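package seccomp

import (
	"runtime"

	// specs-go is imported twice on purpose: DefaultProfile's signature
	// uses the plain name, everything else uses the rspec alias.
	"github.com/opencontainers/runtime-spec/specs-go"
	rspec "github.com/opencontainers/runtime-spec/specs-go"
)

// arches lists the seccomp architectures the default profile covers on
// the host it is generated on: the native ABI plus the compatibility ABIs
// that belong to it (e.g. x86 and x32 on amd64). A GOARCH that is not
// listed yields an empty, non-nil list.
func arches() []rspec.Arch {
	switch runtime.GOARCH {
	case "amd64":
		return []rspec.Arch{rspec.ArchX86_64, rspec.ArchX86, rspec.ArchX32}
	case "arm64":
		return []rspec.Arch{rspec.ArchARM, rspec.ArchAARCH64}
	case "mips64", "mips64n32":
		return []rspec.Arch{rspec.ArchMIPS, rspec.ArchMIPS64, rspec.ArchMIPS64N32}
	case "mips64le", "mipsel64", "mipsel64n32":
		// Go reports little-endian MIPS64 as "mips64le"; the older
		// spellings kept here are never produced by runtime.GOARCH, so
		// without "mips64le" this branch could not be reached.
		return []rspec.Arch{rspec.ArchMIPSEL, rspec.ArchMIPSEL64, rspec.ArchMIPSEL64N32}
	case "s390x":
		return []rspec.Arch{rspec.ArchS390, rspec.ArchS390X}
	default:
		return []rspec.Arch{}
	}
}

// DefaultProfile defines the whitelist for the default seccomp profile.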
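// The profile is built from four parts, appended in this order: a fixed
// base allowlist (plus a restricted "personality"), syscalls unlocked by
// capabilities found in any of rs.Process.Capabilities' sets, a masked
// "clone" rule when CAP_SYS_ADMIN is absent, and host-architecture
// specific syscalls. Every rule is an allow rule; the default action is
// ActErrno and the architectures come from arches().
//
// rs may be nil, as may rs.Process or rs.Process.Capabilities; each is
// treated as "no capabilities" rather than dereferenced.
func DefaultProfile(rs *specs.Spec) *rspec.LinuxSeccomp {
	// allow builds an unconditional allow rule. Args is an empty, non-nil
	// slice so the rule serializes exactly like the former literals did.
	allow := func(names ...string) rspec.LinuxSyscall {
		return rspec.LinuxSyscall{
			Names:  names,
			Action: rspec.ActAllow,
			Args:   []rspec.LinuxSeccompArg{},
		}
	}

	baseSyscalls := []string{
		"accept",
		"accept4",
		"access",
		"alarm",
		"bind",
		"brk",
		"capget",
		"capset",
		"chdir",
		"chmod",
		"chown",
		"chown32",
		"clock_getres",
		"clock_gettime",
		"clock_nanosleep",
		"close",
		"connect",
		"copy_file_range",
		"creat",
		"dup",
		"dup2",
		"dup3",
		"epoll_create",
		"epoll_create1",
		"epoll_ctl",
		"epoll_ctl_old",
		"epoll_pwait",
		"epoll_wait",
		"epoll_wait_old",
		"eventfd",
		"eventfd2",
		"execve",
		"execveat",
		"exit",
		"exit_group",
		"faccessat",
		"fadvise64",
		"fadvise64_64",
		"fallocate",
		"fanotify_mark",
		"fchdir",
		"fchmod",
		"fchmodat",
		"fchown",
		"fchown32",
		"fchownat",
		"fcntl",
		"fcntl64",
		"fdatasync",
		"fgetxattr",
		"flistxattr",
		"flock",
		"fork",
		"fremovexattr",
		"fsetxattr",
		"fstat",
		"fstat64",
		"fstatat64",
		"fstatfs",
		"fstatfs64",
		"fsync",
		"ftruncate",
		"ftruncate64",
		"futex",
		"futimesat",
		"getcpu",
		"getcwd",
		"getdents",
		"getdents64",
		"getegid",
		"getegid32",
		"geteuid",
		"geteuid32",
		"getgid",
		"getgid32",
		"getgroups",
		"getgroups32",
		"getitimer",
		"getpeername",
		"getpgid",
		"getpgrp",
		"getpid",
		"getppid",
		"getpriority",
		"getrandom",
		"getresgid",
		"getresgid32",
		"getresuid",
		"getresuid32",
		"getrlimit",
		"get_robust_list",
		"getrusage",
		"getsid",
		"getsockname",
		"getsockopt",
		"get_thread_area",
		"gettid",
		"gettimeofday",
		"getuid",
		"getuid32",
		"getxattr",
		"inotify_add_watch",
		"inotify_init",
		"inotify_init1",
		"inotify_rm_watch",
		"io_cancel",
		"ioctl",
		"io_destroy",
		"io_getevents",
		"ioprio_get",
		"ioprio_set",
		"io_setup",
		"io_submit",
		"ipc",
		"kill",
		"lchown",
		"lchown32",
		"lgetxattr",
		"link",
		"linkat",
		"listen",
		"listxattr",
		"llistxattr",
		"_llseek",
		"lremovexattr",
		"lseek",
		"lsetxattr",
		"lstat",
		"lstat64",
		"madvise",
		"memfd_create",
		"mincore",
		"mkdir",
		"mkdirat",
		"mknod",
		"mknodat",
		"mlock",
		"mlock2",
		"mlockall",
		"mmap",
		"mmap2",
		"mprotect",
		"mq_getsetattr",
		"mq_notify",
		"mq_open",
		"mq_timedreceive",
		"mq_timedsend",
		"mq_unlink",
		"mremap",
		"msgctl",
		"msgget",
		"msgrcv",
		"msgsnd",
		"msync",
		"munlock",
		"munlockall",
		"munmap",
		"nanosleep",
		"newfstatat",
		"_newselect",
		"open",
		"openat",
		"pause",
		"pipe",
		"pipe2",
		"poll",
		"ppoll",
		"prctl",
		"pread64",
		"preadv",
		"prlimit64",
		"pselect6",
		"pwrite64",
		"pwritev",
		"read",
		"readahead",
		"readlink",
		"readlinkat",
		"readv",
		"recv",
		"recvfrom",
		"recvmmsg",
		"recvmsg",
		"remap_file_pages",
		"removexattr",
		"rename",
		"renameat",
		"renameat2",
		"restart_syscall",
		"rmdir",
		"rt_sigaction",
		"rt_sigpending",
		"rt_sigprocmask",
		"rt_sigqueueinfo",
		"rt_sigreturn",
		"rt_sigsuspend",
		"rt_sigtimedwait",
		"rt_tgsigqueueinfo",
		"sched_getaffinity",
		"sched_getattr",
		"sched_getparam",
		"sched_get_priority_max",
		"sched_get_priority_min",
		"sched_getscheduler",
		"sched_rr_get_interval",
		"sched_setaffinity",
		"sched_setattr",
		"sched_setparam",
		"sched_setscheduler",
		"sched_yield",
		"seccomp",
		"select",
		"semctl",
		"semget",
		"semop",
		"semtimedop",
		"send",
		"sendfile",
		"sendfile64",
		"sendmmsg",
		"sendmsg",
		"sendto",
		"setfsgid",
		"setfsgid32",
		"setfsuid",
		"setfsuid32",
		"setgid",
		"setgid32",
		"setgroups",
		"setgroups32",
		"setitimer",
		"setpgid",
		"setpriority",
		"setregid",
		"setregid32",
		"setresgid",
		"setresgid32",
		"setresuid",
		"setresuid32",
		"setreuid",
		"setreuid32",
		"setrlimit",
		"set_robust_list",
		"setsid",
		"setsockopt",
		"set_thread_area",
		"set_tid_address",
		"setuid",
		"setuid32",
		"setxattr",
		"shmat",
		"shmctl",
		"shmdt",
		"shmget",
		"shutdown",
		"sigaltstack",
		"signalfd",
		"signalfd4",
		"sigreturn",
		"socket",
		"socketcall",
		"socketpair",
		"splice",
		"stat",
		"stat64",
		"statfs",
		"statfs64",
		"symlink",
		"symlinkat",
		"sync",
		"sync_file_range",
		"syncfs",
		"sysinfo",
		"syslog",
		"tee",
		"tgkill",
		"time",
		"timer_create",
		"timer_delete",
		"timerfd_create",
		"timerfd_gettime",
		"timerfd_settime",
		"timer_getoverrun",
		"timer_gettime",
		"timer_settime",
		"times",
		"tkill",
		"truncate",
		"truncate64",
		"ugetrlimit",
		"umask",
		"uname",
		"unlink",
		"unlinkat",
		"utime",
		"utimensat",
		"utimes",
		"vfork",
		"vmsplice",
		"wait4",
		"waitid",
		"waitpid",
		"write",
		"writev",
	}

	syscalls := []rspec.LinuxSyscall{
		allow(baseSyscalls...),
		{
			// personality is only allowed with PER_LINUX (0x0), PER_LINUX32
			// (0x0008) or the 0xffffffff "query current" value. The three
			// conditions share index 0 and are meant as alternatives, not a
			// conjunction; that relies on how the runtime treats repeated
			// indices — NOTE(review): confirm against the target runtime.
			Names:  []string{"personality"},
			Action: rspec.ActAllow,
			Args: []rspec.LinuxSeccompArg{
				{
					Index: 0,
					Value: 0x0,
					Op:    rspec.OpEqualTo,
				},
				{
					Index: 0,
					Value: 0x0008,
					Op:    rspec.OpEqualTo,
				},
				{
					Index: 0,
					Value: 0xffffffff,
					Op:    rspec.OpEqualTo,
				},
			},
		},
	}

	// Union of all capability sets: a capability present in any one of
	// them unlocks its syscalls. Missing Process/Capabilities contribute
	// nothing instead of panicking on a nil dereference.
	caps := make(map[string]bool)
	if rs != nil && rs.Process != nil && rs.Process.Capabilities != nil {
		c := rs.Process.Capabilities
		for _, set := range [][]string{c.Bounding, c.Effective, c.Inheritable, c.Permitted, c.Ambient} {
			for _, name := range set {
				caps[name] = true
			}
		}
	}

	// Capability-gated syscalls, walked in a fixed order so the generated
	// profile is deterministic (ranging over the map was not).
	privileged := []struct {
		capability string
		names      []string
	}{
		{"CAP_DAC_READ_SEARCH", []string{"open_by_handle_at"}},
		{"CAP_SYS_ADMIN", []string{
			"bpf",
			"clone",
			"fanotify_init",
			"lookup_dcookie",
			"mount",
			"name_to_handle_at",
			"perf_event_open",
			"setdomainname",
			"sethostname",
			"setns",
			"umount",
			"umount2",
			"unshare",
		}},
		{"CAP_SYS_BOOT", []string{"reboot"}},
		{"CAP_SYS_CHROOT", []string{"chroot"}},
		{"CAP_SYS_MODULE", []string{
			"delete_module",
			"init_module",
			"finit_module",
			"query_module",
		}},
		{"CAP_SYS_PACCT", []string{"acct"}},
		{"CAP_SYS_PTRACE", []string{
			"kcmp",
			"process_vm_readv",
			"process_vm_writev",
			"ptrace",
		}},
		{"CAP_SYS_RAWIO", []string{
			"iopl",
			"ioperm",
		}},
		{"CAP_SYS_TIME", []string{
			"settimeofday",
			"stime",
			"adjtimex",
		}},
		{"CAP_SYS_TTY_CONFIG", []string{"vhangup"}},
	}
	for _, p := range privileged {
		if caps[p.capability] {
			syscalls = append(syscalls, allow(p.names...))
		}
	}
	capSysAdmin := caps["CAP_SYS_ADMIN"]

	arch := runtime.GOARCH

	// Without CAP_SYS_ADMIN, clone is allowed only when none of the
	// namespace-creating flags are set (flags & mask == 0). The flags
	// argument is arg 0 on every covered architecture except s390, where
	// it is the 2nd argument (index 1). The index has to be decided
	// before the rule is built; the previous version only carried a
	// comment about s390 after the rule had already been appended, so
	// the mask was applied to the wrong argument there.
	var sysCloneFlagsIndex uint
	if arch == "s390" || arch == "s390x" {
		sysCloneFlagsIndex = 1
	}
	if !capSysAdmin {
		syscalls = append(syscalls, rspec.LinuxSyscall{
			Names:  []string{"clone"},
			Action: rspec.ActAllow,
			Args: []rspec.LinuxSeccompArg{
				{
					Index:    sysCloneFlagsIndex,
					Value:    CloneNewNS | CloneNewUTS | CloneNewIPC | CloneNewUser | CloneNewPID | CloneNewNet,
					ValueTwo: 0,
					Op:       rspec.OpMaskedEqual,
				},
			},
		})
	}

	// Host-architecture specific syscalls. "386" is Go's name for 32-bit
	// x86; "x86" and "x32" are kept for compatibility but are never
	// reported by runtime.GOARCH.
	switch arch {
	case "arm", "arm64":
		syscalls = append(syscalls, allow(
			"breakpoint",
			"cacheflush",
			"set_tls",
		))
	case "amd64", "x32":
		syscalls = append(syscalls, allow("arch_prctl"))
		fallthrough
	case "x86", "386":
		syscalls = append(syscalls, allow("modify_ldt"))
	case "s390", "s390x":
		syscalls = append(syscalls, allow(
			"s390_pci_mmio_read",
			"s390_pci_mmio_write",
			"s390_runtime_instr",
		))
	}

	return &rspec.LinuxSeccomp{
		DefaultAction: rspec.ActErrno,
		Architectures: arches(),
		Syscalls:      syscalls,
	}
}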