
     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package filter
    16  
    17  import (
    18  	"os"
    19  
    20  	"golang.org/x/sys/unix"
    21  	"github.com/nicocha30/gvisor-ligolo/pkg/abi/linux"
    22  	"github.com/nicocha30/gvisor-ligolo/pkg/seccomp"
    23  )
    24  
// allowedSyscalls is the architecture-independent seccomp allowlist for the
// gofer process. An entry with no rules permits the syscall with any
// arguments; an entry with rules permits it only when every argument of one
// rule matches (seccomp.MatchAny accepts anything, seccomp.EqualTo pins the
// argument to one value). Host UDS and xattr support have their own tables
// below; per-architecture additions live in sibling files, not here.
var allowedSyscalls = seccomp.SyscallRules{
	// File and directory operations. Arguments are not constrained; in
	// particular openat(2) flags are not restricted by this filter.
	unix.SYS_CLOSE:      {},
	unix.SYS_DUP:        {},
	unix.SYS_FCHMOD:     {},
	unix.SYS_FCHMODAT:   {},
	unix.SYS_FCHOWNAT:   {},
	unix.SYS_FSTAT:      {},
	unix.SYS_FSTATFS:    {},
	unix.SYS_FSYNC:      {},
	unix.SYS_FTRUNCATE:  {},
	unix.SYS_GETDENTS64: {},
	unix.SYS_LINKAT:     {},
	unix.SYS_LSEEK:      {},
	unix.SYS_MKDIRAT:    {},
	unix.SYS_MKNODAT:    {},
	unix.SYS_OPENAT:     {},
	unix.SYS_PREAD64:    {},
	unix.SYS_PWRITE64:   {},
	unix.SYS_READ:       {},
	unix.SYS_READLINKAT: {},
	unix.SYS_RENAMEAT:   {},
	unix.SYS_SYMLINKAT:  {},
	unix.SYS_UNLINKAT:   {},
	unix.SYS_UTIMENSAT:  {},
	unix.SYS_WRITE:      {},

	// fallocate(2) is accepted only with mode 0; every other mode is
	// rejected by the exact match on the second argument.
	unix.SYS_FALLOCATE: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.EqualTo(0)},
	},

	// fcntl(2) is limited to four commands. F_ADD_SEALS is needed by
	// flipcall.PacketWindowAllocator.Init(); F_SETFD and F_DUPFD* are
	// deliberately absent.
	unix.SYS_FCNTL: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.EqualTo(unix.F_GETFL)},
		{seccomp.MatchAny{}, seccomp.EqualTo(unix.F_SETFL)},
		{seccomp.MatchAny{}, seccomp.EqualTo(unix.F_GETFD)},
		{seccomp.MatchAny{}, seccomp.EqualTo(unix.F_ADD_SEALS)},
	},

	// Memory management. mmap(2) is restricted through its flags argument
	// (the fourth) to exactly three flag combinations; the prot argument is
	// not constrained by these rules.
	unix.SYS_MADVISE:  {},
	unix.SYS_MPROTECT: {},
	unix.SYS_MUNMAP:   {},
	unix.SYS_MMAP: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(unix.MAP_SHARED)},
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS)},
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_FIXED)},
	},
	unix.SYS_MEMFD_CREATE: {}, // Used by flipcall.PacketWindowAllocator.Init().

	// Thread synchronization. The private FUTEX_WAIT/FUTEX_WAKE forms require
	// the fifth argument (uaddr2) to be 0; the non-private forms, used by
	// flipcall, leave it unconstrained.
	unix.SYS_FUTEX: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG), seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(0)},
		{seccomp.MatchAny{}, seccomp.EqualTo(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG), seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(0)},
		{seccomp.MatchAny{}, seccomp.EqualTo(linux.FUTEX_WAIT), seccomp.MatchAny{}, seccomp.MatchAny{}},
		{seccomp.MatchAny{}, seccomp.EqualTo(linux.FUTEX_WAKE), seccomp.MatchAny{}, seccomp.MatchAny{}},
	},

	// Clocks, identity and scheduling helpers used by the Go runtime.
	unix.SYS_CLOCK_GETTIME: {},
	unix.SYS_GETPID:        {},
	unix.SYS_GETRANDOM:     {},
	unix.SYS_GETTID:        {},
	unix.SYS_GETTIMEOFDAY:  {},
	unix.SYS_NANOSLEEP:     {},
	unix.SYS_SCHED_YIELD:   {},

	// getcpu is used by some versions of the Go runtime and by the hostcpu
	// package on arm64. The node and tcache arguments must both be 0.
	unix.SYS_GETCPU: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.EqualTo(0), seccomp.EqualTo(0)},
	},

