github.com/SagerNet/gvisor@v0.0.0-20210707092255-7731c139d75c/runsc/boot/filter/config.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package filter 16 17 import ( 18 "os" 19 20 "golang.org/x/sys/unix" 21 "github.com/SagerNet/gvisor/pkg/abi/linux" 22 "github.com/SagerNet/gvisor/pkg/seccomp" 23 "github.com/SagerNet/gvisor/pkg/tcpip/link/fdbased" 24 ) 25 26 // allowedSyscalls is the set of syscalls executed by the Sentry to the host OS. 27 var allowedSyscalls = seccomp.SyscallRules{ 28 unix.SYS_CLOCK_GETTIME: {}, 29 unix.SYS_CLOSE: {}, 30 unix.SYS_DUP: {}, 31 unix.SYS_DUP3: []seccomp.Rule{ 32 { 33 seccomp.MatchAny{}, 34 seccomp.MatchAny{}, 35 seccomp.EqualTo(unix.O_CLOEXEC), 36 }, 37 }, 38 unix.SYS_EPOLL_CREATE1: {}, 39 unix.SYS_EPOLL_CTL: {}, 40 unix.SYS_EPOLL_PWAIT: []seccomp.Rule{ 41 { 42 seccomp.MatchAny{}, 43 seccomp.MatchAny{}, 44 seccomp.MatchAny{}, 45 seccomp.MatchAny{}, 46 seccomp.EqualTo(0), 47 }, 48 }, 49 unix.SYS_EVENTFD2: []seccomp.Rule{ 50 { 51 seccomp.EqualTo(0), 52 seccomp.EqualTo(0), 53 }, 54 }, 55 unix.SYS_EXIT: {}, 56 unix.SYS_EXIT_GROUP: {}, 57 unix.SYS_FALLOCATE: {}, 58 unix.SYS_FCHMOD: {}, 59 unix.SYS_FCNTL: []seccomp.Rule{ 60 { 61 seccomp.MatchAny{}, 62 seccomp.EqualTo(unix.F_GETFL), 63 }, 64 { 65 seccomp.MatchAny{}, 66 seccomp.EqualTo(unix.F_SETFL), 67 }, 68 { 69 seccomp.MatchAny{}, 70 seccomp.EqualTo(unix.F_GETFD), 71 }, 72 }, 73 unix.SYS_FSTAT: {}, 74 unix.SYS_FSYNC: {}, 75 unix.SYS_FTRUNCATE: {}, 76 unix.SYS_FUTEX: []seccomp.Rule{ 77 { 78 seccomp.MatchAny{}, 79 seccomp.EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG), 80 seccomp.MatchAny{}, 81 seccomp.MatchAny{}, 82 }, 83 { 84 seccomp.MatchAny{}, 85 seccomp.EqualTo(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG), 86 seccomp.MatchAny{}, 87 }, 88 // Non-private variants are included for flipcall support. They are otherwise 89 // unncessary, as the sentry will use only private futexes internally. 90 { 91 seccomp.MatchAny{}, 92 seccomp.EqualTo(linux.FUTEX_WAIT), 93 seccomp.MatchAny{}, 94 seccomp.MatchAny{}, 95 }, 96 { 97 seccomp.MatchAny{}, 98 seccomp.EqualTo(linux.FUTEX_WAKE), 99 seccomp.MatchAny{}, 100 }, 101 }, 102 // getcpu is used by some versions of the Go runtime and by the hostcpu 103 // package on arm64. 