Diffstat (limited to 'plugin/rpcplugin/sandbox/seccomp_linux_amd64.go')
-rw-r--r--plugin/rpcplugin/sandbox/seccomp_linux_amd64.go301
1 files changed, 301 insertions, 0 deletions
diff --git a/plugin/rpcplugin/sandbox/seccomp_linux_amd64.go b/plugin/rpcplugin/sandbox/seccomp_linux_amd64.go
new file mode 100644
index 000000000..7338ebbe0
--- /dev/null
+++ b/plugin/rpcplugin/sandbox/seccomp_linux_amd64.go
@@ -0,0 +1,301 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package sandbox
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+const NATIVE_AUDIT_ARCH = AUDIT_ARCH_X86_64
+
+var AllowedSyscalls = []SeccompSyscall{
+ {Syscall: unix.SYS_ACCEPT},
+ {Syscall: unix.SYS_ACCEPT4},
+ {Syscall: unix.SYS_ACCESS},
+ {Syscall: unix.SYS_ADJTIMEX},
+ {Syscall: unix.SYS_ALARM},
+ {Syscall: unix.SYS_ARCH_PRCTL},
+ {Syscall: unix.SYS_BIND},
+ {Syscall: unix.SYS_BRK},
+ {Syscall: unix.SYS_CAPGET},
+ {Syscall: unix.SYS_CAPSET},
+ {Syscall: unix.SYS_CHDIR},
+ {Syscall: unix.SYS_CHMOD},
+ {Syscall: unix.SYS_CHOWN},
+ {Syscall: unix.SYS_CLOCK_GETRES},
+ {Syscall: unix.SYS_CLOCK_GETTIME},
+ {Syscall: unix.SYS_CLOCK_NANOSLEEP},
+ {
+ Syscall: unix.SYS_CLONE,
+ Any: []SeccompConditions{{
+ All: []SeccompCondition{SeccompArgHasNoBits{
+ Arg: 0,
+ Mask: unix.CLONE_NEWCGROUP | unix.CLONE_NEWIPC | unix.CLONE_NEWNET | unix.CLONE_NEWNS | unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS,
+ }},
+ }},
+ },
+ {Syscall: unix.SYS_CLOSE},
+ {Syscall: unix.SYS_CONNECT},
+ {Syscall: unix.SYS_COPY_FILE_RANGE},
+ {Syscall: unix.SYS_CREAT},
+ {Syscall: unix.SYS_DUP},
+ {Syscall: unix.SYS_DUP2},
+ {Syscall: unix.SYS_DUP3},
+ {Syscall: unix.SYS_EPOLL_CREATE},
+ {Syscall: unix.SYS_EPOLL_CREATE1},
+ {Syscall: unix.SYS_EPOLL_CTL},
+ {Syscall: unix.SYS_EPOLL_CTL_OLD},
+ {Syscall: unix.SYS_EPOLL_PWAIT},
+ {Syscall: unix.SYS_EPOLL_WAIT},
+ {Syscall: unix.SYS_EPOLL_WAIT_OLD},
+ {Syscall: unix.SYS_EVENTFD},
+ {Syscall: unix.SYS_EVENTFD2},
+ {Syscall: unix.SYS_EXECVE},
+ {Syscall: unix.SYS_EXECVEAT},
+ {Syscall: unix.SYS_EXIT},
+ {Syscall: unix.SYS_EXIT_GROUP},
+ {Syscall: unix.SYS_FACCESSAT},
+ {Syscall: unix.SYS_FADVISE64},
+ {Syscall: unix.SYS_FALLOCATE},
+ {Syscall: unix.SYS_FANOTIFY_MARK},
+ {Syscall: unix.SYS_FCHDIR},
+ {Syscall: unix.SYS_FCHMOD},
+ {Syscall: unix.SYS_FCHMODAT},
+ {Syscall: unix.SYS_FCHOWN},
+ {Syscall: unix.SYS_FCHOWNAT},
+ {Syscall: unix.SYS_FCNTL},
+ {Syscall: unix.SYS_FDATASYNC},
+ {Syscall: unix.SYS_FGETXATTR},
+ {Syscall: unix.SYS_FLISTXATTR},
+ {Syscall: unix.SYS_FLOCK},
+ {Syscall: unix.SYS_FORK},
+ {Syscall: unix.SYS_FREMOVEXATTR},
+ {Syscall: unix.SYS_FSETXATTR},
+ {Syscall: unix.SYS_FSTAT},
+ {Syscall: unix.SYS_FSTATFS},
+ {Syscall: unix.SYS_FSYNC},
+ {Syscall: unix.SYS_FTRUNCATE},
+ {Syscall: unix.SYS_FUTEX},
+ {Syscall: unix.SYS_FUTIMESAT},
+ {Syscall: unix.SYS_GETCPU},
+ {Syscall: unix.SYS_GETCWD},
+ {Syscall: unix.SYS_GETDENTS},
+ {Syscall: unix.SYS_GETDENTS64},
+ {Syscall: unix.SYS_GETEGID},
+ {Syscall: unix.SYS_GETEUID},
+ {Syscall: unix.SYS_GETGID},
+ {Syscall: unix.SYS_GETGROUPS},
+ {Syscall: unix.SYS_GETITIMER},
+ {Syscall: unix.SYS_GETPEERNAME},
+ {Syscall: unix.SYS_GETPGID},
+ {Syscall: unix.SYS_GETPGRP},
+ {Syscall: unix.SYS_GETPID},
+ {Syscall: unix.SYS_GETPPID},
+ {Syscall: unix.SYS_GETPRIORITY},
+ {Syscall: unix.SYS_GETRANDOM},
+ {Syscall: unix.SYS_GETRESGID},
+ {Syscall: unix.SYS_GETRESUID},
+ {Syscall: unix.SYS_GETRLIMIT},
+ {Syscall: unix.SYS_GET_ROBUST_LIST},
+ {Syscall: unix.SYS_GETRUSAGE},
+ {Syscall: unix.SYS_GETSID},
+ {Syscall: unix.SYS_GETSOCKNAME},
+ {Syscall: unix.SYS_GETSOCKOPT},
+ {Syscall: unix.SYS_GET_THREAD_AREA},
+ {Syscall: unix.SYS_GETTID},
+ {Syscall: unix.SYS_GETTIMEOFDAY},
+ {Syscall: unix.SYS_GETUID},
+ {Syscall: unix.SYS_GETXATTR},
+ {Syscall: unix.SYS_INOTIFY_ADD_WATCH},
+ {Syscall: unix.SYS_INOTIFY_INIT},
+ {Syscall: unix.SYS_INOTIFY_INIT1},
+ {Syscall: unix.SYS_INOTIFY_RM_WATCH},
+ {Syscall: unix.SYS_IO_CANCEL},
+ {Syscall: unix.SYS_IOCTL},
+ {Syscall: unix.SYS_IO_DESTROY},
+ {Syscall: unix.SYS_IO_GETEVENTS},
+ {Syscall: unix.SYS_IOPRIO_GET},
+ {Syscall: unix.SYS_IOPRIO_SET},
+ {Syscall: unix.SYS_IO_SETUP},
+ {Syscall: unix.SYS_IO_SUBMIT},
+ {Syscall: unix.SYS_KILL},
+ {Syscall: unix.SYS_LCHOWN},
+ {Syscall: unix.SYS_LGETXATTR},
+ {Syscall: unix.SYS_LINK},
+ {Syscall: unix.SYS_LINKAT},
+ {Syscall: unix.SYS_LISTEN},
+ {Syscall: unix.SYS_LISTXATTR},
+ {Syscall: unix.SYS_LLISTXATTR},
+ {Syscall: unix.SYS_LREMOVEXATTR},
+ {Syscall: unix.SYS_LSEEK},
+ {Syscall: unix.SYS_LSETXATTR},
+ {Syscall: unix.SYS_LSTAT},
+ {Syscall: unix.SYS_MADVISE},
+ {Syscall: unix.SYS_MEMFD_CREATE},
+ {Syscall: unix.SYS_MINCORE},
+ {Syscall: unix.SYS_MKDIR},
+ {Syscall: unix.SYS_MKDIRAT},
+ {Syscall: unix.SYS_MKNOD},
+ {Syscall: unix.SYS_MKNODAT},
+ {Syscall: unix.SYS_MLOCK},
+ {Syscall: unix.SYS_MLOCK2},
+ {Syscall: unix.SYS_MLOCKALL},
+ {Syscall: unix.SYS_MMAP},
+ {Syscall: unix.SYS_MODIFY_LDT},
+ {Syscall: unix.SYS_MPROTECT},
+ {Syscall: unix.SYS_MQ_GETSETATTR},
+ {Syscall: unix.SYS_MQ_NOTIFY},
+ {Syscall: unix.SYS_MQ_OPEN},
+ {Syscall: unix.SYS_MQ_TIMEDRECEIVE},
+ {Syscall: unix.SYS_MQ_TIMEDSEND},
+ {Syscall: unix.SYS_MQ_UNLINK},
+ {Syscall: unix.SYS_MREMAP},
+ {Syscall: unix.SYS_MSGCTL},
+ {Syscall: unix.SYS_MSGGET},
+ {Syscall: unix.SYS_MSGRCV},
+ {Syscall: unix.SYS_MSGSND},
+ {Syscall: unix.SYS_MSYNC},
+ {Syscall: unix.SYS_MUNLOCK},
+ {Syscall: unix.SYS_MUNLOCKALL},
+ {Syscall: unix.SYS_MUNMAP},
+ {Syscall: unix.SYS_NANOSLEEP},
+ {Syscall: unix.SYS_NEWFSTATAT},
+ {Syscall: unix.SYS_OPEN},
+ {Syscall: unix.SYS_OPENAT},
+ {Syscall: unix.SYS_PAUSE},
+ {
+ Syscall: unix.SYS_PERSONALITY,
+ Any: []SeccompConditions{
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 8}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20000}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20008}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0xffffffff}}},
+ },
+ },
+ {Syscall: unix.SYS_PIPE},
+ {Syscall: unix.SYS_PIPE2},
+ {Syscall: unix.SYS_POLL},
+ {Syscall: unix.SYS_PPOLL},
+ {Syscall: unix.SYS_PRCTL},
+ {Syscall: unix.SYS_PREAD64},
+ {Syscall: unix.SYS_PREADV},
+ {Syscall: unix.SYS_PREADV2},
+ {Syscall: unix.SYS_PRLIMIT64},
+ {Syscall: unix.SYS_PSELECT6},
+ {Syscall: unix.SYS_PWRITE64},
+ {Syscall: unix.SYS_PWRITEV},
+ {Syscall: unix.SYS_PWRITEV2},
+ {Syscall: unix.SYS_READ},
+ {Syscall: unix.SYS_READAHEAD},
+ {Syscall: unix.SYS_READLINK},
+ {Syscall: unix.SYS_READLINKAT},
+ {Syscall: unix.SYS_READV},
+ {Syscall: unix.SYS_RECVFROM},
+ {Syscall: unix.SYS_RECVMMSG},
+ {Syscall: unix.SYS_RECVMSG},
+ {Syscall: unix.SYS_REMAP_FILE_PAGES},
+ {Syscall: unix.SYS_REMOVEXATTR},
+ {Syscall: unix.SYS_RENAME},
+ {Syscall: unix.SYS_RENAMEAT},
+ {Syscall: unix.SYS_RENAMEAT2},
+ {Syscall: unix.SYS_RESTART_SYSCALL},
+ {Syscall: unix.SYS_RMDIR},
+ {Syscall: unix.SYS_RT_SIGACTION},
+ {Syscall: unix.SYS_RT_SIGPENDING},
+ {Syscall: unix.SYS_RT_SIGPROCMASK},
+ {Syscall: unix.SYS_RT_SIGQUEUEINFO},
+ {Syscall: unix.SYS_RT_SIGRETURN},
+ {Syscall: unix.SYS_RT_SIGSUSPEND},
+ {Syscall: unix.SYS_RT_SIGTIMEDWAIT},
+ {Syscall: unix.SYS_RT_TGSIGQUEUEINFO},
+ {Syscall: unix.SYS_SCHED_GETAFFINITY},
+ {Syscall: unix.SYS_SCHED_GETATTR},
+ {Syscall: unix.SYS_SCHED_GETPARAM},
+ {Syscall: unix.SYS_SCHED_GET_PRIORITY_MAX},
+ {Syscall: unix.SYS_SCHED_GET_PRIORITY_MIN},
+ {Syscall: unix.SYS_SCHED_GETSCHEDULER},
+ {Syscall: unix.SYS_SCHED_RR_GET_INTERVAL},
+ {Syscall: unix.SYS_SCHED_SETAFFINITY},
+ {Syscall: unix.SYS_SCHED_SETATTR},
+ {Syscall: unix.SYS_SCHED_SETPARAM},
+ {Syscall: unix.SYS_SCHED_SETSCHEDULER},
+ {Syscall: unix.SYS_SCHED_YIELD},
+ {Syscall: unix.SYS_SECCOMP},
+ {Syscall: unix.SYS_SELECT},
+ {Syscall: unix.SYS_SEMCTL},
+ {Syscall: unix.SYS_SEMGET},
+ {Syscall: unix.SYS_SEMOP},
+ {Syscall: unix.SYS_SEMTIMEDOP},
+ {Syscall: unix.SYS_SENDFILE},
+ {Syscall: unix.SYS_SENDMMSG},
+ {Syscall: unix.SYS_SENDMSG},
+ {Syscall: unix.SYS_SENDTO},
+ {Syscall: unix.SYS_SETFSGID},
+ {Syscall: unix.SYS_SETFSUID},
+ {Syscall: unix.SYS_SETGID},
+ {Syscall: unix.SYS_SETGROUPS},
+ {Syscall: unix.SYS_SETITIMER},
+ {Syscall: unix.SYS_SETPGID},
+ {Syscall: unix.SYS_SETPRIORITY},
+ {Syscall: unix.SYS_SETREGID},
+ {Syscall: unix.SYS_SETRESGID},
+ {Syscall: unix.SYS_SETRESUID},
+ {Syscall: unix.SYS_SETREUID},
+ {Syscall: unix.SYS_SETRLIMIT},
+ {Syscall: unix.SYS_SET_ROBUST_LIST},
+ {Syscall: unix.SYS_SETSID},
+ {Syscall: unix.SYS_SETSOCKOPT},
+ {Syscall: unix.SYS_SET_THREAD_AREA},
+ {Syscall: unix.SYS_SET_TID_ADDRESS},
+ {Syscall: unix.SYS_SETUID},
+ {Syscall: unix.SYS_SETXATTR},
+ {Syscall: unix.SYS_SHMAT},
+ {Syscall: unix.SYS_SHMCTL},
+ {Syscall: unix.SYS_SHMDT},
+ {Syscall: unix.SYS_SHMGET},
+ {Syscall: unix.SYS_SHUTDOWN},
+ {Syscall: unix.SYS_SIGALTSTACK},
+ {Syscall: unix.SYS_SIGNALFD},
+ {Syscall: unix.SYS_SIGNALFD4},
+ {Syscall: unix.SYS_SOCKET},
+ {Syscall: unix.SYS_SOCKETPAIR},
+ {Syscall: unix.SYS_SPLICE},
+ {Syscall: unix.SYS_STAT},
+ {Syscall: unix.SYS_STATFS},
+ {Syscall: unix.SYS_SYMLINK},
+ {Syscall: unix.SYS_SYMLINKAT},
+ {Syscall: unix.SYS_SYNC},
+ {Syscall: unix.SYS_SYNC_FILE_RANGE},
+ {Syscall: unix.SYS_SYNCFS},
+ {Syscall: unix.SYS_SYSINFO},
+ {Syscall: unix.SYS_SYSLOG},
+ {Syscall: unix.SYS_TEE},
+ {Syscall: unix.SYS_TGKILL},
+ {Syscall: unix.SYS_TIME},
+ {Syscall: unix.SYS_TIMER_CREATE},
+ {Syscall: unix.SYS_TIMER_DELETE},
+ {Syscall: unix.SYS_TIMERFD_CREATE},
+ {Syscall: unix.SYS_TIMERFD_GETTIME},
+ {Syscall: unix.SYS_TIMERFD_SETTIME},
+ {Syscall: unix.SYS_TIMER_GETOVERRUN},
+ {Syscall: unix.SYS_TIMER_GETTIME},
+ {Syscall: unix.SYS_TIMER_SETTIME},
+ {Syscall: unix.SYS_TIMES},
+ {Syscall: unix.SYS_TKILL},
+ {Syscall: unix.SYS_TRUNCATE},
+ {Syscall: unix.SYS_UMASK},
+ {Syscall: unix.SYS_UNAME},
+ {Syscall: unix.SYS_UNLINK},
+ {Syscall: unix.SYS_UNLINKAT},
+ {Syscall: unix.SYS_UTIME},
+ {Syscall: unix.SYS_UTIMENSAT},
+ {Syscall: unix.SYS_UTIMES},
+ {Syscall: unix.SYS_VFORK},
+ {Syscall: unix.SYS_VMSPLICE},
+ {Syscall: unix.SYS_WAIT4},
+ {Syscall: unix.SYS_WAITID},
+ {Syscall: unix.SYS_WRITE},
+ {Syscall: unix.SYS_WRITEV},
+}
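Review bot: `SYS_SYSLOG` and `SYS_ADJTIMEX` are allowed unconditionally in this allowlist, and neither looks like something a sandboxed plugin needs: syslog(2) exposes the kernel ring buffer to the sandboxed process, and adjtimex(2) is only meaningful with time-setting privileges; unless a plugin is known to require them, dropping those two entries tightens the filter at no cost. `SYS_FANOTIFY_MARK` is listed without `SYS_FANOTIFY_INIT`, so the entry is dead weight (the mark call needs a descriptor only init can produce) and could be removed for clarity. The exported `NATIVE_AUDIT_ARCH` and `AllowedSyscalls` have no doc comments; I would add `// AllowedSyscalls is the amd64 seccomp allowlist for sandboxed plugins; an entry with no conditions is permitted for any arguments.` and, above the personality entry, a comment explaining that arg 0 is restricted to the default persona, PER_LINUX32, UNAME26, their combination, and the query value 0xffffffff, since the hex literals are opaque otherwise. The ALL_CAPS constant name is not MixedCaps, but renaming it should be done consistently across the per-architecture files rather than in this one alone.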