
     1  #!/usr/bin/perl
     2  #
     3  # A simple helper script to help people build seccomp profiles for
     4  # Docker/LXC.  The goal is mostly to reduce the attack surface to the
     5  # kernel, by restricting access to rarely used, recently added or not used
     6  # syscalls.
     7  #
     8  # This script processes one or more files which contain the list of system
     9  # calls to be allowed.  See mkseccomp.sample for more information on how you
    10  # can configure the list of syscalls.  When run, this script produces output
    11  # which, when stored in a file, can be passed to docker as follows:
    12  #
    13  # docker run --lxc-conf="lxc.seccomp=$file" <rest of arguments>
    14  #
    15  # The included sample file shows how to cut about a quarter of all syscalls
    16  # without affecting most applications.
    17  #
    18  # For specific situations it is possible to reduce the list further. By
    19  # reducing the list to just those syscalls required by a certain application
    20  # you can make it difficult for unknown/unexpected code to run.
    21  #
    22  # Run this script as follows:
    23  #
    24  # ./mkseccomp.pl < mkseccomp.sample >syscalls.list
    25  # or
    26  # ./mkseccomp.pl mkseccomp.sample >syscalls.list
    27  #
    28  # Multiple files can be specified, in which case the lists of syscalls are
    29  # combined.
    30  #
    31  # By Martijn van Oosterhout <kleptog@svana.org> Nov 2013
    32  
    33  # How it works:
    34  #
    35  # This program basically spawns two processes to form a chain like:
    36  #
    37  # <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls>
    38  
    39  use strict;
    40  use warnings;
    41  
    42  if( -t ) {
    43      print STDERR "Helper script to make seccomp filters for Docker/LXC.\n";
    44      print STDERR "Usage: mkseccomp.pl < [files...]\n";
    45      exit 1;
    46  }
    47  
    48  my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n";
    49  
    50  if($pid == 0) {  # Child
    51      $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n";
    52  
    53      if($pid == 0) { # Child, which execs cpp
    54          exec "cpp" or die "Couldn't exec cpp ($!)\n";
    55          exit 1;
    56      }
    57  
    58      # Process the DATA section and output to cpp
    59      print $out "#include <sys/syscall.h>\n";
    60      while(<>) {
    61          if(/^\w/) {
    62              print $out "__NR_$_";
    63          }
    64      }
    65      close $out;
    66      exit 0;
    67  
    68  }
    69  
    70  # Print header and then process output from cpp.
    71  print "1\n";
    72  print "whitelist\n";
    73  
    74  while(<$in>) {
    75      print if( /^[0-9]/ );
    76  }
    77