// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package sandbox

import (
	"golang.org/x/sys/unix"
)

// NATIVE_AUDIT_ARCH is the audit architecture this allowlist is written for.
// The syscall numbers below are the x86-64 ones; they do not match the i386
// (compat) numbers, so the filter builder is expected to reject any syscall
// whose reported arch is not NATIVE_AUDIT_ARCH before consulting this list
// (the builder itself is not in this file — confirm there).
const NATIVE_AUDIT_ARCH = AUDIT_ARCH_X86_64

// AllowedSyscalls is the seccomp allowlist applied to sandboxed plugin
// processes on linux/amd64. Everything not listed here is expected to be
// denied by the filter's default action (defined elsewhere in this package).
//
// Security-relevant properties of this list, as written:
//
//   - Entries match on syscall number only, except clone and personality,
//     which also inspect their first argument. In particular ioctl, prctl,
//     socket, setsockopt, mknod and the set*id family are unrestricted at
//     the seccomp layer; the kernel's normal capability and namespace checks
//     are what limit them. Review those first when tightening this list.
//   - Deliberately absent (and therefore denied): ptrace, process_vm_readv/
//     writev, mount/umount*, unshare, setns, pivot_root, bpf, perf_event_open,
//     keyctl/add_key/request_key, userfaultfd, kexec_*, init_module/
//     finit_module/delete_module, io_uring_*, ioperm/iopl, and clock_settime/
//     settimeofday. Keep it that way unless a plugin has a demonstrated need.
//   - Newer syscalls such as clone3, statx, membarrier and rseq are not
//     listed; whether their absence breaks newer runtimes or libcs depends on
//     the filter's default action (kill vs ENOSYS). NOTE(review): confirm the
//     default action before updating the Go toolchain or base image.
var AllowedSyscalls = []SeccompSyscall{
	{Syscall: unix.SYS_ACCEPT},
	{Syscall: unix.SYS_ACCEPT4},
	{Syscall: unix.SYS_ACCESS},
	// adjtimex may read/adjust kernel time parameters; writes still require
	// CAP_SYS_TIME, which the sandbox is presumably not granted — confirm.
	{Syscall: unix.SYS_ADJTIMEX},
	{Syscall: unix.SYS_ALARM},
	{Syscall: unix.SYS_ARCH_PRCTL},
	{Syscall: unix.SYS_BIND},
	{Syscall: unix.SYS_BRK},
	{Syscall: unix.SYS_CAPGET},
	// capset can only drop capabilities the process already has.
	{Syscall: unix.SYS_CAPSET},
	{Syscall: unix.SYS_CHDIR},
	{Syscall: unix.SYS_CHMOD},
	{Syscall: unix.SYS_CHOWN},
	{Syscall: unix.SYS_CLOCK_GETRES},
	{Syscall: unix.SYS_CLOCK_GETTIME},
	{Syscall: unix.SYS_CLOCK_NANOSLEEP},
	// clone is allowed for ordinary threads and processes, but any call that
	// would create a new namespace is denied by requiring that none of the
	// CLONE_NEW* bits be set in the flags argument (arg 0 on x86-64). Together
	// with the absence of unshare and setns this prevents the sandboxed process
	// from constructing its own user/mount/net/pid namespaces, which is a
	// common first step in container escapes.
	{
		Syscall: unix.SYS_CLONE,
		Any: []SeccompConditions{{
			All: []SeccompCondition{SeccompArgHasNoBits{
				Arg:  0,
				Mask: unix.CLONE_NEWCGROUP | unix.CLONE_NEWIPC | unix.CLONE_NEWNET | unix.CLONE_NEWNS | unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS,
			}},
		}},
	},
	{Syscall: unix.SYS_CLOSE},
	{Syscall: unix.SYS_CONNECT},
	{Syscall: unix.SYS_COPY_FILE_RANGE},
	{Syscall: unix.SYS_CREAT},
	{Syscall: unix.SYS_DUP},
	{Syscall: unix.SYS_DUP2},
	{Syscall: unix.SYS_DUP3},
	{Syscall: unix.SYS_EPOLL_CREATE},
	{Syscall: unix.SYS_EPOLL_CREATE1},
	{Syscall: unix.SYS_EPOLL_CTL},
	{Syscall: unix.SYS_EPOLL_CTL_OLD},
	{Syscall: unix.SYS_EPOLL_PWAIT},
	{Syscall: unix.SYS_EPOLL_WAIT},
	{Syscall: unix.SYS_EPOLL_WAIT_OLD},
	{Syscall: unix.SYS_EVENTFD},
	{Syscall: unix.SYS_EVENTFD2},
	// execve/execveat are permitted; the filter is inherited across exec, so
	// spawned programs stay under the same allowlist.