104 unix.SYS_GETCPU: []seccomp.Rule{ 105 { 106 seccomp.MatchAny{}, 107 seccomp.EqualTo(0), 108 seccomp.EqualTo(0), 109 }, 110 }, 111 unix.SYS_GETPID: {}, 112 unix.SYS_GETRANDOM: {}, 113 unix.SYS_GETSOCKOPT: []seccomp.Rule{ 114 { 115 seccomp.MatchAny{}, 116 seccomp.EqualTo(unix.SOL_SOCKET), 117 seccomp.EqualTo(unix.SO_DOMAIN), 118 }, 119 { 120 seccomp.MatchAny{}, 121 seccomp.EqualTo(unix.SOL_SOCKET), 122 seccomp.EqualTo(unix.SO_TYPE), 123 }, 124 { 125 seccomp.MatchAny{}, 126 seccomp.EqualTo(unix.SOL_SOCKET), 127 seccomp.EqualTo(unix.SO_ERROR), 128 }, 129 { 130 seccomp.MatchAny{}, 131 seccomp.EqualTo(unix.SOL_SOCKET), 132 seccomp.EqualTo(unix.SO_SNDBUF), 133 }, 134 }, 135 unix.SYS_GETTID: {}, 136 unix.SYS_GETTIMEOFDAY: {}, 137 // SYS_IOCTL is needed for terminal support, but we only allow 138 // setting/getting termios and winsize. 139 unix.SYS_IOCTL: []seccomp.Rule{ 140 { 141 seccomp.MatchAny{}, /* fd */ 142 seccomp.EqualTo(linux.TCGETS), 143 seccomp.MatchAny{}, /* termios struct */ 144 }, 145 { 146 seccomp.MatchAny{}, /* fd */ 147 seccomp.EqualTo(linux.TCSETS), 148 seccomp.MatchAny{}, /* termios struct */ 149 }, 150 { 151 seccomp.MatchAny{}, /* fd */ 152 seccomp.EqualTo(linux.TCSETSF), 153 seccomp.MatchAny{}, /* termios struct */ 154 }, 155 { 156 seccomp.MatchAny{}, /* fd */ 157 seccomp.EqualTo(linux.TCSETSW), 158 seccomp.MatchAny{}, /* termios struct */ 159 }, 160 { 161 seccomp.MatchAny{}, /* fd */ 162 seccomp.EqualTo(linux.TIOCSWINSZ), 163 seccomp.MatchAny{}, /* winsize struct */ 164 }, 165 { 166 seccomp.MatchAny{}, /* fd */ 167 seccomp.EqualTo(linux.TIOCGWINSZ), 168 seccomp.MatchAny{}, /* winsize struct */ 169 }, 170 }, 171 unix.SYS_LSEEK: {}, 172 unix.SYS_MADVISE: {}, 173 unix.SYS_MEMBARRIER: []seccomp.Rule{ 174 { 175 seccomp.EqualTo(linux.MEMBARRIER_CMD_GLOBAL), 176 seccomp.EqualTo(0), 177 }, 178 }, 179 unix.SYS_MINCORE: {}, 180 // Used by the Go runtime as a temporarily workaround for a Linux 181 // 5.2-5.4 bug. 182 // 183 // See src/runtime/os_linux_x86.go. 184 // 185 // TODO(b/148688965): Remove once this is gone from Go. 186 unix.SYS_MLOCK: []seccomp.Rule{ 187 { 188 seccomp.MatchAny{}, 189 seccomp.EqualTo(4096), 190 }, 191 }, 192 unix.SYS_MMAP: []seccomp.Rule{ 193 { 194 seccomp.MatchAny{}, 195 seccomp.MatchAny{}, 196 seccomp.MatchAny{}, 197 seccomp.EqualTo(unix.MAP_SHARED), 198 }, 199 { 200 seccomp.MatchAny{}, 201 seccomp.MatchAny{}, 202 seccomp.MatchAny{}, 203 seccomp.EqualTo(unix.MAP_SHARED | unix.MAP_FIXED), 204 }, 205 { 206 seccomp.MatchAny{}, 207 seccomp.MatchAny{}, 208 seccomp.MatchAny{}, 209 seccomp.EqualTo(unix.MAP_PRIVATE), 210 }, 211 { 212 seccomp.MatchAny{}, 213 seccomp.MatchAny{}, 214 seccomp.MatchAny{}, 215 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS), 216 }, 217 { 218 seccomp.MatchAny{}, 219 seccomp.MatchAny{}, 220 seccomp.MatchAny{}, 221 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_STACK), 