From f5c8a71698d0a7a16c68be220e49fe64bfee7f5c Mon Sep 17 00:00:00 2001
From: Chris
Date: Mon, 15 Jan 2018 11:21:06 -0600
Subject: ABC-22: Plugin sandboxing for linux/amd64 (#8068)

* plugin sandboxing
* remove unused type
* better symlink handling, better remounting, better test, whitespace fixes, and comment on the remounting
* fix test compile error
* big simplification for getting mount flags
* mask statfs flags to the ones we're interested in
---
 plugin/rpcplugin/sandbox/seccomp_linux_amd64.go | 301 ++++++++++++++++++++++++
 1 file changed, 301 insertions(+)
 create mode 100644 plugin/rpcplugin/sandbox/seccomp_linux_amd64.go
(limited to 'plugin/rpcplugin/sandbox/seccomp_linux_amd64.go')
diff --git a/plugin/rpcplugin/sandbox/seccomp_linux_amd64.go b/plugin/rpcplugin/sandbox/seccomp_linux_amd64.go
new file mode 100644
index 000000000..7338ebbe0
--- /dev/null
+++ b/plugin/rpcplugin/sandbox/seccomp_linux_amd64.go
@@ -0,0 +1,301 @@
+// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package sandbox
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+const NATIVE_AUDIT_ARCH = AUDIT_ARCH_X86_64
+
+var AllowedSyscalls = []SeccompSyscall{
+ {Syscall: unix.SYS_ACCEPT},
+ {Syscall: unix.SYS_ACCEPT4},
+ {Syscall: unix.SYS_ACCESS},
+ {Syscall: unix.SYS_ADJTIMEX},
+ {Syscall: unix.SYS_ALARM},
+ {Syscall: unix.SYS_ARCH_PRCTL},
+ {Syscall: unix.SYS_BIND},
+ {Syscall: unix.SYS_BRK},
+ {Syscall: unix.SYS_CAPGET},
+ {Syscall: unix.SYS_CAPSET},
+ {Syscall: unix.SYS_CHDIR},
+ {Syscall: unix.SYS_CHMOD},
+ {Syscall: unix.SYS_CHOWN},
+ {Syscall: unix.SYS_CLOCK_GETRES},
+ {Syscall: unix.SYS_CLOCK_GETTIME},
+ {Syscall: unix.SYS_CLOCK_NANOSLEEP},
+ {
+ Syscall: unix.SYS_CLONE,
+ Any: []SeccompConditions{{
+ All: []SeccompCondition{SeccompArgHasNoBits{
+ Arg: 0,
+ Mask: unix.CLONE_NEWCGROUP | unix.CLONE_NEWIPC | unix.CLONE_NEWNET | unix.CLONE_NEWNS | unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS,
+ }},
+ }},
+ },
+ {Syscall: unix.SYS_CLOSE},
+ {Syscall: unix.SYS_CONNECT},
+ {Syscall: unix.SYS_COPY_FILE_RANGE},
+ {Syscall: unix.SYS_CREAT},
+ {Syscall: unix.SYS_DUP},
+ {Syscall: unix.SYS_DUP2},
+ {Syscall: unix.SYS_DUP3},
+ {Syscall: unix.SYS_EPOLL_CREATE},
+ {Syscall: unix.SYS_EPOLL_CREATE1},
+ {Syscall: unix.SYS_EPOLL_CTL},
+ {Syscall: unix.SYS_EPOLL_CTL_OLD},
+ {Syscall: unix.SYS_EPOLL_PWAIT},
+ {Syscall: unix.SYS_EPOLL_WAIT},
+ {Syscall: unix.SYS_EPOLL_WAIT_OLD},
+ {Syscall: unix.SYS_EVENTFD},
+ {Syscall: unix.SYS_EVENTFD2},
+ {Syscall: unix.SYS_EXECVE},
+ {Syscall: unix.SYS_EXECVEAT},
+ {Syscall: unix.SYS_EXIT},
+ {Syscall: unix.SYS_EXIT_GROUP},
+ {Syscall: unix.SYS_FACCESSAT},
+ {Syscall: unix.SYS_FADVISE64},
+ {Syscall: unix.SYS_FALLOCATE},
+ {Syscall: unix.SYS_FANOTIFY_MARK},
+ {Syscall: unix.SYS_FCHDIR},
+ {Syscall: unix.SYS_FCHMOD},
+ {Syscall: unix.SYS_FCHMODAT},
+ {Syscall: unix.SYS_FCHOWN},
+ {Syscall: unix.SYS_FCHOWNAT},
+ {Syscall: unix.SYS_FCNTL},
+ {Syscall: unix.SYS_FDATASYNC},
+ {Syscall: unix.SYS_FGETXATTR},
+ {Syscall: unix.SYS_FLISTXATTR},
+ {Syscall: unix.SYS_FLOCK},
+ {Syscall: unix.SYS_FORK},
+ {Syscall: unix.SYS_FREMOVEXATTR},
+ {Syscall: unix.SYS_FSETXATTR},
+ {Syscall: unix.SYS_FSTAT},
+ {Syscall: unix.SYS_FSTATFS},
+ {Syscall: unix.SYS_FSYNC},
+ {Syscall: unix.SYS_FTRUNCATE},
+ {Syscall: unix.SYS_FUTEX},
+ {Syscall: unix.SYS_FUTIMESAT},
+ {Syscall: unix.SYS_GETCPU},
+ {Syscall: unix.SYS_GETCWD},
+ {Syscall: unix.SYS_GETDENTS},
+ {Syscall: unix.SYS_GETDENTS64},
+ {Syscall: unix.SYS_GETEGID},
+ {Syscall: unix.SYS_GETEUID},
+ {Syscall: unix.SYS_GETGID},
+ {Syscall: unix.SYS_GETGROUPS},
+ {Syscall: unix.SYS_GETITIMER},
+ {Syscall: unix.SYS_GETPEERNAME},
+ {Syscall: unix.SYS_GETPGID},
+ {Syscall: unix.SYS_GETPGRP},
+ {Syscall: unix.SYS_GETPID},
+ {Syscall: unix.SYS_GETPPID},
+ {Syscall: unix.SYS_GETPRIORITY},
+ {Syscall: unix.SYS_GETRANDOM},
+ {Syscall: unix.SYS_GETRESGID},
+ {Syscall: unix.SYS_GETRESUID},
+ {Syscall: unix.SYS_GETRLIMIT},
+ {Syscall: unix.SYS_GET_ROBUST_LIST},
+ {Syscall: unix.SYS_GETRUSAGE},
+ {Syscall: unix.SYS_GETSID},
+ {Syscall: unix.SYS_GETSOCKNAME},
+ {Syscall: unix.SYS_GETSOCKOPT},
+ {Syscall: unix.SYS_GET_THREAD_AREA},
+ {Syscall: unix.SYS_GETTID},
+ {Syscall: unix.SYS_GETTIMEOFDAY},
+ {Syscall: unix.SYS_GETUID},
+ {Syscall: unix.SYS_GETXATTR},
+ {Syscall: unix.SYS_INOTIFY_ADD_WATCH},
+ {Syscall: unix.SYS_INOTIFY_INIT},
+ {Syscall: unix.SYS_INOTIFY_INIT1},
+ {Syscall: unix.SYS_INOTIFY_RM_WATCH},
+ {Syscall: unix.SYS_IO_CANCEL},
+ {Syscall: unix.SYS_IOCTL},
+ {Syscall: unix.SYS_IO_DESTROY},
+ {Syscall: unix.SYS_IO_GETEVENTS},
+ {Syscall: unix.SYS_IOPRIO_GET},
+ {Syscall: unix.SYS_IOPRIO_SET},
+ {Syscall: unix.SYS_IO_SETUP},
+ {Syscall: unix.SYS_IO_SUBMIT},
+ {Syscall: unix.SYS_KILL},
+ {Syscall: unix.SYS_LCHOWN},
+ {Syscall: unix.SYS_LGETXATTR},
+ {Syscall: unix.SYS_LINK},
+ {Syscall: unix.SYS_LINKAT},
+ {Syscall: unix.SYS_LISTEN},
+ {Syscall: unix.SYS_LISTXATTR},
+ {Syscall: unix.SYS_LLISTXATTR},
+ {Syscall: unix.SYS_LREMOVEXATTR},
+ {Syscall: unix.SYS_LSEEK},
+ {Syscall: unix.SYS_LSETXATTR},
+ {Syscall: unix.SYS_LSTAT},
+ {Syscall: unix.SYS_MADVISE},
+ {Syscall: unix.SYS_MEMFD_CREATE},
+ {Syscall: unix.SYS_MINCORE},
+ {Syscall: unix.SYS_MKDIR},
+ {Syscall: unix.SYS_MKDIRAT},
+ {Syscall: unix.SYS_MKNOD},
+ {Syscall: unix.SYS_MKNODAT},
+ {Syscall: unix.SYS_MLOCK},
+ {Syscall: unix.SYS_MLOCK2},
+ {Syscall: unix.SYS_MLOCKALL},
+ {Syscall: unix.SYS_MMAP},
+ {Syscall: unix.SYS_MODIFY_LDT},
+ {Syscall: unix.SYS_MPROTECT},
+ {Syscall: unix.SYS_MQ_GETSETATTR},
+ {Syscall: unix.SYS_MQ_NOTIFY},
+ {Syscall: unix.SYS_MQ_OPEN},
+ {Syscall: unix.SYS_MQ_TIMEDRECEIVE},
+ {Syscall: unix.SYS_MQ_TIMEDSEND},
+ {Syscall: unix.SYS_MQ_UNLINK},
+ {Syscall: unix.SYS_MREMAP},
+ {Syscall: unix.SYS_MSGCTL},
+ {Syscall: unix.SYS_MSGGET},
+ {Syscall: unix.SYS_MSGRCV},
+ {Syscall: unix.SYS_MSGSND},
+ {Syscall: unix.SYS_MSYNC},
+ {Syscall: unix.SYS_MUNLOCK},
+ {Syscall: unix.SYS_MUNLOCKALL},
+ {Syscall: unix.SYS_MUNMAP},
+ {Syscall: unix.SYS_NANOSLEEP},
+ {Syscall: unix.SYS_NEWFSTATAT},
+ {Syscall: unix.SYS_OPEN},
+ {Syscall: unix.SYS_OPENAT},
+ {Syscall: unix.SYS_PAUSE},
+ {
+ Syscall: unix.SYS_PERSONALITY,
+ Any: []SeccompConditions{
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 8}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20000}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20008}}},
+ {All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0xffffffff}}},
+ },
+ },
+ {Syscall: unix.SYS_PIPE},
+ {Syscall: unix.SYS_PIPE2},
+ {Syscall: unix.SYS_POLL},
+ {Syscall: unix.SYS_PPOLL},
+ {Syscall: unix.SYS_PRCTL},
+ {Syscall: unix.SYS_PREAD64},
+ {Syscall: unix.SYS_PREADV},
+ {Syscall: unix.SYS_PREADV2},
+ {Syscall: unix.SYS_PRLIMIT64},
+ {Syscall: unix.SYS_PSELECT6},
+ {Syscall: unix.SYS_PWRITE64},
+ {Syscall: unix.SYS_PWRITEV},
+ {Syscall: unix.SYS_PWRITEV2},
+ {Syscall: unix.SYS_READ},
+ {Syscall: unix.SYS_READAHEAD},
+ {Syscall: unix.SYS_READLINK},
+ {Syscall: unix.SYS_READLINKAT},
+ {Syscall: unix.SYS_READV},
+ {Syscall: unix.SYS_RECVFROM},
+ {Syscall: unix.SYS_RECVMMSG},
+ {Syscall: unix.SYS_RECVMSG},
+ {Syscall: unix.SYS_REMAP_FILE_PAGES},
+ {Syscall: unix.SYS_REMOVEXATTR},
+ {Syscall: unix.SYS_RENAME},
+ {Syscall: unix.SYS_RENAMEAT},
+ {Syscall: unix.SYS_RENAMEAT2},
+ {Syscall: unix.SYS_RESTART_SYSCALL},
+ {Syscall: unix.SYS_RMDIR},
+ {Syscall: unix.SYS_RT_SIGACTION},
+ {Syscall: unix.SYS_RT_SIGPENDING},
+ {Syscall: unix.SYS_RT_SIGPROCMASK},
+ {Syscall: unix.SYS_RT_SIGQUEUEINFO},
+ {Syscall: unix.SYS_RT_SIGRETURN},
+ {Syscall: unix.SYS_RT_SIGSUSPEND},
+ {Syscall: unix.SYS_RT_SIGTIMEDWAIT},
+ {Syscall: unix.SYS_RT_TGSIGQUEUEINFO},
+ {Syscall: unix.SYS_SCHED_GETAFFINITY},
+ {Syscall: unix.SYS_SCHED_GETATTR},
+ {Syscall: unix.SYS_SCHED_GETPARAM},
+ {Syscall: unix.SYS_SCHED_GET_PRIORITY_MAX},
+ {Syscall: unix.SYS_SCHED_GET_PRIORITY_MIN},
+ {Syscall: unix.SYS_SCHED_GETSCHEDULER},
+ {Syscall: unix.SYS_SCHED_RR_GET_INTERVAL},
+ {Syscall: unix.SYS_SCHED_SETAFFINITY},
+ {Syscall: unix.SYS_SCHED_SETATTR},
+ {Syscall: unix.SYS_SCHED_SETPARAM},
+ {Syscall: unix.SYS_SCHED_SETSCHEDULER},
+ {Syscall: unix.SYS_SCHED_YIELD},
+ {Syscall: unix.SYS_SECCOMP},
+ {Syscall: unix.SYS_SELECT},
+ {Syscall: unix.SYS_SEMCTL},
+ {Syscall: unix.SYS_SEMGET},
+ {Syscall: unix.SYS_SEMOP},
+ {Syscall: unix.SYS_SEMTIMEDOP},
+ {Syscall: unix.SYS_SENDFILE},
+ {Syscall: unix.SYS_SENDMMSG},
+ {Syscall: unix.SYS_SENDMSG},
+ {Syscall: unix.SYS_SENDTO},
+ {Syscall: unix.SYS_SETFSGID},
+ {Syscall: unix.SYS_SETFSUID},
+ {Syscall: unix.SYS_SETGID},
+ {Syscall: unix.SYS_SETGROUPS},
+ {Syscall: unix.SYS_SETITIMER},
+ {Syscall: unix.SYS_SETPGID},
+ {Syscall: unix.SYS_SETPRIORITY},
+ {Syscall: unix.SYS_SETREGID},
+ {Syscall: unix.SYS_SETRESGID},
+ {Syscall: unix.SYS_SETRESUID},
+ {Syscall: unix.SYS_SETREUID},
+ {Syscall: unix.SYS_SETRLIMIT},
+ {Syscall: unix.SYS_SET_ROBUST_LIST},
+ {Syscall: unix.SYS_SETSID},
+ {Syscall: unix.SYS_SETSOCKOPT},
+ {Syscall: unix.SYS_SET_THREAD_AREA},
+ {Syscall: unix.SYS_SET_TID_ADDRESS},
+ {Syscall: unix.SYS_SETUID},
+ {Syscall: unix.SYS_SETXATTR},
+ {Syscall: unix.SYS_SHMAT},
+ {Syscall: unix.SYS_SHMCTL},
+ {Syscall: unix.SYS_SHMDT},
+ {Syscall: unix.SYS_SHMGET},
+ {Syscall: unix.SYS_SHUTDOWN},
+ {Syscall: unix.SYS_SIGALTSTACK},
+ {Syscall: unix.SYS_SIGNALFD},
+ {Syscall: unix.SYS_SIGNALFD4},
+ {Syscall: unix.SYS_SOCKET},
+ {Syscall: unix.SYS_SOCKETPAIR},
+ {Syscall: unix.SYS_SPLICE},
+ {Syscall: unix.SYS_STAT},
+ {Syscall: unix.SYS_STATFS},
+ {Syscall: unix.SYS_SYMLINK},
+ {Syscall: unix.SYS_SYMLINKAT},
+ {Syscall: unix.SYS_SYNC},
+ {Syscall: unix.SYS_SYNC_FILE_RANGE},
+ {Syscall: unix.SYS_SYNCFS},
+ {Syscall: unix.SYS_SYSINFO},
+ {Syscall: unix.SYS_SYSLOG},
+ {Syscall: unix.SYS_TEE},
+ {Syscall: unix.SYS_TGKILL},
+ {Syscall: unix.SYS_TIME},
+ {Syscall: unix.SYS_TIMER_CREATE},
+ {Syscall: unix.SYS_TIMER_DELETE},
+ {Syscall: unix.SYS_TIMERFD_CREATE},
+ {Syscall: unix.SYS_TIMERFD_GETTIME},
+ {Syscall: unix.SYS_TIMERFD_SETTIME},
+ {Syscall: unix.SYS_TIMER_GETOVERRUN},
+ {Syscall: unix.SYS_TIMER_GETTIME},
+ {Syscall: unix.SYS_TIMER_SETTIME},
+ {Syscall: unix.SYS_TIMES},
+ {Syscall: unix.SYS_TKILL},
+ {Syscall: unix.SYS_TRUNCATE},
+ {Syscall: unix.SYS_UMASK},
+ {Syscall: unix.SYS_UNAME},
+ {Syscall: unix.SYS_UNLINK},
+ {Syscall: unix.SYS_UNLINKAT},
+ {Syscall: unix.SYS_UTIME},
+ {Syscall: unix.SYS_UTIMENSAT},
+ {Syscall: unix.SYS_UTIMES},
+ {Syscall: unix.SYS_VFORK},
+ {Syscall: unix.SYS_VMSPLICE},
+ {Syscall: unix.SYS_WAIT4},
+ {Syscall: unix.SYS_WAITID},
+ {Syscall: unix.SYS_WRITE},
+ {Syscall: unix.SYS_WRITEV},
+}
-- cgit v1.2.3-1-g7c22
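Review bot: `AllowedSyscalls` and `NATIVE_AUDIT_ARCH` are exported with no doc comment, so nothing in the file records that this is a default-deny allowlist or why only the `clone` and `personality` entries carry argument conditions; I would put `// AllowedSyscalls is the default-deny seccomp allowlist applied to sandboxed plugins on linux/amd64.` above the var, with a second sentence saying that clone is refused when any CLONE_NEW* namespace flag is set in arg 0 and personality is limited to the five listed values. What happens to a syscall outside this list (errno versus kill) is decided by the filter builder elsewhere in the package, not in this file, so the comment should point readers there. Separately, `unix.SYS_SYSLOG` is allowed unconditionally, which lets a plugin read or clear the kernel ring buffer wherever dmesg_restrict permits it; unless a plugin has a concrete need for syslog(2), dropping that entry is cheap defense in depth. Go naming convention would also prefer `NativeAuditArch` over `NATIVE_AUDIT_ARCH`, though the spelling may deliberately mirror `AUDIT_ARCH_X86_64`, which is defined outside this diff.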