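// Copyright 2016 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build linux
// +build linux

package common

import "runtime"

// seccomp default whitelists/blacklists.
// rkt tries not to diverge from docker here, for the moment.
//
// Security note: these are plain syscall-name lists. A name present in a
// whitelist admits *every* invocation of that syscall, whatever its
// arguments. Docker's profile additionally filters the arguments of "clone"
// and "personality" (marked "args-filtered by docker" below); rkt lists both
// unconditionally, so any argument-level restriction has to be applied by
// the code that turns these lists into a filter, not by the lists themselves.
//
// The Rkt* lists are independent copies of the Docker* lists: mutating one
// (sorting in place, appending, editing an entry) never changes the other.

var (
	// DockerDefaultSeccompWhitelist contains a default whitelist of syscalls,
	// used by docker for seccomp filtering.
	// See https://github.com/docker/docker/blob/master/profiles/seccomp/default.json
	//
	// The list is alphabetical up to "writev"; the trailing entries
	// ("arch_prctl", "modify_ldt", "chroot", "clone") were appended afterwards,
	// presumably from docker's conditional (arch- or capability-gated)
	// sections — confirm against upstream before relying on them being
	// unconditional there.
	DockerDefaultSeccompWhitelist = []string{
		"accept",
		"accept4",
		"access",
		"alarm",
		"bind",
		"brk",
		"capget",
		"capset",
		"chdir",
		"chmod",
		"chown",
		"chown32",
		"clock_getres",
		"clock_gettime",
		"clock_nanosleep",
		"close",
		"connect",
		"copy_file_range",
		"creat",
		"dup",
		"dup2",
		"dup3",
		"epoll_create",
		"epoll_create1",
		"epoll_ctl",
		"epoll_ctl_old",
		"epoll_pwait",
		"epoll_wait",
		"epoll_wait_old",
		"eventfd",
		"eventfd2",
		"execve",
		"execveat",
		"exit",
		"exit_group",
		"faccessat",
		"fadvise64",
		"fadvise64_64",
		"fallocate",
		"fanotify_mark",
		"fchdir",
		"fchmod",
		"fchmodat",
		"fchown",
		"fchown32",
		"fchownat",
		"fcntl",
		"fcntl64",
		"fdatasync",
		"fgetxattr",
		"flistxattr",
		"flock",
		"fork",
		"fremovexattr",
		"fsetxattr",
		"fstat",
		"fstat64",
		"fstatat64",
		"fstatfs",
		"fstatfs64",
		"fsync",
		"ftruncate",
		"ftruncate64",
		"futex",
		"futimesat",
		"getcpu",
		"getcwd",
		"getdents",
		"getdents64",
		"getegid",
		"getegid32",
		"geteuid",
		"geteuid32",
		"getgid",
		"getgid32",
		"getgroups",
		"getgroups32",
		"getitimer",
		"getpeername",
		"getpgid",
		"getpgrp",
		"getpid",
		"getppid",
		"getpriority",
		"getrandom",
		"getresgid",
		"getresgid32",
		"getresuid",
		"getresuid32",
		"getrlimit",
		"get_robust_list",
		"getrusage",
		"getsid",
		"getsockname",
		"getsockopt",
		"get_thread_area",
		"gettid",
		"gettimeofday",
		"getuid",
		"getuid32",
		"getxattr",
		"inotify_add_watch",
		"inotify_init",
		"inotify_init1",
		"inotify_rm_watch",
		"io_cancel",
		"ioctl",
		"io_destroy",
		"io_getevents",
		"ioprio_get",
		"ioprio_set",
		"io_setup",
		"io_submit",
		"ipc",
		"kill",
		"lchown",
		"lchown32",
		"lgetxattr",
		"link",
		"linkat",
		"listen",
		"listxattr",
		"llistxattr",
		"_llseek",
		"lremovexattr",
		"lseek",
		"lsetxattr",
		"lstat",
		"lstat64",
		"madvise",
		"memfd_create",
		"mincore",
		"mkdir",
		"mkdirat",
		"mknod",
		"mknodat",
		"mlock",
		"mlock2",
		"mlockall",
		"mmap",
		"mmap2",
		"mprotect",
		"mq_getsetattr",
		"mq_notify",
		"mq_open",
		"mq_timedreceive",
		"mq_timedsend",
		"mq_unlink",
		"mremap",
		"msgctl",
		"msgget",
		"msgrcv",
		"msgsnd",
		"msync",
		"munlock",
		"munlockall",
		"munmap",
		"nanosleep",
		"newfstatat",
		"_newselect",
		"open",
		"openat",
		"pause",
		"personality", // this is args-filtered by docker; rkt admits all arguments
		"pipe",
		"pipe2",
		"poll",
		"ppoll",
		"prctl",
		"pread64",
		"preadv",
		"prlimit64",
		"pselect6",
		"pwrite64",
		"pwritev",
		"read",
		"readahead",
		"readlink",
		"readlinkat",
		"readv",
		"recv",
		"recvfrom",
		"recvmmsg",
		"recvmsg",
		"remap_file_pages",
		"removexattr",
		"rename",
		"renameat",
		"renameat2",
		"restart_syscall",
		"rmdir",
		"rt_sigaction",
		"rt_sigpending",
		"rt_sigprocmask",
		"rt_sigqueueinfo",
		"rt_sigreturn",
		"rt_sigsuspend",
		"rt_sigtimedwait",
		"rt_tgsigqueueinfo",
		"sched_getaffinity",
		"sched_getattr",
		"sched_getparam",
		"sched_get_priority_max",
		"sched_get_priority_min",
		"sched_getscheduler",
		"sched_rr_get_interval",
		"sched_setaffinity",
		"sched_setattr",
		"sched_setparam",
		"sched_setscheduler",
		"sched_yield",
		"seccomp",
		"select",
		"semctl",
		"semget",
		"semop",
		"semtimedop",
		"send",
		"sendfile",
		"sendfile64",
		"sendmmsg",
		"sendmsg",
		"sendto",
		"setfsgid",
		"setfsgid32",
		"setfsuid",
		"setfsuid32",
		"setgid",
		"setgid32",
		"setgroups",
		"setgroups32",
		"setitimer",
		"setpgid",
		"setpriority",
		"setregid",
		"setregid32",
		"setresgid",
		"setresgid32",
		"setresuid",
		"setresuid32",
		"setreuid",
		"setreuid32",
		"setrlimit",
		"set_robust_list",
		"setsid",
		"setsockopt",
		"set_thread_area",
		"set_tid_address",
		"setuid",
		"setuid32",
		"setxattr",
		"shmat",
		"shmctl",
		"shmdt",
		"shmget",
		"shutdown",
		"sigaltstack",
		"signalfd",
		"signalfd4",
		"sigreturn",
		"socket",
		"socketcall",
		"socketpair",
		"splice",
		"stat",
		"stat64",
		"statfs",
		"statfs64",
		"symlink",
		"symlinkat",
		"sync",
		"sync_file_range",
		"syncfs",
		"sysinfo",
		"syslog",
		"tee",
		"tgkill",
		"time",
		"timer_create",
		"timer_delete",
		"timerfd_create",
		"timerfd_gettime",
		"timerfd_settime",
		"timer_getoverrun",
		"timer_gettime",
		"timer_settime",
		"times",
		"tkill",
		"truncate",
		"truncate64",
		"ugetrlimit",
		"umask",
		"uname",
		"unlink",
		"unlinkat",
		"utime",
		"utimensat",
		"utimes",
		"vfork",
		"vmsplice",
		"wait4",
		"waitid",
		"waitpid",
		"write",
		"writev",
		"arch_prctl",
		"modify_ldt",
		"chroot",
		"clone", // this is args-filtered by docker; rkt admits all arguments
	}

	// DockerDefaultSeccompBlacklist contains a default blacklist of syscalls,
	// used by docker for seccomp filtering.
	// See https://github.com/docker/docker/blob/master/docs/security/seccomp.md
	//
	// "clone" and "personality" are deliberately absent: docker restricts
	// them by argument rather than blocking them outright, and rkt keeps
	// them in the whitelist (see the note at the top of this file).
	DockerDefaultSeccompBlacklist = []string{
		"acct",
		"add_key",
		"adjtimex",
		"bpf",
		"clock_adjtime",
		"clock_settime",
		// "clone", // this is args-filtered by docker
		"create_module",
		"delete_module",
		"finit_module",
		"get_kernel_syms",
		"get_mempolicy",
		"init_module",
		"ioperm",
		"iopl",
		"kcmp",
		"kexec_file_load",
		"kexec_load",
		"keyctl",
		"lookup_dcookie",
		"mbind",
		"mount",
		"move_pages",
		"name_to_handle_at",
		"nfsservctl",
		"open_by_handle_at",
		"perf_event_open",
		// "personality", // this is args-filtered by docker
		"pivot_root",
		"process_vm_readv",
		"process_vm_writev",
		"ptrace",
		"query_module",
		"quotactl",
		"reboot",
		"request_key",
		"set_mempolicy",
		"setns",
		"settimeofday",
		"stime",
		"swapon",
		"swapoff",
		"sysfs",
		"_sysctl",
		"umount",
		"umount2",
		"unshare",
		"uselib",
		"userfaultfd",
		"ustat",
		"vm86",
		"vm86old",
	}

	// RktDefaultSeccompArmWhitelist contains the additional needed syscalls
	// for arm support. It is appended to RktDefaultSeccompWhitelist when
	// runtime.GOARCH is "arm" or "arm64".
	RktDefaultSeccompArmWhitelist = []string{
		"arm_fadvise64_64",
		"arm_sync_file_range",
		"breakpoint",
		"cacheflush",
		"set_tls",
		"sync_file_range2",
	}

	// RktDefaultSeccompBlacklist contains a default blacklist of syscalls,
	// used by rkt for seccomp filtering. It is a private copy of
	// DockerDefaultSeccompBlacklist rather than an alias of it.
	RktDefaultSeccompBlacklist = cloneSyscallList(DockerDefaultSeccompBlacklist)

	// RktDefaultSeccompWhitelist contains a default whitelist of syscalls,
	// used by rkt for seccomp filtering: DockerDefaultSeccompWhitelist plus,
	// on arm/arm64, RktDefaultSeccompArmWhitelist. It never shares storage
	// with the Docker* lists.
	RktDefaultSeccompWhitelist = seccompWhitelistForArch(runtime.GOARCH, DockerDefaultSeccompWhitelist, RktDefaultSeccompArmWhitelist)
)

// cloneSyscallList returns a copy of src with its own backing array, so that
// in-place edits of the copy cannot reach the original list.
func cloneSyscallList(src []string) []string {
	dst := make([]string, len(src))
	copy(dst, src)
	return dst
}

// seccompWhitelistForArch builds the rkt whitelist for the given GOARCH: a
// copy of base, extended with armExtra when arch is "arm" or "arm64".
// The result is always freshly allocated; on every architecture it is
// independent of base, which the previous init()-based append only
// guaranteed on arm.
func seccompWhitelistForArch(arch string, base, armExtra []string) []string {
	out := make([]string, 0, len(base)+len(armExtra))
	out = append(out, base...)
	if arch == "arm" || arch == "arm64" {
		out = append(out, armExtra...)
	}
	return out
}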