222 }, 223 { 224 seccomp.MatchAny{}, 225 seccomp.MatchAny{}, 226 seccomp.MatchAny{}, 227 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_NORESERVE), 228 }, 229 { 230 seccomp.MatchAny{}, 231 seccomp.MatchAny{}, 232 seccomp.EqualTo(unix.PROT_WRITE | unix.PROT_READ), 233 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_FIXED), 234 }, 235 }, 236 unix.SYS_MPROTECT: {}, 237 unix.SYS_MUNMAP: {}, 238 unix.SYS_NANOSLEEP: {}, 239 unix.SYS_PPOLL: {}, 240 unix.SYS_PREAD64: {}, 241 unix.SYS_PREADV: {}, 242 unix.SYS_PREADV2: {}, 243 unix.SYS_PWRITE64: {}, 244 unix.SYS_PWRITEV: {}, 245 unix.SYS_PWRITEV2: {}, 246 unix.SYS_READ: {}, 247 unix.SYS_RECVMSG: []seccomp.Rule{ 248 { 249 seccomp.MatchAny{}, 250 seccomp.MatchAny{}, 251 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC), 252 }, 253 { 254 seccomp.MatchAny{}, 255 seccomp.MatchAny{}, 256 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC | unix.MSG_PEEK), 257 }, 258 }, 259 unix.SYS_RECVMMSG: []seccomp.Rule{ 260 { 261 seccomp.MatchAny{}, 262 seccomp.MatchAny{}, 263 seccomp.EqualTo(fdbased.MaxMsgsPerRecv), 264 seccomp.EqualTo(unix.MSG_DONTWAIT), 265 seccomp.EqualTo(0), 266 }, 267 }, 268 unix.SYS_SENDMMSG: []seccomp.Rule{ 269 { 270 seccomp.MatchAny{}, 271 seccomp.MatchAny{}, 272 seccomp.MatchAny{}, 273 seccomp.EqualTo(unix.MSG_DONTWAIT), 274 }, 275 }, 276 unix.SYS_RESTART_SYSCALL: {}, 277 unix.SYS_RT_SIGACTION: {}, 278 unix.SYS_RT_SIGPROCMASK: {}, 279 unix.SYS_RT_SIGRETURN: {}, 280 unix.SYS_SCHED_YIELD: {}, 281 unix.SYS_SENDMSG: []seccomp.Rule{ 282 { 283 seccomp.MatchAny{}, 284 seccomp.MatchAny{}, 285 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_NOSIGNAL), 286 }, 287 }, 288 unix.SYS_SETITIMER: {}, 289 unix.SYS_SHUTDOWN: []seccomp.Rule{ 290 // Used by fs/host to shutdown host sockets. 291 {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RD)}, 292 {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_WR)}, 293 // Used by unet to shutdown connections. 294 {seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RDWR)}, 295 }, 296 unix.SYS_SIGALTSTACK: {}, 297 unix.SYS_STATX: {}, 298 unix.SYS_SYNC_FILE_RANGE: {}, 299 unix.SYS_TEE: []seccomp.Rule{ 300 { 301 seccomp.MatchAny{}, 302 seccomp.MatchAny{}, 303 seccomp.EqualTo(1), /* len */ 304 seccomp.EqualTo(unix.SPLICE_F_NONBLOCK), /* flags */ 305 }, 306 }, 307 unix.SYS_TGKILL: []seccomp.Rule{ 308 { 309 seccomp.EqualTo(uint64(os.Getpid())), 310 }, 311 }, 312 unix.SYS_UTIMENSAT: []seccomp.Rule{ 313 { 314 seccomp.MatchAny{}, 315 seccomp.EqualTo(0), /* null pathname */ 316 seccomp.MatchAny{}, 317 seccomp.EqualTo(0), /* flags */ 318 }, 319 }, 320 unix.SYS_WRITE: {}, 321 // For rawfile.NonBlockingWriteIovec. 