// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package sandbox

import (
	"golang.org/x/sys/unix"
)

// NATIVE_AUDIT_ARCH is the audit architecture this allowlist is written
// for. The filter builder presumably compares it against the arch of the
// calling process, so that a syscall issued under a different ABI (where
// the same number means a different call) is not matched against this
// amd64 list — confirm where the filter is assembled.
const (
	NATIVE_AUDIT_ARCH = AUDIT_ARCH_X86_64
)

// AllowedSyscalls is the linux/amd64 seccomp allowlist applied to sandboxed
// plugin processes. A syscall is permitted when it appears here and, for the
// entries that carry conditions, when one of the Any groups has all of its
// conditions satisfied. Anything not listed (e.g. ptrace, mount, unshare,
// setns, bpf, keyctl, process_vm_readv are deliberately absent) is left to
// the filter's default action, which is defined where the filter is built,
// not in this file.
//
// NOTE(review): the list is an allowlist by syscall number only; entries
// without conditions (prctl, ioctl, socket, setuid and friends) accept any
// arguments. Whether that is acceptable depends on the capabilities and
// credentials the sandboxed process starts with — confirm against the
// sandbox setup code.
var AllowedSyscalls = []SeccompSyscall{
	{Syscall: unix.SYS_ACCEPT},
	{Syscall: unix.SYS_ACCEPT4},
	{Syscall: unix.SYS_ACCESS},
	{Syscall: unix.SYS_ADJTIMEX},
	{Syscall: unix.SYS_ALARM},
	{Syscall: unix.SYS_ARCH_PRCTL},
	{Syscall: unix.SYS_BIND},
	{Syscall: unix.SYS_BRK},
	{Syscall: unix.SYS_CAPGET},
	{Syscall: unix.SYS_CAPSET},
	{Syscall: unix.SYS_CHDIR},
	{Syscall: unix.SYS_CHMOD},
	{Syscall: unix.SYS_CHOWN},
	{Syscall: unix.SYS_CLOCK_GETRES},
	{Syscall: unix.SYS_CLOCK_GETTIME},
	{Syscall: unix.SYS_CLOCK_NANOSLEEP},
	// clone is allowed only when its flags word (arg 0 on x86_64) carries
	// none of the CLONE_NEW* bits, i.e. the sandboxed process can create
	// threads and children but presumably cannot enter a fresh namespace
	// this way; unshare and setns are not on the list at all.
	// NOTE(review): clone3 is not listed either, so a libc that tries it
	// first will hit the default action — confirm it falls back to clone.
	{
		Syscall: unix.SYS_CLONE,
		Any: []SeccompConditions{{
			All: []SeccompCondition{SeccompArgHasNoBits{
				Arg:  0,
				Mask: unix.CLONE_NEWCGROUP | unix.CLONE_NEWIPC | unix.CLONE_NEWNET | unix.CLONE_NEWNS | unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS,
			}},
		}},
	},
	{Syscall: unix.SYS_CLOSE},
	{Syscall: unix.SYS_CONNECT},
	{Syscall: unix.SYS_COPY_FILE_RANGE},
	{Syscall: unix.SYS_CREAT},
	{Syscall: unix.SYS_DUP},
	{Syscall: unix.SYS_DUP2},
	{Syscall: unix.SYS_DUP3},
	{Syscall: unix.SYS_EPOLL_CREATE},
	{Syscall: unix.SYS_EPOLL_CREATE1},
	{Syscall: unix.SYS_EPOLL_CTL},
	{Syscall: unix.SYS_EPOLL_CTL_OLD},
	{Syscall: unix.SYS_EPOLL_PWAIT},
	{Syscall: unix.SYS_EPOLL_WAIT},
	{Syscall: unix.SYS_EPOLL_WAIT_OLD},
	{Syscall: unix.SYS_EVENTFD},
	{Syscall: unix.SYS_EVENTFD2},
	{Syscall: unix.SYS_EXECVE},
	{Syscall: unix.SYS_EXECVEAT},
	{Syscall: unix.SYS_EXIT},
	{Syscall: unix.SYS_EXIT_GROUP},
	{Syscall: unix.SYS_FACCESSAT},
	{Syscall: unix.SYS_FADVISE64},
	{Syscall: unix.SYS_FALLOCATE},
	{Syscall: unix.SYS_FANOTIFY_MARK},
	{Syscall: unix.SYS_FCHDIR},