	// Event notification. epoll_pwait(2) must pass a 0 sigmask (fifth
	// argument); eventfd2(2) must pass initval 0 and no flags.
	unix.SYS_EPOLL_CTL: {},
	unix.SYS_PPOLL:     {},
	unix.SYS_EPOLL_PWAIT: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(0)},
	},
	unix.SYS_EVENTFD2: []seccomp.Rule{
		{seccomp.EqualTo(0), seccomp.EqualTo(0)},
	},

	// Socket I/O. recvmsg(2) requires MSG_DONTWAIT|MSG_TRUNC, optionally
	// with MSG_PEEK; sendmsg(2) flags are pinned to the two callers noted
	// below; shutdown(2) must be SHUT_RDWR.
	unix.SYS_ACCEPT: {},
	unix.SYS_RECVMSG: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC)},
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC | unix.MSG_PEEK)},
	},
	unix.SYS_SENDMSG: []seccomp.Rule{
		// Used by fdchannel.Endpoint.SendFD().
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(0)},
		// Used by unet.SocketWriter.WriteVec().
		{seccomp.MatchAny{}, seccomp.MatchAny{}, seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_NOSIGNAL)},
	},
	unix.SYS_SHUTDOWN: []seccomp.Rule{
		{seccomp.MatchAny{}, seccomp.EqualTo(unix.SHUT_RDWR)},
	},
	// Used by fdchannel.NewConnectedSockets(): only AF_UNIX SOCK_SEQPACKET
	// pairs with SOCK_CLOEXEC and protocol 0 may be created.
	unix.SYS_SOCKETPAIR: []seccomp.Rule{
		{seccomp.EqualTo(unix.AF_UNIX), seccomp.EqualTo(unix.SOCK_SEQPACKET | unix.SOCK_CLOEXEC), seccomp.EqualTo(0)},
	},

	// Process and signal handling.
	unix.SYS_EXIT:            {},
	unix.SYS_EXIT_GROUP:      {},
	unix.SYS_RESTART_SYSCALL: {},
	unix.SYS_SIGALTSTACK:     {},
	// May be used by the runtime during panic().
	unix.SYS_RT_SIGACTION:   {},
	unix.SYS_RT_SIGPROCMASK: {},
	unix.SYS_RT_SIGRETURN:   {},
	// tgkill(2) may only target the gofer's own thread group: the first
	// argument (tgid) must equal this process's PID. The PID is captured
	// once at package init, so this is only correct if the filter is
	// installed in the same process that initialized this package
	// (NOTE(review): confirm against the gofer startup path).
	unix.SYS_TGKILL: []seccomp.Rule{
		{seccomp.EqualTo(uint64(os.Getpid()))},
	},
}
   214  
// udsCommonSyscalls holds the socket(2) rules shared by host Unix domain
// socket support; presumably merged in alongside udsOpenSyscalls or
// udsCreateSyscalls by the caller that installs the filter (not visible
// here). Only AF_UNIX sockets with protocol 0 and a bare SOCK_STREAM,
// SOCK_DGRAM or SOCK_SEQPACKET type are accepted; because the type is an
// exact match, a type OR'd with SOCK_CLOEXEC or SOCK_NONBLOCK does not match.
var udsCommonSyscalls = seccomp.SyscallRules{
	unix.SYS_SOCKET: []seccomp.Rule{
		{seccomp.EqualTo(unix.AF_UNIX), seccomp.EqualTo(unix.SOCK_STREAM), seccomp.EqualTo(0)},
		{seccomp.EqualTo(unix.AF_UNIX), seccomp.EqualTo(unix.SOCK_DGRAM), seccomp.EqualTo(0)},
		{seccomp.EqualTo(unix.AF_UNIX), seccomp.EqualTo(unix.SOCK_SEQPACKET), seccomp.EqualTo(0)},
	},
}
   234  
// udsOpenSyscalls is the extra rule needed to connect to a host Unix domain
// socket that already exists: connect(2) is permitted with any arguments.
var udsOpenSyscalls = seccomp.SyscallRules{
	unix.SYS_CONNECT: []seccomp.Rule{},
}
   238  
// udsCreateSyscalls holds the extra rules needed to create and serve a host
// Unix domain socket. bind(2), listen(2) and accept4(2) are each permitted
// with any arguments (the address passed to bind is not checked here).
var udsCreateSyscalls = seccomp.SyscallRules{
	unix.SYS_BIND:    []seccomp.Rule{},
	unix.SYS_LISTEN:  []seccomp.Rule{},
	unix.SYS_ACCEPT4: []seccomp.Rule{},
}
   244  
// xattrSyscalls holds the rules enabling extended-attribute access on open
// file descriptors. Only the fd-based get/set variants are permitted, with
// any arguments; flistxattr/fremovexattr and the path-based variants are
// not included.
var xattrSyscalls = seccomp.SyscallRules{
	unix.SYS_FGETXATTR: []seccomp.Rule{},
	unix.SYS_FSETXATTR: []seccomp.Rule{},
}