322 unix.SYS_WRITEV: []seccomp.Rule{ 323 { 324 seccomp.MatchAny{}, 325 seccomp.MatchAny{}, 326 seccomp.GreaterThan(0), 327 }, 328 }, 329 } 330 331 // hostInetFilters contains syscalls that are needed by sentry/socket/hostinet. 332 func hostInetFilters() seccomp.SyscallRules { 333 return seccomp.SyscallRules{ 334 unix.SYS_ACCEPT4: []seccomp.Rule{ 335 { 336 seccomp.MatchAny{}, 337 seccomp.MatchAny{}, 338 seccomp.MatchAny{}, 339 seccomp.EqualTo(unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), 340 }, 341 }, 342 unix.SYS_BIND: {}, 343 unix.SYS_CONNECT: {}, 344 unix.SYS_GETPEERNAME: {}, 345 unix.SYS_GETSOCKNAME: {}, 346 unix.SYS_GETSOCKOPT: []seccomp.Rule{ 347 { 348 seccomp.MatchAny{}, 349 seccomp.EqualTo(unix.SOL_IP), 350 seccomp.EqualTo(unix.IP_TOS), 351 }, 352 { 353 seccomp.MatchAny{}, 354 seccomp.EqualTo(unix.SOL_IP), 355 seccomp.EqualTo(unix.IP_RECVTOS), 356 }, 357 { 358 seccomp.MatchAny{}, 359 seccomp.EqualTo(unix.SOL_IP), 360 seccomp.EqualTo(unix.IP_PKTINFO), 361 }, 362 { 363 seccomp.MatchAny{}, 364 seccomp.EqualTo(unix.SOL_IP), 365 seccomp.EqualTo(unix.IP_RECVORIGDSTADDR), 366 }, 367 { 368 seccomp.MatchAny{}, 369 seccomp.EqualTo(unix.SOL_IP), 370 seccomp.EqualTo(unix.IP_RECVERR), 371 }, 372 { 373 seccomp.MatchAny{}, 374 seccomp.EqualTo(unix.SOL_IPV6), 375 seccomp.EqualTo(unix.IPV6_TCLASS), 376 }, 377 { 378 seccomp.MatchAny{}, 379 seccomp.EqualTo(unix.SOL_IPV6), 380 seccomp.EqualTo(unix.IPV6_RECVTCLASS), 381 }, 382 { 383 seccomp.MatchAny{}, 384 seccomp.EqualTo(unix.SOL_IPV6), 385 seccomp.EqualTo(unix.IPV6_RECVERR), 386 }, 387 { 388 seccomp.MatchAny{}, 389 seccomp.EqualTo(unix.SOL_IPV6), 390 seccomp.EqualTo(unix.IPV6_V6ONLY), 391 }, 392 { 393 seccomp.MatchAny{}, 394 seccomp.EqualTo(unix.SOL_IPV6), 395 seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR), 396 }, 397 { 398 seccomp.MatchAny{}, 399 seccomp.EqualTo(unix.SOL_SOCKET), 400 seccomp.EqualTo(unix.SO_ERROR), 401 }, 402 { 403 seccomp.MatchAny{}, 404 seccomp.EqualTo(unix.SOL_SOCKET), 405 seccomp.EqualTo(unix.SO_KEEPALIVE), 406 }, 407 { 408 seccomp.MatchAny{}, 409 seccomp.EqualTo(unix.SOL_SOCKET), 410 seccomp.EqualTo(unix.SO_SNDBUF), 411 }, 412 { 413 seccomp.MatchAny{}, 414 seccomp.EqualTo(unix.SOL_SOCKET), 415 seccomp.EqualTo(unix.SO_RCVBUF), 416 }, 417 { 418 seccomp.MatchAny{}, 419 seccomp.EqualTo(unix.SOL_SOCKET), 420 seccomp.EqualTo(unix.SO_REUSEADDR), 421 }, 422 { 423 seccomp.MatchAny{}, 424 seccomp.EqualTo(unix.SOL_SOCKET), 