	{Syscall: unix.SYS_FCHMOD},
	{Syscall: unix.SYS_FCHMODAT},
	{Syscall: unix.SYS_FCHOWN},
	{Syscall: unix.SYS_FCHOWNAT},
	{Syscall: unix.SYS_FCNTL},
	{Syscall: unix.SYS_FDATASYNC},
	{Syscall: unix.SYS_FGETXATTR},
	{Syscall: unix.SYS_FLISTXATTR},
	{Syscall: unix.SYS_FLOCK},
	{Syscall: unix.SYS_FORK},
	{Syscall: unix.SYS_FREMOVEXATTR},
	{Syscall: unix.SYS_FSETXATTR},
	{Syscall: unix.SYS_FSTAT},
	{Syscall: unix.SYS_FSTATFS},
	{Syscall: unix.SYS_FSYNC},
	{Syscall: unix.SYS_FTRUNCATE},
	{Syscall: unix.SYS_FUTEX},
	{Syscall: unix.SYS_FUTIMESAT},
	{Syscall: unix.SYS_GETCPU},
	{Syscall: unix.SYS_GETCWD},
	{Syscall: unix.SYS_GETDENTS},
	{Syscall: unix.SYS_GETDENTS64},
	{Syscall: unix.SYS_GETEGID},
	{Syscall: unix.SYS_GETEUID},
	{Syscall: unix.SYS_GETGID},
	{Syscall: unix.SYS_GETGROUPS},
	{Syscall: unix.SYS_GETITIMER},
	{Syscall: unix.SYS_GETPEERNAME},
	{Syscall: unix.SYS_GETPGID},
	{Syscall: unix.SYS_GETPGRP},
	{Syscall: unix.SYS_GETPID},
	{Syscall: unix.SYS_GETPPID},
	{Syscall: unix.SYS_GETPRIORITY},
	{Syscall: unix.SYS_GETRANDOM},
	{Syscall: unix.SYS_GETRESGID},
	{Syscall: unix.SYS_GETRESUID},
	{Syscall: unix.SYS_GETRLIMIT},
	{Syscall: unix.SYS_GET_ROBUST_LIST},
	{Syscall: unix.SYS_GETRUSAGE},
	{Syscall: unix.SYS_GETSID},
	{Syscall: unix.SYS_GETSOCKNAME},
	{Syscall: unix.SYS_GETSOCKOPT},
	{Syscall: unix.SYS_GET_THREAD_AREA},
	{Syscall: unix.SYS_GETTID},
	{Syscall: unix.SYS_GETTIMEOFDAY},
	{Syscall: unix.SYS_GETUID},
	{Syscall: unix.SYS_GETXATTR},
	{Syscall: unix.SYS_INOTIFY_ADD_WATCH},
	{Syscall: unix.SYS_INOTIFY_INIT},
	{Syscall: unix.SYS_INOTIFY_INIT1},
	{Syscall: unix.SYS_INOTIFY_RM_WATCH},
	{Syscall: unix.SYS_IO_CANCEL},
	{Syscall: unix.SYS_IOCTL},
	{Syscall: unix.SYS_IO_DESTROY},
	{Syscall: unix.SYS_IO_GETEVENTS},
	{Syscall: unix.SYS_IOPRIO_GET},
	{Syscall: unix.SYS_IOPRIO_SET},
	{Syscall: unix.SYS_IO_SETUP},
	{Syscall: unix.SYS_IO_SUBMIT},
	{Syscall: unix.SYS_KILL},
	{Syscall: unix.SYS_LCHOWN},
	{Syscall: unix.SYS_LGETXATTR},
	{Syscall: unix.SYS_LINK},
	{Syscall: unix.SYS_LINKAT},
	{Syscall: unix.SYS_LISTEN},
	{Syscall: unix.SYS_LISTXATTR},
	{Syscall: unix.SYS_LLISTXATTR},
	{Syscall: unix.SYS_LREMOVEXATTR},
	{Syscall: unix.SYS_LSEEK},
	{Syscall: unix.SYS_LSETXATTR},
	{Syscall: unix.SYS_LSTAT},
	{Syscall: unix.SYS_MADVISE},
	{Syscall: unix.SYS_MEMFD_CREATE},
	{Syscall: unix.SYS_MINCORE},
	{Syscall: unix.SYS_MKDIR},
	{Syscall: unix.SYS_MKDIRAT},
	{Syscall: unix.SYS_MKNOD},
	{Syscall: unix.SYS_MKNODAT},
	{Syscall: unix.SYS_MLOCK},
	{Syscall: unix.SYS_MLOCK2},
	{Syscall: unix.SYS_MLOCKALL},
	{Syscall: unix.SYS_MMAP},
	{Syscall: unix.SYS_MODIFY_LDT},
	{Syscall: unix.SYS_MPROTECT},
	{Syscall: unix.SYS_MQ_GETSETATTR},
	{Syscall: unix.SYS_MQ_NOTIFY},
	{Syscall: unix.SYS_MQ_OPEN},
	{Syscall: unix.SYS_MQ_TIMEDRECEIVE},
	{Syscall: unix.SYS_MQ_TIMEDSEND},
	{Syscall: unix.SYS_MQ_UNLINK},
	{Syscall: unix.SYS_MREMAP},
	{Syscall: unix.SYS_MSGCTL},
	{Syscall: unix.SYS_MSGGET},
	{Syscall: unix.SYS_MSGRCV},
	{Syscall: unix.SYS_MSGSND},
	{Syscall: unix.SYS_MSYNC},
	{Syscall: unix.SYS_MUNLOCK},
	{Syscall: unix.SYS_MUNLOCKALL},
	{Syscall: unix.SYS_MUNMAP},
	{Syscall: unix.SYS_NANOSLEEP},
	{Syscall: unix.SYS_NEWFSTATAT},
	{Syscall: unix.SYS_OPEN},
	{Syscall: unix.SYS_OPENAT},
	{Syscall: unix.SYS_PAUSE},
	// personality is restricted to an exact-match set of arg-0 values.
