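#!/usr/bin/perl
#
# A simple helper script to help people build seccomp profiles for
# Docker/LXC. The goal is mostly to reduce the attack surface to the
# kernel, by restricting access to rarely used, recently added or not used
# syscalls.
#
# This script processes one or more files which contain the list of system
# calls to be allowed. See mkseccomp.sample for more information how you
# can configure the list of syscalls. When run, this script produces output
# which, when stored in a file, can be passed to docker as follows:
#
#   docker run --lxc-conf="lxc.seccomp=$file" <rest of arguments>
#
# The included sample file shows how to cut about a quarter of all syscalls,
# without affecting most applications.
#
# For specific situations it is possible to reduce the list further. By
# reducing the list to just those syscalls required by a certain application
# you can make it difficult for unknown/unexpected code to run.
#
# Run this script as follows:
#
#   ./mkseccomp.pl < mkseccomp.sample >syscalls.list
# or
#   ./mkseccomp.pl mkseccomp.sample >syscalls.list
#
# Multiple files can be specified, in which case the lists of syscalls are
# combined.
#
# By Martijn van Oosterhout <kleptog@svana.org> Nov 2013

# How it works:
#
# This program basically spawns two processes to form a chain like:
#
#   <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls>
#
# Every syscall name on the input is turned into its __NR_ macro and run
# through cpp against <sys/syscall.h>, so the numbers in the profile are
# those of the host this script runs on. A name cpp cannot expand stays as
# "__NR_name"; it is reported on STDERR and left out of the whitelist, so a
# typo narrows the profile rather than silently widening it.

use strict;
use warnings;

# Only complain about missing input when there is nothing to read: with
# file arguments <> never touches STDIN, so a terminal on STDIN is fine then.
if( !@ARGV && -t STDIN ) {
    print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";
    print STDERR "Usage: mkseccomp.pl [files...]   (reads STDIN when no files are given)\n";
    exit 1;
}

# Fork a child whose STDOUT is connected to $in. The child feeds cpp, and
# cpp's output comes back to this process through $in.
my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";

if($pid == 0) { # Child
    # Fork a grandchild whose STDIN is connected to $out; it becomes cpp.
    $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";

    if($pid == 0) { # Child, which execs cpp
        # List form: no shell is involved. exec only returns on failure.
        exec 'cpp' or die "Couldn't exec cpp ($!)\n";
    }

    # Process the input files (or STDIN) and output to cpp.
    print $out "#include <sys/syscall.h>\n";
    while(<>) {
        # Only lines starting with a word character are syscall names;
        # comments and blank lines are skipped here.
        if(/^\w/) {
            print $out "__NR_$_";
        }
    }
    # close() on a pipe waits for cpp. A false return with $! unset means
    # cpp exited non-zero; its wait status is in $?.
    close $out
        or die "cpp failed (" . ($! ? "$!" : "exit status " . ($? >> 8)) . ")\n";
    exit 0;
}

# Print the LXC seccomp profile header (version 1, whitelist mode) and then
# the syscall numbers produced by cpp.
print "1\n";
print "whitelist\n";

while(<$in>) {
    if( /^[0-9]/ ) {
        print;
    }
    elsif( /^__NR_(\w+)/ ) {
        # cpp left the macro unexpanded: this host's <sys/syscall.h> does
        # not know the name, so the entry is dropped from the whitelist.
        print STDERR "mkseccomp.pl: unknown syscall '$1' dropped\n";
    }
    # Anything else (cpp line markers, blank lines) is discarded.
}

# Propagate failure of the child/cpp chain instead of exiting 0 with a
# truncated, and therefore over-restrictive, profile.
close $in or die "syscall preprocessing failed\n";
close STDOUT or die "Couldn't write output ($!)\n";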