github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/runsc/fsgofer/filter/config.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package filter 16 17 import ( 18 "os" 19 20 "github.com/MerlinKodo/gvisor/pkg/abi/linux" 21 "github.com/MerlinKodo/gvisor/pkg/seccomp" 22 "golang.org/x/sys/unix" 23 ) 24 25 // allowedSyscalls is the set of syscalls executed by the gofer. 26 var allowedSyscalls = seccomp.SyscallRules{ 27 unix.SYS_ACCEPT: {}, 28 unix.SYS_CLOCK_GETTIME: {}, 29 unix.SYS_CLOSE: {}, 30 unix.SYS_DUP: {}, 31 unix.SYS_EPOLL_CTL: {}, 32 unix.SYS_EPOLL_PWAIT: []seccomp.Rule{ 33 { 34 seccomp.MatchAny{}, 35 seccomp.MatchAny{}, 36 seccomp.MatchAny{}, 37 seccomp.MatchAny{}, 38 seccomp.EqualTo(0), 39 }, 40 }, 41 unix.SYS_EVENTFD2: []seccomp.Rule{ 42 { 43 seccomp.EqualTo(0), 44 seccomp.EqualTo(0), 45 }, 46 }, 47 unix.SYS_EXIT: {}, 48 unix.SYS_EXIT_GROUP: {}, 49 unix.SYS_FALLOCATE: []seccomp.Rule{ 50 { 51 seccomp.MatchAny{}, 52 seccomp.EqualTo(0), 53 }, 54 }, 55 unix.SYS_FCHMOD: {}, 56 unix.SYS_FCHMODAT: {}, 57 unix.SYS_FCHOWNAT: {}, 58 unix.SYS_FCNTL: []seccomp.Rule{ 59 { 60 seccomp.MatchAny{}, 61 seccomp.EqualTo(unix.F_GETFL), 62 }, 63 { 64 seccomp.MatchAny{}, 65 seccomp.EqualTo(unix.F_SETFL), 66 }, 67 { 68 seccomp.MatchAny{}, 69 seccomp.EqualTo(unix.F_GETFD), 70 }, 71 // Used by flipcall.PacketWindowAllocator.Init(). 72 { 73 seccomp.MatchAny{}, 74 seccomp.EqualTo(unix.F_ADD_SEALS), 75 }, 76 }, 77 unix.SYS_FSTAT: {}, 78 unix.SYS_FSTATFS: {}, 79 unix.SYS_FSYNC: {}, 80 unix.SYS_FTRUNCATE: {}, 81 unix.SYS_FUTEX: { 82 seccomp.Rule{ 83 seccomp.MatchAny{}, 84 seccomp.EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG), 85 seccomp.MatchAny{}, 86 seccomp.MatchAny{}, 87 seccomp.EqualTo(0), 88 }, 89 seccomp.Rule{ 90 seccomp.MatchAny{}, 91 seccomp.EqualTo(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG), 92 seccomp.MatchAny{}, 93 seccomp.MatchAny{}, 94 seccomp.EqualTo(0), 95 }, 96 // Non-private futex used for flipcall. 97 seccomp.Rule{ 98 seccomp.MatchAny{}, 99 seccomp.EqualTo(linux.FUTEX_WAIT), 100 seccomp.MatchAny{}, 101 seccomp.MatchAny{}, 102 }, 103 seccomp.Rule{ 104 seccomp.MatchAny{}, 105 seccomp.EqualTo(linux.FUTEX_WAKE), 106 seccomp.MatchAny{}, 107 seccomp.MatchAny{}, 108 }, 109 }, 110 // getcpu is used by some versions of the Go runtime and by the hostcpu 111 // package on arm64. 112 unix.SYS_GETCPU: []seccomp.Rule{ 113 { 114 seccomp.MatchAny{}, 115 seccomp.EqualTo(0), 116 seccomp.EqualTo(0), 117 }, 118 }, 119 unix.SYS_GETDENTS64: {}, 120 unix.SYS_GETPID: {}, 121 unix.SYS_GETRANDOM: {}, 122 unix.SYS_GETTID: {}, 123 unix.SYS_GETTIMEOFDAY: {}, 124 unix.SYS_LINKAT: {}, 125 unix.SYS_LSEEK: {}, 126 unix.SYS_MADVISE: {}, 127 unix.SYS_MEMFD_CREATE: {}, /// Used by flipcall.PacketWindowAllocator.Init(). 