425 seccomp.EqualTo(unix.SO_TYPE), 426 }, 427 { 428 seccomp.MatchAny{}, 429 seccomp.EqualTo(unix.SOL_SOCKET), 430 seccomp.EqualTo(unix.SO_LINGER), 431 }, 432 { 433 seccomp.MatchAny{}, 434 seccomp.EqualTo(unix.SOL_SOCKET), 435 seccomp.EqualTo(unix.SO_TIMESTAMP), 436 }, 437 { 438 seccomp.MatchAny{}, 439 seccomp.EqualTo(unix.SOL_TCP), 440 seccomp.EqualTo(unix.TCP_NODELAY), 441 }, 442 { 443 seccomp.MatchAny{}, 444 seccomp.EqualTo(unix.SOL_TCP), 445 seccomp.EqualTo(unix.TCP_INFO), 446 }, 447 { 448 seccomp.MatchAny{}, 449 seccomp.EqualTo(unix.SOL_TCP), 450 seccomp.EqualTo(linux.TCP_INQ), 451 }, 452 }, 453 unix.SYS_IOCTL: []seccomp.Rule{ 454 { 455 seccomp.MatchAny{}, 456 seccomp.EqualTo(unix.TIOCOUTQ), 457 }, 458 { 459 seccomp.MatchAny{}, 460 seccomp.EqualTo(unix.TIOCINQ), 461 }, 462 { 463 seccomp.MatchAny{}, 464 seccomp.EqualTo(unix.SIOCGIFFLAGS), 465 }, 466 }, 467 unix.SYS_LISTEN: {}, 468 unix.SYS_READV: {}, 469 unix.SYS_RECVFROM: {}, 470 unix.SYS_RECVMSG: {}, 471 unix.SYS_SENDMSG: {}, 472 unix.SYS_SENDTO: {}, 473 unix.SYS_SETSOCKOPT: []seccomp.Rule{ 474 { 475 seccomp.MatchAny{}, 476 seccomp.EqualTo(unix.SOL_SOCKET), 477 seccomp.EqualTo(unix.SO_SNDBUF), 478 seccomp.MatchAny{}, 479 seccomp.EqualTo(4), 480 }, 481 { 482 seccomp.MatchAny{}, 483 seccomp.EqualTo(unix.SOL_SOCKET), 484 seccomp.EqualTo(unix.SO_RCVBUF), 485 seccomp.MatchAny{}, 486 seccomp.EqualTo(4), 487 }, 488 { 489 seccomp.MatchAny{}, 490 seccomp.EqualTo(unix.SOL_SOCKET), 491 seccomp.EqualTo(unix.SO_REUSEADDR), 492 seccomp.MatchAny{}, 493 seccomp.EqualTo(4), 494 }, 495 { 496 seccomp.MatchAny{}, 497 seccomp.EqualTo(unix.SOL_SOCKET), 498 seccomp.EqualTo(unix.SO_TIMESTAMP), 499 seccomp.MatchAny{}, 500 seccomp.EqualTo(4), 501 }, 502 { 503 seccomp.MatchAny{}, 504 seccomp.EqualTo(unix.SOL_TCP), 505 seccomp.EqualTo(unix.TCP_NODELAY), 506 seccomp.MatchAny{}, 507 seccomp.EqualTo(4), 508 }, 509 { 510 seccomp.MatchAny{}, 511 seccomp.EqualTo(unix.SOL_TCP), 512 seccomp.EqualTo(linux.TCP_INQ), 513 seccomp.MatchAny{}, 514 seccomp.EqualTo(4), 515 }, 516 { 517 seccomp.MatchAny{}, 518 seccomp.EqualTo(unix.SOL_IP), 519 seccomp.EqualTo(unix.IP_TOS), 520 seccomp.MatchAny{}, 521 seccomp.EqualTo(4), 522 }, 523 { 524 seccomp.MatchAny{}, 525 seccomp.EqualTo(unix.SOL_IP), 526 seccomp.EqualTo(unix.IP_RECVTOS), 527 seccomp.MatchAny{}, 528 seccomp.EqualTo(4), 529 }, 530 { 531 seccomp.MatchAny{}, 532 seccomp.EqualTo(unix.SOL_IP), 533 seccomp.EqualTo(unix.IP_PKTINFO), 534 seccomp.MatchAny{}, 535 seccomp.EqualTo(4), 536 }, 537 { 538 seccomp.MatchAny{}, 539 seccomp.EqualTo(unix.SOL_IP), 