	{Syscall: unix.SYS_EXECVE},
	{Syscall: unix.SYS_EXECVEAT},
	{Syscall: unix.SYS_EXIT},
	{Syscall: unix.SYS_EXIT_GROUP},
	{Syscall: unix.SYS_FACCESSAT},
	{Syscall: unix.SYS_FADVISE64},
	{Syscall: unix.SYS_FALLOCATE},
	// fanotify_mark without fanotify_init: a mark can only be placed on a
	// fanotify fd, which cannot be created from inside the sandbox.
	{Syscall: unix.SYS_FANOTIFY_MARK},
	{Syscall: unix.SYS_FCHDIR},
	{Syscall: unix.SYS_FCHMOD},
	{Syscall: unix.SYS_FCHMODAT},
	{Syscall: unix.SYS_FCHOWN},
	{Syscall: unix.SYS_FCHOWNAT},
	{Syscall: unix.SYS_FCNTL},
	{Syscall: unix.SYS_FDATASYNC},
	{Syscall: unix.SYS_FGETXATTR},
	{Syscall: unix.SYS_FLISTXATTR},
	{Syscall: unix.SYS_FLOCK},
	{Syscall: unix.SYS_FORK},
	{Syscall: unix.SYS_FREMOVEXATTR},
	{Syscall: unix.SYS_FSETXATTR},
	{Syscall: unix.SYS_FSTAT},
	{Syscall: unix.SYS_FSTATFS},
	{Syscall: unix.SYS_FSYNC},
	{Syscall: unix.SYS_FTRUNCATE},
	{Syscall: unix.SYS_FUTEX},
	{Syscall: unix.SYS_FUTIMESAT},
	{Syscall: unix.SYS_GETCPU},
	{Syscall: unix.SYS_GETCWD},
	{Syscall: unix.SYS_GETDENTS},
	{Syscall: unix.SYS_GETDENTS64},
	{Syscall: unix.SYS_GETEGID},
	{Syscall: unix.SYS_GETEUID},
	{Syscall: unix.SYS_GETGID},
	{Syscall: unix.SYS_GETGROUPS},
	{Syscall: unix.SYS_GETITIMER},
	{Syscall: unix.SYS_GETPEERNAME},
	{Syscall: unix.SYS_GETPGID},
	{Syscall: unix.SYS_GETPGRP},
	{Syscall: unix.SYS_GETPID},
	{Syscall: unix.SYS_GETPPID},
	{Syscall: unix.SYS_GETPRIORITY},
	{Syscall: unix.SYS_GETRANDOM},
	{Syscall: unix.SYS_GETRESGID},
	{Syscall: unix.SYS_GETRESUID},
	{Syscall: unix.SYS_GETRLIMIT},
	{Syscall: unix.SYS_GET_ROBUST_LIST},
	{Syscall: unix.SYS_GETRUSAGE},
	{Syscall: unix.SYS_GETSID},
	{Syscall: unix.SYS_GETSOCKNAME},
	{Syscall: unix.SYS_GETSOCKOPT},
	{Syscall: unix.SYS_GET_THREAD_AREA},
	{Syscall: unix.SYS_GETTID},
	{Syscall: unix.SYS_GETTIMEOFDAY},
	{Syscall: unix.SYS_GETUID},
	{Syscall: unix.SYS_GETXATTR},
	{Syscall: unix.SYS_INOTIFY_ADD_WATCH},
	{Syscall: unix.SYS_INOTIFY_INIT},
	{Syscall: unix.SYS_INOTIFY_INIT1},
	{Syscall: unix.SYS_INOTIFY_RM_WATCH},
	{Syscall: unix.SYS_IO_CANCEL},
	// ioctl is allowed for any fd and any request; per-device restrictions
	// rely on what fds the sandbox can actually open.