128 unix.SYS_MKDIRAT: {}, 129 unix.SYS_MKNODAT: {}, 130 unix.SYS_MMAP: []seccomp.Rule{ 131 { 132 seccomp.MatchAny{}, 133 seccomp.MatchAny{}, 134 seccomp.MatchAny{}, 135 seccomp.EqualTo(unix.MAP_SHARED), 136 }, 137 { 138 seccomp.MatchAny{}, 139 seccomp.MatchAny{}, 140 seccomp.MatchAny{}, 141 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS), 142 }, 143 { 144 seccomp.MatchAny{}, 145 seccomp.MatchAny{}, 146 seccomp.MatchAny{}, 147 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_FIXED), 148 }, 149 }, 150 unix.SYS_MPROTECT: {}, 151 unix.SYS_MUNMAP: {}, 152 unix.SYS_NANOSLEEP: {}, 153 unix.SYS_OPENAT: {}, 154 unix.SYS_PPOLL: {}, 155 unix.SYS_PREAD64: {}, 156 unix.SYS_PWRITE64: {}, 157 unix.SYS_READ: {}, 158 unix.SYS_READLINKAT: {}, 159 unix.SYS_RECVMSG: []seccomp.Rule{ 160 { 161 seccomp.MatchAny{}, 162 seccomp.MatchAny{}, 163 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC), 164 }, 165 { 166 seccomp.MatchAny{}, 167 seccomp.MatchAny{}, 168 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC | unix.MSG_PEEK), 169 }, 170 }, 171 unix.SYS_RENAMEAT: {}, 172 unix.SYS_RESTART_SYSCALL: {}, 173 // May be used by the runtime during panic(). 174 unix.SYS_RT_SIGACTION: {}, 175 unix.SYS_RT_SIGPROCMASK: {}, 176 unix.SYS_RT_SIGRETURN: {}, 177 unix.SYS_SCHED_YIELD: {}, 178 unix.SYS_SENDMSG: []seccomp.Rule{ 179 // Used by fdchannel.Endpoint.SendFD(). 180 { 181 seccomp.MatchAny{}, 182 seccomp.MatchAny{}, 183 seccomp.EqualTo(0), 184 }, 185 // Used by unet.SocketWriter.WriteVec(). 186 { 187 seccomp.MatchAny{}, 188 seccomp.MatchAny{}, 189 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_NOSIGNAL), 190 }, 191 }, 192 unix.SYS_SHUTDOWN: []seccomp.Rule{ 193 {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RDWR)}, 194 }, 195 unix.SYS_SIGALTSTACK: {}, 196 // Used by fdchannel.NewConnectedSockets(). 197 unix.SYS_SOCKETPAIR: { 198 { 199 seccomp.EqualTo(unix.AF_UNIX), 200 seccomp.EqualTo(unix.SOCK_SEQPACKET | unix.SOCK_CLOEXEC), 201 seccomp.EqualTo(0), 202 }, 203 }, 204 unix.SYS_SYMLINKAT: {}, 205 unix.SYS_TGKILL: []seccomp.Rule{ 206 { 207 seccomp.EqualTo(uint64(os.Getpid())), 208 }, 209 }, 210 unix.SYS_UNLINKAT: {}, 211 unix.SYS_UTIMENSAT: {}, 212 unix.SYS_WRITE: {}, 213 } 214 215 var udsCommonSyscalls = seccomp.SyscallRules{ 216 unix.SYS_SOCKET: []seccomp.Rule{ 217 { 218 seccomp.EqualTo(unix.AF_UNIX), 219 seccomp.EqualTo(unix.SOCK_STREAM), 220 seccomp.EqualTo(0), 221 }, 222 { 223 seccomp.EqualTo(unix.AF_UNIX), 224 seccomp.EqualTo(unix.SOCK_DGRAM), 225 seccomp.EqualTo(0), 226 }, 227 { 228 seccomp.EqualTo(unix.AF_UNIX), 229 seccomp.EqualTo(unix.SOCK_SEQPACKET), 230 seccomp.EqualTo(0), 231 }, 232 }, 233 } 234 235 var udsOpenSyscalls = seccomp.SyscallRules{ 236 unix.SYS_CONNECT: {}, 237 } 238 239 var udsCreateSyscalls = seccomp.SyscallRules{ 240 unix.SYS_ACCEPT4: {}, 241 unix.SYS_BIND: {}, 242 unix.SYS_LISTEN: {}, 243 } 244 245 var xattrSyscalls = seccomp.SyscallRules{ 246 unix.SYS_FGETXATTR: {}, 247 unix.SYS_FSETXATTR: {}, 248 }