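// Copyright 2018 The gVisor Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Test binary used to test that seccomp filters are properly constructed and
// indeed kill the process on violation.
package main

import (
	"flag"
	"fmt"
	"os"

	"github.com/SagerNet/gvisor/pkg/seccomp"
	"golang.org/x/sys/unix"
)

// main installs a seccomp filter built from an explicit syscall allowlist and
// then issues a single openat(2) through unix.RawSyscall.
//
// With -die=false, openat is added to the allowlist (restricted to a dirfd of
// exactly 10, which is what the RawSyscall below passes), so the process is
// expected to survive and print the final "Syscall was allowed!!!" line.
// With -die=true, openat is left out of the filter, so the call is expected to
// trip the filter and the final line must never be printed. The harness that
// runs this binary presumably checks for exactly that line — keep the strings
// below stable.
func main() {
	dieFlag := flag.Bool("die", false, "trips over the filter if true")
	flag.Parse()

	// Syscalls the Go runtime and the prints below need in order to reach the
	// openat call. An empty rule list is presumably "allow with any
	// arguments" — confirm against pkg/seccomp.
	syscalls := seccomp.SyscallRules{
		unix.SYS_ACCEPT:          {},
		unix.SYS_BIND:            {},
		unix.SYS_BRK:             {},
		unix.SYS_CLOCK_GETTIME:   {},
		unix.SYS_CLONE:           {},
		unix.SYS_CLOSE:           {},
		unix.SYS_DUP:             {},
		unix.SYS_DUP3:            {},
		unix.SYS_EPOLL_CREATE1:   {},
		unix.SYS_EPOLL_CTL:       {},
		unix.SYS_EPOLL_PWAIT:     {},
		unix.SYS_EXIT:            {},
		unix.SYS_EXIT_GROUP:      {},
		unix.SYS_FALLOCATE:       {},
		unix.SYS_FCHMOD:          {},
		unix.SYS_FCNTL:           {},
		unix.SYS_FSTAT:           {},
		unix.SYS_FSYNC:           {},
		unix.SYS_FTRUNCATE:       {},
		unix.SYS_FUTEX:           {},
		unix.SYS_GETDENTS64:      {},
		unix.SYS_GETPEERNAME:     {},
		unix.SYS_GETPID:          {},
		unix.SYS_GETSOCKNAME:     {},
		unix.SYS_GETSOCKOPT:      {},
		unix.SYS_GETTID:          {},
		unix.SYS_GETTIMEOFDAY:    {},
		unix.SYS_LISTEN:          {},
		unix.SYS_LSEEK:           {},
		unix.SYS_MADVISE:         {},
		unix.SYS_MINCORE:         {},
		unix.SYS_MMAP:            {},
		unix.SYS_MPROTECT:        {},
		unix.SYS_MUNLOCK:         {},
		unix.SYS_MUNMAP:          {},
		unix.SYS_NANOSLEEP:       {},
		unix.SYS_PPOLL:           {},
		unix.SYS_PREAD64:         {},
		unix.SYS_PSELECT6:        {},
		unix.SYS_PWRITE64:        {},
		unix.SYS_READ:            {},
		unix.SYS_READLINKAT:      {},
		unix.SYS_READV:           {},
		unix.SYS_RECVMSG:         {},
		unix.SYS_RENAMEAT:        {},
		unix.SYS_RESTART_SYSCALL: {},
		unix.SYS_RT_SIGACTION:    {},
		unix.SYS_RT_SIGPROCMASK:  {},
		unix.SYS_RT_SIGRETURN:    {},
		unix.SYS_SCHED_YIELD:     {},
		unix.SYS_SENDMSG:         {},
		unix.SYS_SETITIMER:       {},
		unix.SYS_SET_ROBUST_LIST: {},
		unix.SYS_SETSOCKOPT:      {},
		unix.SYS_SHUTDOWN:        {},
		unix.SYS_SIGALTSTACK:     {},
		unix.SYS_SOCKET:          {},
		unix.SYS_SYNC_FILE_RANGE: {},
		unix.SYS_TGKILL:          {},
		unix.SYS_UTIMENSAT:       {},
		unix.SYS_WRITE:           {},
		unix.SYS_WRITEV:          {},
	}

	// Architecture-specific entries are added by a sibling file.
	arch_syscalls(syscalls)

	// Only the non-dying configuration permits openat, and only when its first
	// argument (dirfd) equals 10, matching the RawSyscall below. Leaving it out
	// entirely is what makes the -die run trip the filter.
	if !*dieFlag {
		syscalls[unix.SYS_OPENAT] = []seccomp.Rule{
			{
				seccomp.EqualTo(10),
			},
		}
	}

	if err := seccomp.Install(syscalls); err != nil {
		// Terminate the line so the message does not run into whatever the
		// harness prints next.
		fmt.Printf("Failed to install seccomp: %v\n", err)
		os.Exit(1)
	}
	fmt.Println("Filters installed")

	// The return values are deliberately discarded: the test only cares
	// whether the process survives this call, not whether openat itself
	// succeeds (with a zero path pointer it is unlikely to).
	unix.RawSyscall(unix.SYS_OPENAT, 10, 0, 0)
	fmt.Println("Syscall was allowed!!!")
}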