	{Syscall: unix.SYS_IOCTL},
	{Syscall: unix.SYS_IO_DESTROY},
	{Syscall: unix.SYS_IO_GETEVENTS},
	{Syscall: unix.SYS_IOPRIO_GET},
	{Syscall: unix.SYS_IOPRIO_SET},
	{Syscall: unix.SYS_IO_SETUP},
	{Syscall: unix.SYS_IO_SUBMIT},
	{Syscall: unix.SYS_KILL},
	{Syscall: unix.SYS_LCHOWN},
	{Syscall: unix.SYS_LGETXATTR},
	{Syscall: unix.SYS_LINK},
	{Syscall: unix.SYS_LINKAT},
	{Syscall: unix.SYS_LISTEN},
	{Syscall: unix.SYS_LISTXATTR},
	{Syscall: unix.SYS_LLISTXATTR},
	{Syscall: unix.SYS_LREMOVEXATTR},
	{Syscall: unix.SYS_LSEEK},
	{Syscall: unix.SYS_LSETXATTR},
	{Syscall: unix.SYS_LSTAT},
	{Syscall: unix.SYS_MADVISE},
	{Syscall: unix.SYS_MEMFD_CREATE},
	{Syscall: unix.SYS_MINCORE},
	{Syscall: unix.SYS_MKDIR},
	{Syscall: unix.SYS_MKDIRAT},
	// mknod/mknodat: creating device nodes still needs CAP_MKNOD in the
	// sandbox's user namespace; without it only FIFOs/sockets/regular files.
	{Syscall: unix.SYS_MKNOD},
	{Syscall: unix.SYS_MKNODAT},
	{Syscall: unix.SYS_MLOCK},
	{Syscall: unix.SYS_MLOCK2},
	{Syscall: unix.SYS_MLOCKALL},
	{Syscall: unix.SYS_MMAP},
	// modify_ldt / get_thread_area / set_thread_area are x86-specific TLS and
	// segment setup calls; they are in several container default profiles but
	// are a recurring source of kernel bugs, so drop them if nothing needs them.
	{Syscall: unix.SYS_MODIFY_LDT},
	{Syscall: unix.SYS_MPROTECT},
	{Syscall: unix.SYS_MQ_GETSETATTR},
	{Syscall: unix.SYS_MQ_NOTIFY},
	{Syscall: unix.SYS_MQ_OPEN},
	{Syscall: unix.SYS_MQ_TIMEDRECEIVE},
	{Syscall: unix.SYS_MQ_TIMEDSEND},
	{Syscall: unix.SYS_MQ_UNLINK},
	{Syscall: unix.SYS_MREMAP},
	{Syscall: unix.SYS_MSGCTL},
	{Syscall: unix.SYS_MSGGET},
	{Syscall: unix.SYS_MSGRCV},
	{Syscall: unix.SYS_MSGSND},
	{Syscall: unix.SYS_MSYNC},
	{Syscall: unix.SYS_MUNLOCK},
	{Syscall: unix.SYS_MUNLOCKALL},
	{Syscall: unix.SYS_MUNMAP},
	{Syscall: unix.SYS_NANOSLEEP},
	{Syscall: unix.SYS_NEWFSTATAT},
	{Syscall: unix.SYS_OPEN},
	{Syscall: unix.SYS_OPENAT},
	{Syscall: unix.SYS_PAUSE},
	// personality is restricted to a fixed set of persona values: 0 (PER_LINUX),
	// 0x8 (PER_LINUX_32BIT), 0x20000 (UNAME26), 0x20008 (both), and 0xffffffff
	// (query only, no change). Notably ADDR_NO_RANDOMIZE (0x40000) and
	// READ_IMPLIES_EXEC (0x400000) are excluded, so a plugin cannot disable
	// ASLR or make readable mappings executable for itself or its children.