	// NOTE(review): the five values look like PER_LINUX (0), PER_LINUX32 (8),
	// UNAME26 (0x20000), PER_LINUX32|UNAME26 (0x20008) and the 0xffffffff
	// "query current personality" form — confirm against
	// <linux/personality.h> before changing them. Notably the list does not
	// include flags such as ADDR_NO_RANDOMIZE or READ_IMPLIES_EXEC.
	{
		Syscall: unix.SYS_PERSONALITY,
		Any: []SeccompConditions{
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 8}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20000}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20008}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0xffffffff}}},
		},
	},
	{Syscall: unix.SYS_PIPE},
	{Syscall: unix.SYS_PIPE2},
	{Syscall: unix.SYS_POLL},
	{Syscall: unix.SYS_PPOLL},
	// prctl is allowed with no argument restriction; see the NOTE(review)
	// on the declaration above.
	{Syscall: unix.SYS_PRCTL},
	{Syscall: unix.SYS_PREAD64},
	{Syscall: unix.SYS_PREADV},
	{Syscall: unix.SYS_PREADV2},
	{Syscall: unix.SYS_PRLIMIT64},
	{Syscall: unix.SYS_PSELECT6},
	{Syscall: unix.SYS_PWRITE64},
	{Syscall: unix.SYS_PWRITEV},
	{Syscall: unix.SYS_PWRITEV2},
	{Syscall: unix.SYS_READ},
	{Syscall: unix.SYS_READAHEAD},
	{Syscall: unix.SYS_READLINK},
	{Syscall: unix.SYS_READLINKAT},
	{Syscall: unix.SYS_READV},
	{Syscall: unix.SYS_RECVFROM},
	{Syscall: unix.SYS_RECVMMSG},
	{Syscall: unix.SYS_RECVMSG},
	{Syscall: unix.SYS_REMAP_FILE_PAGES},
	{Syscall: unix.SYS_REMOVEXATTR},
	{Syscall: unix.SYS_RENAME},
	{Syscall: unix.SYS_RENAMEAT},
	{Syscall: unix.SYS_RENAMEAT2},
	{Syscall: unix.SYS_RESTART_SYSCALL},
	{Syscall: unix.SYS_RMDIR},
	{Syscall: unix.SYS_RT_SIGACTION},
	{Syscall: unix.SYS_RT_SIGPENDING},
	{Syscall: unix.SYS_RT_SIGPROCMASK},
	{Syscall: unix.SYS_RT_SIGQUEUEINFO},
	{Syscall: unix.SYS_RT_SIGRETURN},
	{Syscall: unix.SYS_RT_SIGSUSPEND},
	{Syscall: unix.SYS_RT_SIGTIMEDWAIT},
	{Syscall: unix.SYS_RT_TGSIGQUEUEINFO},
	{Syscall: unix.SYS_SCHED_GETAFFINITY},
	{Syscall: unix.SYS_SCHED_GETATTR},
	{Syscall: unix.SYS_SCHED_GETPARAM},
	{Syscall: unix.SYS_SCHED_GET_PRIORITY_MAX},
	{Syscall: unix.SYS_SCHED_GET_PRIORITY_MIN},
	{Syscall: unix.SYS_SCHED_GETSCHEDULER},
	{Syscall: unix.SYS_SCHED_RR_GET_INTERVAL},
	{Syscall: unix.SYS_SCHED_SETAFFINITY},
	{Syscall: unix.SYS_SCHED_SETATTR},
	{Syscall: unix.SYS_SCHED_SETPARAM},
	{Syscall: unix.SYS_SCHED_SETSCHEDULER},
	{Syscall: unix.SYS_SCHED_YIELD},
	// seccomp itself stays allowed so the sandboxed process can stack
	// further filters of its own; installed filters only ever narrow what
	// is permitted, they cannot loosen this list.