540 seccomp.EqualTo(unix.IP_RECVORIGDSTADDR), 541 seccomp.MatchAny{}, 542 seccomp.EqualTo(4), 543 }, 544 { 545 seccomp.MatchAny{}, 546 seccomp.EqualTo(unix.SOL_IP), 547 seccomp.EqualTo(unix.IP_RECVERR), 548 seccomp.MatchAny{}, 549 seccomp.EqualTo(4), 550 }, 551 { 552 seccomp.MatchAny{}, 553 seccomp.EqualTo(unix.SOL_IPV6), 554 seccomp.EqualTo(unix.IPV6_TCLASS), 555 seccomp.MatchAny{}, 556 seccomp.EqualTo(4), 557 }, 558 { 559 seccomp.MatchAny{}, 560 seccomp.EqualTo(unix.SOL_IPV6), 561 seccomp.EqualTo(unix.IPV6_RECVTCLASS), 562 seccomp.MatchAny{}, 563 seccomp.EqualTo(4), 564 }, 565 { 566 seccomp.MatchAny{}, 567 seccomp.EqualTo(unix.SOL_IPV6), 568 seccomp.EqualTo(linux.IPV6_RECVORIGDSTADDR), 569 seccomp.MatchAny{}, 570 seccomp.EqualTo(4), 571 }, 572 { 573 seccomp.MatchAny{}, 574 seccomp.EqualTo(unix.SOL_IPV6), 575 seccomp.EqualTo(unix.IPV6_RECVERR), 576 seccomp.MatchAny{}, 577 seccomp.EqualTo(4), 578 }, 579 { 580 seccomp.MatchAny{}, 581 seccomp.EqualTo(unix.SOL_IPV6), 582 seccomp.EqualTo(unix.IPV6_V6ONLY), 583 seccomp.MatchAny{}, 584 seccomp.EqualTo(4), 585 }, 586 }, 587 unix.SYS_SHUTDOWN: []seccomp.Rule{ 588 { 589 seccomp.MatchAny{}, 590 seccomp.EqualTo(unix.SHUT_RD), 591 }, 592 { 593 seccomp.MatchAny{}, 594 seccomp.EqualTo(unix.SHUT_WR), 595 }, 596 { 597 seccomp.MatchAny{}, 598 seccomp.EqualTo(unix.SHUT_RDWR), 599 }, 600 }, 601 unix.SYS_SOCKET: []seccomp.Rule{ 602 { 603 seccomp.EqualTo(unix.AF_INET), 604 seccomp.EqualTo(unix.SOCK_STREAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), 605 seccomp.EqualTo(0), 606 }, 607 { 608 seccomp.EqualTo(unix.AF_INET), 609 seccomp.EqualTo(unix.SOCK_DGRAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), 610 seccomp.EqualTo(0), 611 }, 612 { 613 seccomp.EqualTo(unix.AF_INET6), 614 seccomp.EqualTo(unix.SOCK_STREAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), 615 seccomp.EqualTo(0), 616 }, 617 { 618 seccomp.EqualTo(unix.AF_INET6), 619 seccomp.EqualTo(unix.SOCK_DGRAM | unix.SOCK_NONBLOCK | unix.SOCK_CLOEXEC), 620 seccomp.EqualTo(0), 621 }, 622 }, 623 unix.SYS_WRITEV: {}, 624 } 625 } 626 627 func controlServerFilters(fd int) seccomp.SyscallRules { 628 return seccomp.SyscallRules{ 629 unix.SYS_ACCEPT: []seccomp.Rule{ 630 { 631 seccomp.EqualTo(fd), 632 }, 633 }, 634 unix.SYS_LISTEN: []seccomp.Rule{ 635 { 636 seccomp.EqualTo(fd), 637 seccomp.EqualTo(16 /* unet.backlog */), 638 }, 639 }, 640 unix.SYS_GETSOCKOPT: []seccomp.Rule{ 641 { 642 seccomp.MatchAny{}, 643 seccomp.EqualTo(unix.SOL_SOCKET), 644 seccomp.EqualTo(unix.SO_PEERCRED), 645 }, 646 }, 647 } 648 }