	{
		Syscall: unix.SYS_PERSONALITY,
		Any: []SeccompConditions{
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 8}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20000}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20008}}},
			{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0xffffffff}}},
		},
	},
	{Syscall: unix.SYS_PIPE},
	{Syscall: unix.SYS_PIPE2},
	{Syscall: unix.SYS_POLL},
	{Syscall: unix.SYS_PPOLL},
	// prctl is unrestricted. Most options only affect the caller, and ptrace
	// is not allowed so PR_SET_PTRACER has no effect here; PR_SET_NO_NEW_PRIVS
	// and PR_SET_SECCOMP can only tighten the process further.
	{Syscall: unix.SYS_PRCTL},
	{Syscall: unix.SYS_PREAD64},
	{Syscall: unix.SYS_PREADV},
	{Syscall: unix.SYS_PREADV2},
	{Syscall: unix.SYS_PRLIMIT64},
	{Syscall: unix.SYS_PSELECT6},
	{Syscall: unix.SYS_PWRITE64},
	{Syscall: unix.SYS_PWRITEV},
	{Syscall: unix.SYS_PWRITEV2},
	{Syscall: unix.SYS_READ},
	{Syscall: unix.SYS_READAHEAD},
	{Syscall: unix.SYS_READLINK},
	{Syscall: unix.SYS_READLINKAT},
	{Syscall: unix.SYS_READV},
	{Syscall: unix.SYS_RECVFROM},
	{Syscall: unix.SYS_RECVMMSG},
	{Syscall: unix.SYS_RECVMSG},
	{Syscall: unix.SYS_REMAP_FILE_PAGES},
	{Syscall: unix.SYS_REMOVEXATTR},
	{Syscall: unix.SYS_RENAME},
	{Syscall: unix.SYS_RENAMEAT},
	{Syscall: unix.SYS_RENAMEAT2},
	{Syscall: unix.SYS_RESTART_SYSCALL},
	{Syscall: unix.SYS_RMDIR},
	{Syscall: unix.SYS_RT_SIGACTION},
	{Syscall: unix.SYS_RT_SIGPENDING},
	{Syscall: unix.SYS_RT_SIGPROCMASK},
	{Syscall: unix.SYS_RT_SIGQUEUEINFO},
	{Syscall: unix.SYS_RT_SIGRETURN},
	{Syscall: unix.SYS_RT_SIGSUSPEND},
	{Syscall: unix.SYS_RT_SIGTIMEDWAIT},
	{Syscall: unix.SYS_RT_TGSIGQUEUEINFO},
	{Syscall: unix.SYS_SCHED_GETAFFINITY},
	{Syscall: unix.SYS_SCHED_GETATTR},
	{Syscall: unix.SYS_SCHED_GETPARAM},
	{Syscall: unix.SYS_SCHED_GET_PRIORITY_MAX},
	{Syscall: unix.SYS_SCHED_GET_PRIORITY_MIN},
	{Syscall: unix.SYS_SCHED_GETSCHEDULER},
	{Syscall: unix.SYS_SCHED_RR_GET_INTERVAL},
	{Syscall: unix.SYS_SCHED_SETAFFINITY},
	{Syscall: unix.SYS_SCHED_SETATTR},
	{Syscall: unix.SYS_SCHED_SETPARAM},
	{Syscall: unix.SYS_SCHED_SETSCHEDULER},
	{Syscall: unix.SYS_SCHED_YIELD},
	// seccomp is allowed so a plugin can install a stricter filter of its own;
	// installed filters stack, so it cannot loosen this one.
	{Syscall: unix.SYS_SECCOMP},
	{Syscall: unix.SYS_SELECT},
	{Syscall: unix.SYS_SEMCTL},
	{Syscall: unix.SYS_SEMGET},
	{Syscall: unix.SYS_SEMOP},
	{Syscall: unix.SYS_SEMTIMEDOP},
	{Syscall: unix.SYS_SENDFILE},
	{Syscall: unix.SYS_SENDMMSG},
	{Syscall: unix.SYS_SENDMSG},
	{Syscall: unix.SYS_SENDTO},
	// set*id / setgroups: without CAP_SETUID/CAP_SETGID these can only move
	// between the process's existing real/effective/saved ids.
