscall.BPF_K - BPF_ABS = syscall.BPF_ABS - BPF_JMP = syscall.BPF_JMP - BPF_JEQ = syscall.BPF_JEQ - BPF_W = syscall.BPF_W - BPF_LD = syscall.BPF_LD - BPF_JA = syscall.BPF_JA - BPF_MEM = syscall.BPF_MEM - BPF_ST = syscall.BPF_ST - BPF_JGT = syscall.BPF_JGT - BPF_JGE = syscall.BPF_JGE - BPF_JSET = syscall.BPF_JSET - - SECCOMP_RET_KILL = 0x00000000 - SECCOMP_RET_TRAP = 0x00030000 - SECCOMP_RET_ALLOW = 0x7fff0000 - SECCOMP_MODE_FILTER = 0x2 - PR_SET_NO_NEW_PRIVS = 0x26 + pfLD = 0x0 + retKill = 0x00000000 + retTrap = 0x00030000 + retAllow = 0x7fff0000 + modeFilter = 0x2 + prSetNoNewPrivileges = 0x26 ) -type seccompData struct { - nr int32 - arch uint32 - insPointer uint64 - args [6]uint64 +func actionErrno(errno uint32) uint32 { + return 0x00050000 | (errno & 0x0000ffff) } -type sockFilter struct { - code uint16 - jt uint8 - jf uint8 - k uint32 -} - -type sockFprog struct { - len uint16 - filt []sockFilter -} - -type FilterArgs struct { - Args []Filter -} - -type Action struct { - action int - args []FilterArgs -} - -type Filter struct { - Arg uint32 //index of args which start from zero - Op int //operation, such ass EQ/NE/GE/LE - V uint //the value of arg -} - -type bpfLabel struct { - label string - location uint32 -} - 
-type bpfLabels struct { - count uint32 - labels []bpfLabel -} - -type ScmpCtx struct { - CallMap map[int]*Action - filter []sockFilter - label bpfLabels -} - -type argOFunc func(uint32) uint32 -type argFunc func(*ScmpCtx, uint32) -type jFunc func(*ScmpCtx, uint, sockFilter) -type addFunc func(ctx *ScmpCtx, call int, action int, args ...FilterArgs) error - -var secData seccompData = seccompData{0, 0, 0, [6]uint64{0, 0, 0, 0, 0, 0}} -var hiArg argOFunc -var loArg argOFunc -var arg argFunc -var jEq jFunc -var jNe jFunc -var jGe jFunc -var jLe jFunc -var secAdd addFunc = nil - -var op [4]jFunc - var ( - sysCallMin = 0 - sysCallMax = 0 + secData = struct { + nr int32 + arch uint32 + insPointer uint64 + args [6]uint64 + }{0, 0, 0, [6]uint64{0, 0, 0, 0, 0, 0}} ) -var sigSec bool = false -func arg32(ctx *ScmpCtx, idx uint32) { - ctx.filter = append(ctx.filter, - scmpBpfStmt(BPF_LD+BPF_W+BPF_ABS, loArg(idx))) -} - -func jEq32(ctx *ScmpCtx, v uint, jt sockFilter) { - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, uint32(v), 0, 1)) - ctx.filter = append(ctx.filter, jt) -} - -func jNe32(ctx *ScmpCtx, v uint, jt sockFilter) { - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, uint32(v), 1, 0)) - ctx.filter = append(ctx.filter, jt) -} - -func jGe32(ctx *ScmpCtx, v uint, jt sockFilter) { - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGE+BPF_K, uint32(v), 0, 1)) - ctx.filter = append(ctx.filter, jt) -} - -func jLe32(ctx *ScmpCtx, v uint, jt sockFilter) { - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, uint32(v), 1, 0)) - ctx.filter = append(ctx.filter, jt) -} - -func arg64(ctx *ScmpCtx, idx uint32) { - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_W+BPF_ABS, loArg(idx))) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_ST, 0)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_W+BPF_ABS, hiArg(idx))) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_ST, 1)) -} - -func jNe64(ctx *ScmpCtx, v 
uint, jt sockFilter) { - lo := uint32(uint64(v) % 0x100000000) - hi := uint32(uint64(v) / 0x100000000) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 5, 0)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 0)) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (lo), 2, 0)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) - ctx.filter = append(ctx.filter, jt) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) -} - -func jGe64(ctx *ScmpCtx, v uint, jt sockFilter) { - lo := uint32(uint64(v) % 0x100000000) - hi := uint32(uint64(v) / 0x100000000) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, (hi), 4, 0)) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 0)) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGE+BPF_K, (lo), 0, 2)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) - ctx.filter = append(ctx.filter, jt) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) -} - -func jEq64(ctx *ScmpCtx, v uint, jt sockFilter) { - lo := uint32(uint64(v) % 0x100000000) - hi := uint32(uint64(v) / 0x100000000) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 5)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 0)) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (lo), 0, 2)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) - ctx.filter = append(ctx.filter, jt) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) -} - -func jLe64(ctx *ScmpCtx, v uint, jt sockFilter) { - lo := uint32(uint64(v) % 0x100000000) - hi := uint32(uint64(v) / 0x100000000) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, (hi), 6, 0)) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, (hi), 0, 3)) - ctx.filter = append(ctx.filter, 
scmpBpfStmt(BPF_LD+BPF_MEM, 0)) - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JGT+BPF_K, (lo), 2, 0)) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) - ctx.filter = append(ctx.filter, jt) - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_LD+BPF_MEM, 1)) -} - -func allow(ctx *ScmpCtx) { - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)) -} - -func deny(ctx *ScmpCtx) { - ctx.filter = append(ctx.filter, scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_TRAP)) -} - -func jump(ctx *ScmpCtx, lb string) { - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JA, findLabel(&ctx.label, lb), - JUMP_JT, JUMP_JF)) -} +var isLittle = func() bool { + var ( + x = 0x1234 + p = unsafe.Pointer(&x) + p2 = (*[unsafe.Sizeof(0)]byte)(p) + ) + if p2[0] == 0 { + return false + } + return true +}() -func label(ctx *ScmpCtx, lb string) { - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JA, findLabel(&ctx.label, lb), - LABEL_JT, LABEL_JF)) -} +var endian endianSupport -func secCall(ctx *ScmpCtx, nr int, jt sockFilter) { - ctx.filter = append(ctx.filter, scmpBpfJump(BPF_JMP+BPF_JEQ+BPF_K, uint32(nr), 0, 1)) - ctx.filter = append(ctx.filter, jt) +type endianSupport struct { } -func findLabel(labels *bpfLabels, lb string) uint32 { - var id uint32 - for id = 0; id < labels.count; id++ { - if true == strings.EqualFold(lb, labels.labels[id].label) { - return id - } +func (e endianSupport) hi(i uint32) uint32 { + if isLittle { + return e.little(i) } - tlabel := bpfLabel{lb, 0xffffffff} - labels.labels = append(labels.labels, tlabel) - labels.count += 1 - return id + return e.big(i) } -func hiArgLittle(idx uint32) uint32 { - if idx < 0 || idx >= 6 { - return 0 +func (e endianSupport) low(i uint32) uint32 { + if isLittle { + return e.big(i) } - - hi := uint32(unsafe.Offsetof(secData.args)) + uint32(unsafe.Alignof(secData.args[0]))*idx + uint32(unsafe.Sizeof(secData.arch)) - return uint32(hi) + return e.little(i) } -func hiArgBig(idx 
uint32) uint32 { +func (endianSupport) big(idx uint32) uint32 { if idx >= 6 { return 0 } - hi := uint32(unsafe.Offsetof(secData.args)) + 8*idx - return uint32(hi) -} - -func isLittle() bool { - litEndian := true - x := 0x1234 - p := unsafe.Pointer(&x) - p2 := (*[unsafe.Sizeof(0)]byte)(p) - if p2[0] == 0 { - litEndian = false - } - return litEndian + return uint32(unsafe.Offsetof(secData.args)) + 8*idx } -func scmpBpfStmt(code uint16, k uint32) sockFilter { - return sockFilter{code, 0, 0, k} -} - -func scmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter { - return sockFilter{code, jt, jf, k} -} - -func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) { - _, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0) - if e1 != 0 { - err = e1 +func (endianSupport) little(idx uint32) uint32 { + if idx < 0 || idx >= 6 { + return 0 } - return nil + return uint32(unsafe.Offsetof(secData.args)) + + uint32(unsafe.Alignof(secData.args[0]))*idx + uint32(unsafe.Sizeof(secData.arch)) } -func scmpfilter(prog *sockFprog) (err error) { - _, _, e1 := syscall.Syscall(syscall.SYS_PRCTL, uintptr(syscall.PR_SET_SECCOMP), - uintptr(SECCOMP_MODE_FILTER), uintptr(unsafe.Pointer(prog))) - if e1 != 0 { - err = e1 +func prctl(option int, arg2, arg3, arg4, arg5 uintptr) error { + _, _, err := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0) + if err != 0 { + return err } return nil } -func CombineArgs(args1 []FilterArgs, args2 []FilterArgs) []FilterArgs { - ilen1 := len(args1) - if ilen1 > len(args2) { - ilen1 = len(args2) +func newSockFprog(filter []sockFilter) *sockFprog { + return &sockFprog{ + len: uint16(len(filter)), + filt: filter, } - for i1 := 0; i1 < ilen1; i1++ { - jlen1 := len(args1[i1].Args) - jlen2 := len(args2[i1].Args) - for j2 := 0; j2 < jlen2; j2++ { - num := 0 - for j1 := 0; j1 < jlen1; j1++ { - if args1[i1].Args[j1] == args2[i1].Args[j2] { - break - } - num = num + 1 - } - if num == jlen1 { - 
args1[i1].Args = append(args1[i1].Args, args2[i1].Args[j2]) - } - } - } - if ilen1 < len(args2) { - args1 = append(args1, args2[ilen1:]...) - } - return args1 -} - -func Sys(call string) int { - number, exists := syscallMap[call] - if exists { - return number - } - return -1 -} - -func ScmpInit(action int) (*ScmpCtx, error) { - ctx := ScmpCtx{ - CallMap: make(map[int]*Action), - filter: make([]sockFilter, 0, 128), - label: bpfLabels{ - count: 0, - labels: make([]bpfLabel, 0, 128), - }, - } - - ctx.filter = append(ctx.filter, - sockFilter{PF_LD + BPF_W + BPF_ABS, 0, 0, uint32(unsafe.Offsetof(secData.nr))}) - return &ctx, nil } -func ScmpDel(ctx *ScmpCtx, call int) error { - _, exists := ctx.CallMap[call] - if exists { - delete(ctx.CallMap, call) - return nil - } - - return errors.New("syscall not exist") -} - -func ScmpAdd(ctx *ScmpCtx, call int, action int, args ...FilterArgs) error { - if call < 0 { - return errors.New("syscall error, call < 0") - } - - if call <= sysCallMax { - _, exists := ctx.CallMap[call] - if exists { - return errors.New("syscall exist") - } - ctx.CallMap[call] = &Action{action, args} - return nil - } else { - if nil != secAdd { - return secAdd(ctx, call, action, args...) 
- } - } - - return errors.New("syscall not surport") +type sockFprog struct { + len uint16 + filt []sockFilter } -func ScmpLoad(ctx *ScmpCtx) error { - for call, act := range ctx.CallMap { - if len(act.args) == 0 { - secCall(ctx, call, scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)) - } else { - if len(act.args[0].Args) > 0 { - lb := fmt.Sprintf("lb-%d-%d", call, act.args[0].Args[0].Arg) - secCall(ctx, call, - scmpBpfJump(BPF_JMP+BPF_JA, findLabel(&ctx.label, lb), - JUMP_JT, JUMP_JF)) - } - } - } - deny(ctx) - - for call, act := range ctx.CallMap { - for i := 0; i < len(act.args); i++ { - if len(act.args[i].Args) > 0 { - lb := fmt.Sprintf("lb-%d-%d", call, act.args[i].Args[0].Arg) - label(ctx, lb) - arg(ctx, act.args[i].Args[0].Arg) - } - - for j := 0; j < len(act.args[i].Args); j++ { - var jf sockFilter - if len(act.args)-1 > i && len(act.args[i+1].Args) > 0 { - lbj := fmt.Sprintf("lb-%d-%d", call, act.args[i+1].Args[0].Arg) - jf = scmpBpfJump(BPF_JMP+BPF_JA, - findLabel(&ctx.label, lbj), JUMP_JT, JUMP_JF) - } else { - jf = scmpBpfStmt(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) - } - op[act.args[i].Args[j].Op](ctx, act.args[i].Args[j].V, jf) - } - - deny(ctx) - } - } - - idx := int32(len(ctx.filter) - 1) - for ; idx >= 0; idx-- { - filter := &ctx.filter[idx] - if filter.code != (BPF_JMP + BPF_JA) { - continue - } - - rel := int32(filter.jt)<<8 | int32(filter.jf) - if ((JUMP_JT << 8) | JUMP_JF) == rel { - if ctx.label.labels[filter.k].location == 0xffffffff { - return errors.New("Unresolved label") - } - filter.k = ctx.label.labels[filter.k].location - uint32(idx+1) - filter.jt = 0 - filter.jf = 0 - } else if ((LABEL_JT << 8) | LABEL_JF) == rel { - if ctx.label.labels[filter.k].location != 0xffffffff { - return errors.New("Duplicate label use") - } - ctx.label.labels[filter.k].location = uint32(idx) - filter.k = 0 - filter.jt = 0 - filter.jf = 0 - } - } - prog := sockFprog{ - len: uint16(len(ctx.filter)), - filt: ctx.filter, - } - - if nil != prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 
0, 0) { - fmt.Println("prctl PR_SET_NO_NEW_PRIVS error") - return errors.New("prctl PR_SET_NO_NEW_PRIVS error") - } - - if nil != scmpfilter(&prog) { - fmt.Println("scmpfilter error") - return errors.New("scmpfilter error") +func (s *sockFprog) set() error { + _, _, err := syscall.Syscall(syscall.SYS_PRCTL, uintptr(syscall.PR_SET_SECCOMP), + uintptr(modeFilter), uintptr(unsafe.Pointer(s))) + if err != 0 { + return err } return nil } - -func sigSeccomp() { - sigSec = true -} - -func ScmpError() bool { - ret := sigSec - sigSec = false - return ret -} - -func init() { - if runtime.GOARCH == "386" { - sysCallMax = 340 - } else if runtime.GOARCH == "amd64" { - sysCallMax = 302 - } else if runtime.GOARCH == "arm" { - sysCallMax = 377 - } else if runtime.GOARCH == "arm64" { - sysCallMax = 281 - } else if runtime.GOARCH == "ppc64" { - sysCallMax = 354 - } else if runtime.GOARCH == "ppc64le" { - sysCallMax = 354 - } - if isLittle() { - hiArg = hiArgLittle - loArg = hiArgBig - } else { - hiArg = hiArgBig - loArg = hiArgLittle - } - - var length int - if 8 == int(unsafe.Sizeof(length)) { - arg = arg64 - jEq = jEq64 - jNe = jNe64 - jGe = jGe64 - jLe = jLe64 - } else { - arg = arg32 - jEq = jEq32 - jNe = jNe32 - jGe = jGe32 - jLe = jLe32 - } - op[EQ] = jEq - op[NE] = jNe - op[GE] = jGe - op[LE] = jLe - chSignal := make(chan os.Signal) - signal.Notify(chSignal, syscall.SIGSYS) - go sigSeccomp() -} diff --git a/seccomp/seccomp.test b/seccomp/seccomp.test deleted file mode 100644 index 25a5554ff..000000000 --- a/seccomp/seccomp.test +++ /dev/null 
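Review bot: `sockFprog.filt` is declared as a Go slice, yet `set()` hands the struct to PR_SET_SECCOMP by address, where the kernel's sock_fprog is a `len` followed by a single pointer to the first instruction; this works only because a slice header happens to begin with its data pointer, so the field should be `filt *sockFilter` with `newSockFprog` storing `&filter[0]` (and rejecting an empty filter) instead of relying on runtime layout. In `little`, `idx < 0` on a uint32 is always false and go vet will flag it; `if idx >= 6 {` is enough and matches `big`. The exported constant `GreatherThan` is misspelled and becomes part of the package API once merged. Nothing in this hunk sets no_new_privs before `set()` even though `prSetNoNewPrivileges` is defined; if the caller is expected to do it, say so on the method, e.g. `// set installs the filter; the caller must have set PR_SET_NO_NEW_PRIVS (or hold CAP_SYS_ADMIN) first, or the kernel rejects the prctl.`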
@@ -1,107 +0,0 @@ - -package main - -import ( - "fmt" - "flag" - "os" - "syscall" - - sec "seccomp" -) - -const ( - STDIN_FILENO = 0 - STDOUT_FILENO = 1 - BUFLEN = 8 -) - -func writeOk(args []string) { - scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow) - - sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow) - sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow) - - //the first arg is STDOUT_FILENO, the third arg must be <= BUFLEN - sec.ScmpAdd(scmpCtx, sec.Sys("write"), sec.ScmpActAllow, - sec.FilterArgs{[]sec.Filter{{0, sec.EQ, STDOUT_FILENO}}}, - sec.FilterArgs{[]sec.Filter{{2, sec.LE, BUFLEN}}}, - ) - - sec.ScmpLoad(scmpCtx) - fmt.Printf("8888888\n") //ok -} - -func writeErr(args []string) { - scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow) - - sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow) - sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow) - - sec.ScmpAdd(scmpCtx, sec.Sys("write"), sec.ScmpActAllow, - sec.FilterArgs{[]sec.Filter{{0, sec.EQ, STDOUT_FILENO}}}, - sec.FilterArgs{[]sec.Filter{{2, sec.LE, BUFLEN}}}, - ) - - sec.ScmpLoad(scmpCtx) - - // bad system call - fmt.Printf("99999999\n") -} - -func socketOk(args []string) { - scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow) - - //for 386, the next line is same as - //sec.ScmpAdd(scmpCtx, sec.Sys("socketcall"), sec.ScmpActAllow, - // sec.FilterArgs{[]sec.Filter{{0, sec.EQ, 1}}}, - //) - //SYS_SOCKET = 1 - sec.ScmpAdd(scmpCtx, sec.Sys("socket"), sec.ScmpActAllow) - - sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow) - sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow) - - sec.ScmpAdd(scmpCtx, sec.Sys("write"), sec.ScmpActAllow, - sec.FilterArgs{[]sec.Filter{{0, sec.EQ, STDOUT_FILENO}}}, - sec.FilterArgs{[]sec.Filter{{2, sec.LE, BUFLEN}}}, - ) - - sec.ScmpLoad(scmpCtx) - - syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_IP) - fmt.Printf("Sock ok\n") -} - -func socketErr(args []string) { - scmpCtx, _ := sec.ScmpInit(sec.ScmpActAllow) - - 
sec.ScmpAdd(scmpCtx, sec.Sys("exit"), sec.ScmpActAllow) - sec.ScmpAdd(scmpCtx, sec.Sys("exit_group"), sec.ScmpActAllow) - - sec.ScmpLoad(scmpCtx) - - // bad system call - syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_IP) -} - - - -func main() { - flag.Parse() - - if 1 == flag.NArg() { - idx := 0 - args := os.Args[(idx + 1):] - if flag.Arg(idx) == "writeOk" { - writeOk(args) - } else if flag.Arg(idx) == "writeErr" { - writeErr(args) - } else if flag.Arg(idx) == "socketOk" { - socketOk(args) - } else if flag.Arg(idx) == "socketErr" { - socketErr(args) - } - } -} - diff --git a/seccomp/seccomp386.go b/seccomp/seccomp386.go deleted file mode 100644 index db696e6f1..000000000 --- a/seccomp/seccomp386.go +++ /dev/null 
@@ -1,117 +0,0 @@ -// +build linux -// +build 386 - -package seccomp - -import ( - "errors" -) - -var ( - syscallInterval = 100 - ipcNr = syscallInterval + 0 - socketcallNr = syscallInterval + ipcNr - callipc = 0 - callsocket = 0 -) - -func scmpAdd386(ctx *ScmpCtx, call int, action int, args ...FilterArgs) error { - var syscallNo int - pseCall := call - sysCallMax - if (pseCall >= ipcNr) && (pseCall < ipcNr+syscallInterval) { - syscallNo, _ = syscallMap["ipc"] - pseCall = (pseCall - ipcNr) % ipcNr - - } else if (pseCall >= socketcallNr) && (pseCall < socketcallNr+syscallInterval) { - syscallNo, _ = syscallMap["socketcall"] - pseCall = (pseCall - socketcallNr) % socketcallNr - } else { - return errors.New("scmpAdd386, syscall error") - } - act, exists := ctx.CallMap[syscallNo] - if !exists { - newArg := make([]FilterArgs, len(args)+1) - newArg[0].Args = make([]Filter, 1) - newArg[0].Args[0].Op = EQ - newArg[0].Args[0].Arg = 0 - newArg[0].Args[0].V = uint(pseCall) - for i := 0; i < len(args); i++ { - alen := len(args[i].Args) - if alen > 0 { - newArg[i+1].Args = make([]Filter, alen) - for j := 0; j < alen; i++ { - newArg[i+1].Args[j].Op = args[i].Args[j].Op - newArg[i+1].Args[j].Arg = args[i].Args[j].Arg - newArg[i+1].Args[j].V = args[i].Args[j].V - } - } - } - ctx.CallMap[syscallNo] = &Action{action, newArg} - } else { - newArg := make([]FilterArgs, len(args)) - for i := 0; i < len(args); i++ { - alen := len(args[i].Args) - if alen > 0 { - newArg[i].Args = make([]Filter, alen) - for j := 0; j < alen; i++ { - newArg[i].Args[j].Op = args[i].Args[j].Op - newArg[i].Args[j].Arg = args[i].Args[j].Arg - newArg[i].Args[j].V = args[i].Args[j].V - } - } - } - act.args = CombineArgs(act.args, newArg) - } - - return nil -} - -func resetCallipc(call string, num int) { - syscallMap[call] = num + callipc -} - -func resetCallsocket(call string, num int) { - syscallMap[call] = num + callsocket -} - -func init() { - sysCallMax = 340 - callipc = ipcNr + sysCallMax - callsocket = 
socketcallNr + sysCallMax - secAdd = scmpAdd386 - - resetCallipc("semop", 1) - resetCallipc("semget", 2) - resetCallipc("semctl", 3) - resetCallipc("semtimedop", 4) - resetCallipc("msgsnd", 11) - resetCallipc("msgrcv", 12) - resetCallipc("msgget", 13) - resetCallipc("msgctl", 14) - resetCallipc("shmat", 21) - resetCallipc("shmdt", 22) - resetCallipc("shmget", 23) - resetCallipc("shmctl", 24) - - resetCallsocket("socket", 1) - resetCallsocket("bind", 2) - resetCallsocket("connect", 3) - resetCallsocket("listen", 4) - resetCallsocket("accept", 5) - resetCallsocket("getsockname", 6) - resetCallsocket("getpeername", 7) - resetCallsocket("socketpair", 8) - resetCallsocket("send", 9) - resetCallsocket("recv", 10) - resetCallsocket("sendto", 11) - resetCallsocket("recvfrom", 12) - resetCallsocket("shutdown", 13) - resetCallsocket("setsockopt", 14) - resetCallsocket("getsockopt", 15) - resetCallsocket("sendmsg", 16) - resetCallsocket("recvmsg", 17) - resetCallsocket("accept4", 18) - resetCallsocket("recvmmsg", 19) - resetCallsocket("sendmmsg", 20) - -} diff --git a/seccomp/seccomp_test.go b/seccomp/seccomp_test.go deleted file mode 100644 index f0db718f9..000000000 --- a/seccomp/seccomp_test.go +++ /dev/null 
@@ -1,58 +0,0 @@ -package seccomp - -import ( - "fmt" - "os/exec" - "testing" -) - -var osec = "/go/src/seccomp_main.go" - -func secMain(t *testing.T, args []string) { - if len(args) < 1 { - return - } - - cmd := args[0] - path := "go" - argv := []string{"run", osec} - argv = append(argv, args[0:]...) - - c := exec.Command(path, argv...) - _, err := c.Output() - fmt.Printf("do %s, err is [%v]\n", cmd, err) - if err != nil { - if "writeOk" == cmd || "socketOk" == cmd { - t.Fatal(err) - } - } else { - if "writeErr" == cmd || "socketErr" == cmd { - t.Fatal(err) - } - } -} - -func commandGC(file string) { - c := exec.Command("rm", "-rf", file) - d, _ := c.Output() - fmt.Println(string(d)) -} - -func cp(src, dst string) { - c := exec.Command("cp", "-ra", src, dst) - d, _ := c.Output() - fmt.Println(string(d)) -} - -func TestSeccomp(t *testing.T) { - //hard code - cp("../seccomp", "/go/src/") - cp("./seccomp.test", osec) - defer commandGC("/go/src/seccomp") - defer commandGC(osec) - - secMain(t, []string{"writeOk"}) - secMain(t, []string{"writeErr"}) - secMain(t, []string{"socketOk"}) - secMain(t, []string{"socketErr"}) -} diff --git a/seccomp/seccompsyscall.go b/seccomp/seccompsyscall.go deleted file mode 100644 index d7674d1a2..000000000 --- a/seccomp/seccompsyscall.go +++ /dev/null 
@@ -1,390 +0,0 @@ -//x86_64 -package seccomp - -var syscallMap = map[string] int { - "access" : 21, - "chdir" : 80, - "chmod" : 90, - "chown" : 92, - "chown32" : -1, - "close" : 3, - "creat" : 85, - "dup" : 32, - "dup2" : 33, - "dup3" : 292, - "epoll_create" : 213, - "epoll_create1" : 291, - "epoll_ctl" : 233, - "epoll_ctl_old" : 214, - "epoll_pwait" : 281, - "epoll_wait" : 232, - "epoll_wait_old" : 215, - "eventfd" : 284, - "eventfd2" : 290, - "faccessat" : 269, - "fadvise64" : 221, - "fadvise64_64" : -1, - "fallocate" : 285, - "fanotify_init" : 300, - "fanotify_mark" : 301, - "ioctl" : 16, - "fchdir" : 81, - "fchmod" : 91, - "fchmodat" : 268, - "fchown" : 93, - "fchown32" : -1, - "fchownat" : 260, - "fcntl" : 72, - "fcntl64" : -1, - "fdatasync" : 75, - "fgetxattr" : 193, - "flistxattr" : 196, - "flock" : 73, - "fremovexattr" : 199, - "fsetxattr" : 190, - "fstat" : 5, - "fstat64" : -1, - "fstatat64" : -1, - "fstatfs" : 138, - "fstatfs64" : -1, - "fsync" : 74, - "ftruncate" : 77, - "ftruncate64" : -1, - "getcwd" : 79, - "getdents" : 78, - "getdents64" : 217, - "getxattr" : 191, - "inotify_add_watch" : 254, - "inotify_init" : 253, - "inotify_init1" : 294, - "inotify_rm_watch" : 255, - "io_cancel" : 210, - "io_destroy" : 207, - "io_getevents" : 208, - "io_setup" : 206, - "io_submit" : 209, - "lchown" : 94, - "lchown32" : -1, - "lgetxattr" : 192, - "link" : 86, - "linkat" : 265, - "listxattr" : 194, - "llistxattr" : 195, - "llseek" : -1, - "_llseek" : -1, - "lremovexattr" : 198, - "lseek" : 8, - "lsetxattr" : 189, - "lstat" : 6, - "lstat64" : -1, - "mkdir" : 83, - "mkdirat" : 258, - "mknod" : 133, - "mknodat" : 259, - "newfstatat" : 262, - "_newselect" : -1, - "oldfstat" : -1, - "oldlstat" : -1, - "oldolduname" : -1, - "oldstat" : -1, - "olduname" : -1, - "oldwait4" : -1, - "open" : 2, - "openat" : 257, - "pipe" : 22, - "pipe2" : 293, - "poll" : 7, - "ppoll" : 271, - "pread64" : 17, - "preadv" : 295, - "futimesat" : 261, - "pselect6" : 270, - "pwrite64" : 18, - 
"pwritev" : 296, - "read" : 0, - "readahead" : 187, - "readdir" : -1, - "readlink" : 89, - "readlinkat" : 267, - "readv" : 19, - "removexattr" : 197, - "rename" : 82, - "renameat" : 264, - "rmdir" : 84, - "select" : 23, - "sendfile" : 40, - "sendfile64" : -1, - "setxattr" : 188, - "splice" : 275, - "stat" : 4, - "stat64" : -1, - "statfs" : 137, - "statfs64" : -1, - "symlink" : 88, - "symlinkat" : 266, - "sync" : 162, - "sync_file_range" : 277, - "sync_file_range2" : -1, - "syncfs" : 306, - "tee" : 276, - "truncate" : 76, - "truncate64" : -1, - "umask" : 95, - "unlink" : 87, - "unlinkat" : 263, - "ustat" : 136, - "utime" : 132, - "utimensat" : 280, - "utimes" : 235, - "write" : 1, - "writev" : 20, - "accept" : 43, - "accept4" : 288, - "bind" : 49, - "connect" : 42, - "getpeername" : 52, - "getsockname" : 51, - "getsockopt" : 55, - "listen" : 50, - "recv" : -1, - "recvfrom" : 45, - "recvmmsg" : 299, - "recvmsg" : 47, - "send" : -1, - "sendmmsg" : 307, - "sendmsg" : 46, - "sendto" : 44, - "setsockopt" : 54, - "shutdown" : 48, - "socket" : 41, - "socketcall" : -1, - "socketpair" : 53, - "sethostname" : 170, - "pause" : 34, - "rt_sigaction" : 13, - "rt_sigpending" : 127, - "rt_sigprocmask" : 14, - "rt_sigqueueinfo" : 129, - "rt_sigreturn" : 15, - "rt_sigsuspend" : 130, - "rt_sigtimedwait" : 128, - "rt_tgsigqueueinfo" : 297, - "sigaction" : -1, - "sigaltstack" : 131, - "signal" : -1, - "signalfd" : 282, - "signalfd4" : 289, - "sigpending" : -1, - "sigprocmask" : -1, - "sigreturn" : -1, - "sigsuspend" : -1, - "alarm" : 37, - "brk" : 12, - "clock_adjtime" : 305, - "clock_getres" : 229, - "clock_gettime" : 228, - "clock_nanosleep" : 230, - "clock_settime" : 227, - "gettimeofday" : 96, - "nanosleep" : 35, - "nice" : -1, - "sysinfo" : 99, - "syslog" : 103, - "time" : 201, - "timer_create" : 222, - "timer_delete" : 226, - "timerfd_create" : 283, - "timerfd_gettime" : 287, - "timerfd_settime" : 286, - "timer_getoverrun" : 225, - "timer_gettime" : 224, - "timer_settime" : 223, - 
"times" : 100, - "uname" : 63, - "madvise" : 28, - "mbind" : 237, - "mincore" : 27, - "mlock" : 149, - "mlockall" : 151, - "mmap" : 9, - "mmap2" : -1, - "mprotect" : 10, - "mremap" : 25, - "msync" : 26, - "munlock" : 150, - "munlockall" : 152, - "munmap" : 11, - "remap_file_pages" : 216, - "set_mempolicy" : 238, - "vmsplice" : 278, - "capget" : 125, - "capset" : 126, - "clone" : 56, - "execve" : 59, - "exit" : 60, - "exit_group" : 231, - "fork" : 57, - "getcpu" : 309, - "getpgid" : 121, - "getpgrp" : 111, - "getpid" : 39, - "getppid" : 110, - "getpriority" : 140, - "getresgid" : 120, - "getresgid32" : -1, - "getresuid" : 118, - "getresuid32" : -1, - "getrlimit" : 97, - "getrusage" : 98, - "getsid" : 124, - "getuid" : 102, - "getuid32" : -1, - "getegid" : 108, - "getegid32" : -1, - "geteuid" : 107, - "geteuid32" : -1, - "getgid" : 104, - "getgid32" : -1, - "getgroups" : 115, - "getgroups32" : -1, - "getitimer" : 36, - "get_mempolicy" : 239, - "kill" : 62, - "prctl" : 157, - "prlimit64" : 302, - "sched_getaffinity" : 204, - "sched_getparam" : 143, - "sched_get_priority_max" : 146, - "sched_get_priority_min" : 147, - "sched_getscheduler" : 145, - "sched_rr_get_interval" : 148, - "sched_setaffinity" : 203, - "sched_setparam" : 142, - "sched_setscheduler" : 144, - "sched_yield" : 24, - "setfsgid" : 123, - "setfsgid32" : -1, - "setfsuid" : 122, - "setfsuid32" : -1, - "setgid" : 106, - "setgid32" : -1, - "setgroups" : 116, - "setgroups32" : -1, - "setitimer" : 38, - "setpgid" : 109, - "setpriority" : 141, - "setregid" : 114, - "setregid32" : -1, - "setresgid" : 119, - "setresgid32" : -1, - "setresuid" : 117, - "setresuid32" : -1, - "setreuid" : 113, - "setreuid32" : -1, - "setrlimit" : 160, - "setsid" : 112, - "setuid" : 105, - "setuid32" : -1, - "ugetrlimit" : -1, - "vfork" : 58, - "wait4" : 61, - "waitid" : 247, - "waitpid" : -1, - "ipc" : -1, - "mq_getsetattr" : 245, - "mq_notify" : 244, - "mq_open" : 240, - "mq_timedreceive" : 243, - "mq_timedsend" : 242, - 
"mq_unlink" : 241, - "msgctl" : 71, - "msgget" : 68, - "msgrcv" : 70, - "msgsnd" : 69, - "semctl" : 66, - "semget" : 64, - "semop" : 65, - "semtimedop" : 220, - "shmat" : 30, - "shmctl" : 31, - "shmdt" : 67, - "shmget" : 29, - "arch_prctl" : 158, - "get_robust_list" : 274, - "get_thread_area" : 211, - "gettid" : 186, - "futex" : 202, - "restart_syscall" : 219, - "set_robust_list" : 273, - "set_thread_area" : 205, - "set_tid_address" : 218, - "tgkill" : 234, - "tkill" : 200, - "acct" : 163, - "adjtimex" : 159, - "bdflush" : -1, - "chroot" : 161, - "create_module" : 174, - "delete_module" : 176, - "get_kernel_syms" : 177, - "idle" : -1, - "init_module" : 175, - "ioperm" : 173, - "iopl" : 172, - "ioprio_get" : 252, - "ioprio_set" : 251, - "kexec_load" : 246, - "lookup_dcookie" : 212, - "migrate_pages" : 256, - "modify_ldt" : 154, - "mount" : 165, - "move_pages" : 279, - "name_to_handle_at" : 303, - "nfsservctl" : 180, - "open_by_handle_at" : 304, - "perf_event_open" : 298, - "pivot_root" : 155, - "process_vm_readv" : 310, - "process_vm_writev" : 311, - "ptrace" : 101, - "query_module" : 178, - "quotactl" : 179, - "reboot" : 169, - "setdomainname" : 171, - "setns" : 308, - "settimeofday" : 164, - "sgetmask" : -1, - "ssetmask" : -1, - "stime" : -1, - "swapoff" : 168, - "swapon" : 167, - "_sysctl" : 156, - "sysfs" : 139, - "sys_setaltroot" : -1, - "umount" : -1, - "umount2" : 166, - "unshare" : 272, - "uselib" : 134, - "vhangup" : 153, - "vm86" : -1, - "vm86old" : -1, - "add_key" : 248, - "keyctl" : 250, - "request_key" : 249, - "afs_syscall" : 183, - "break" : -1, - "ftime" : -1, - "getpmsg" : 181, - "gtty" : -1, - "lock" : -1, - "madvise1" : -1, - "mpx" : -1, - "prof" : -1, - "profil" : -1, - "putpmsg" : 182, - "security" : 185, - "stty" : -1, - "tuxcall" : 184, - "ulimit" : -1, - "vserver" : 236, -} diff --git a/system/setns_linux.go b/system/setns_linux.go index a3c4cbb27..615ff4c82 100644 --- a/system/setns_linux.go +++ b/system/setns_linux.go 
@@ -21,16 +21,20 @@ var setNsMap = map[string]uintptr{
 "linux/s390x": 339,
 }
 
+var sysSetns = setNsMap[fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)]
+
+func SysSetns() uint32 {
+ return uint32(sysSetns)
+}
+
 func Setns(fd uintptr, flags uintptr) error {
 ns, exists := setNsMap[fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)]
 if !exists {
 return fmt.Errorf("unsupported platform %s/%s", runtime.GOOS, runtime.GOARCH)
 }
-
 _, _, err := syscall.RawSyscall(ns, fd, flags, 0)
 if err != 0 {
 return err
 }
-
 return nil
 }
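Review bot: `SysSetns` silently returns 0 on a platform missing from setNsMap, because `sysSetns` is a bare map index with no existence check, while `Setns` a few lines below rejects the same case with an error; 0 is a real syscall number on every listed architecture, so a filter rule built from `SysSetns()` on an unsupported platform would target the wrong call. Keep the two in step: `var sysSetns, sysSetnsOK = setNsMap[fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)]`, have `SysSetns` return `(uint32, bool)` (or an error) from that pair, and let `Setns` reuse the precomputed value instead of repeating the lookup. The exported function also needs a doc comment, e.g. `// SysSetns returns the setns(2) syscall number for the current GOOS/GOARCH.`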