	{Syscall: unix.SYS_SECCOMP},
	{Syscall: unix.SYS_SELECT},
	{Syscall: unix.SYS_SEMCTL},
	{Syscall: unix.SYS_SEMGET},
	{Syscall: unix.SYS_SEMOP},
	{Syscall: unix.SYS_SEMTIMEDOP},
	{Syscall: unix.SYS_SENDFILE},
	{Syscall: unix.SYS_SENDMMSG},
	{Syscall: unix.SYS_SENDMSG},
	{Syscall: unix.SYS_SENDTO},
	{Syscall: unix.SYS_SETFSGID},
	{Syscall: unix.SYS_SETFSUID},
	{Syscall: unix.SYS_SETGID},
	{Syscall: unix.SYS_SETGROUPS},
	{Syscall: unix.SYS_SETITIMER},
	{Syscall: unix.SYS_SETPGID},
	{Syscall: unix.SYS_SETPRIORITY},
	{Syscall: unix.SYS_SETREGID},
	{Syscall: unix.SYS_SETRESGID},
	{Syscall: unix.SYS_SETRESUID},
	{Syscall: unix.SYS_SETREUID},
	{Syscall: unix.SYS_SETRLIMIT},
	{Syscall: unix.SYS_SET_ROBUST_LIST},
	{Syscall: unix.SYS_SETSID},
	{Syscall: unix.SYS_SETSOCKOPT},
	{Syscall: unix.SYS_SET_THREAD_AREA},
	{Syscall: unix.SYS_SET_TID_ADDRESS},
	{Syscall: unix.SYS_SETUID},
	{Syscall: unix.SYS_SETXATTR},
	{Syscall: unix.SYS_SHMAT},
	{Syscall: unix.SYS_SHMCTL},
	{Syscall: unix.SYS_SHMDT},
	{Syscall: unix.SYS_SHMGET},
	{Syscall: unix.SYS_SHUTDOWN},
	{Syscall: unix.SYS_SIGALTSTACK},
	{Syscall: unix.SYS_SIGNALFD},
	{Syscall: unix.SYS_SIGNALFD4},
	{Syscall: unix.SYS_SOCKET},
	{Syscall: unix.SYS_SOCKETPAIR},
	{Syscall: unix.SYS_SPLICE},
	{Syscall: unix.SYS_STAT},
	{Syscall: unix.SYS_STATFS},
	{Syscall: unix.SYS_SYMLINK},
	{Syscall: unix.SYS_SYMLINKAT},
	{Syscall: unix.SYS_SYNC},
	{Syscall: unix.SYS_SYNC_FILE_RANGE},
	{Syscall: unix.SYS_SYNCFS},
	{Syscall: unix.SYS_SYSINFO},
	{Syscall: unix.SYS_SYSLOG},
	{Syscall: unix.SYS_TEE},
	{Syscall: unix.SYS_TGKILL},
	{Syscall: unix.SYS_TIME},
	{Syscall: unix.SYS_TIMER_CREATE},
	{Syscall: unix.SYS_TIMER_DELETE},
	{Syscall: unix.SYS_TIMERFD_CREATE},
	{Syscall: unix.SYS_TIMERFD_GETTIME},
	{Syscall: unix.SYS_TIMERFD_SETTIME},
	{Syscall: unix.SYS_TIMER_GETOVERRUN},
	{Syscall: unix.SYS_TIMER_GETTIME},
	{Syscall: unix.SYS_TIMER_SETTIME},
	{Syscall: unix.SYS_TIMES},
	{Syscall: unix.SYS_TKILL},
	{Syscall: unix.SYS_TRUNCATE},
	{Syscall: unix.SYS_UMASK},
	{Syscall: unix.SYS_UNAME},
	{Syscall: unix.SYS_UNLINK},
	{Syscall: unix.SYS_UNLINKAT},
	{Syscall: unix.SYS_UTIME},
	{Syscall: unix.SYS_UTIMENSAT},
	{Syscall: unix.SYS_UTIMES},
	{Syscall: unix.SYS_VFORK},
	{Syscall: unix.SYS_VMSPLICE},
	{Syscall: unix.SYS_WAIT4},
	{Syscall: unix.SYS_WAITID},
	{Syscall: unix.SYS_WRITE},
	{Syscall: unix.SYS_WRITEV},
}