	{Syscall: unix.SYS_SETFSGID},
	{Syscall: unix.SYS_SETFSUID},
	{Syscall: unix.SYS_SETGID},
	{Syscall: unix.SYS_SETGROUPS},
	{Syscall: unix.SYS_SETITIMER},
	{Syscall: unix.SYS_SETPGID},
	{Syscall: unix.SYS_SETPRIORITY},
	{Syscall: unix.SYS_SETREGID},
	{Syscall: unix.SYS_SETRESGID},
	{Syscall: unix.SYS_SETRESUID},
	{Syscall: unix.SYS_SETREUID},
	{Syscall: unix.SYS_SETRLIMIT},
	{Syscall: unix.SYS_SET_ROBUST_LIST},
	{Syscall: unix.SYS_SETSID},
	{Syscall: unix.SYS_SETSOCKOPT},
	{Syscall: unix.SYS_SET_THREAD_AREA},
	{Syscall: unix.SYS_SET_TID_ADDRESS},
	{Syscall: unix.SYS_SETUID},
	{Syscall: unix.SYS_SETXATTR},
	{Syscall: unix.SYS_SHMAT},
	{Syscall: unix.SYS_SHMCTL},
	{Syscall: unix.SYS_SHMDT},
	{Syscall: unix.SYS_SHMGET},
	{Syscall: unix.SYS_SHUTDOWN},
	{Syscall: unix.SYS_SIGALTSTACK},
	{Syscall: unix.SYS_SIGNALFD},
	{Syscall: unix.SYS_SIGNALFD4},
	// socket/socketpair are allowed for every address family; if the sandbox
	// is not in its own network namespace, consider restricting the domain
	// argument (e.g. to AF_UNIX/AF_INET/AF_INET6) to keep AF_NETLINK and
	// AF_PACKET out of reach.
	{Syscall: unix.SYS_SOCKET},
	{Syscall: unix.SYS_SOCKETPAIR},
	{Syscall: unix.SYS_SPLICE},
	{Syscall: unix.SYS_STAT},
	{Syscall: unix.SYS_STATFS},
	{Syscall: unix.SYS_SYMLINK},
	{Syscall: unix.SYS_SYMLINKAT},
	{Syscall: unix.SYS_SYNC},
	{Syscall: unix.SYS_SYNC_FILE_RANGE},
	{Syscall: unix.SYS_SYNCFS},
	{Syscall: unix.SYS_SYSINFO},
	// syslog(2) reads the kernel ring buffer. Access is still gated by
	// CAP_SYSLOG / kernel.dmesg_restrict, but there is no obvious reason a
	// plugin needs it; candidate for removal.
	{Syscall: unix.SYS_SYSLOG},
	{Syscall: unix.SYS_TEE},
	{Syscall: unix.SYS_TGKILL},
	{Syscall: unix.SYS_TIME},
	{Syscall: unix.SYS_TIMER_CREATE},
	{Syscall: unix.SYS_TIMER_DELETE},
	{Syscall: unix.SYS_TIMERFD_CREATE},
	{Syscall: unix.SYS_TIMERFD_GETTIME},
	{Syscall: unix.SYS_TIMERFD_SETTIME},
	{Syscall: unix.SYS_TIMER_GETOVERRUN},
	{Syscall: unix.SYS_TIMER_GETTIME},
	{Syscall: unix.SYS_TIMER_SETTIME},
	{Syscall: unix.SYS_TIMES},
	{Syscall: unix.SYS_TKILL},
	{Syscall: unix.SYS_TRUNCATE},
	{Syscall: unix.SYS_UMASK},
	{Syscall: unix.SYS_UNAME},
	{Syscall: unix.SYS_UNLINK},
	{Syscall: unix.SYS_UNLINKAT},
	{Syscall: unix.SYS_UTIME},
	{Syscall: unix.SYS_UTIMENSAT},
	{Syscall: unix.SYS_UTIMES},
	{Syscall: unix.SYS_VFORK},
	{Syscall: unix.SYS_VMSPLICE},
	{Syscall: unix.SYS_WAIT4},
	{Syscall: unix.SYS_WAITID},
	{Syscall: unix.SYS_WRITE},
	{Syscall: unix.SYS_WRITEV},
}