
     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Test binary used to test that seccomp filters are properly constructed and
    16  // indeed kill the process on violation.
    17  package main
    18  
    19  import (
    20  	"flag"
    21  	"fmt"
    22  	"os"
    23  
    24  	"golang.org/x/sys/unix"
    25  	"gvisor.dev/gvisor/pkg/seccomp"
    26  )
    27  
// main installs a seccomp filter and then issues one probe syscall.
//
// Without -die, the probe syscall (umask) is added to the allowlist with an
// argument constraint matching exactly the arguments used below, so the call
// is expected to pass and "Syscall was allowed!!!" is printed. With -die, the
// probe syscall is left out of the allowlist, so the filter is expected to
// kill the process before the final message can be printed.
func main() {
	dieFlag := flag.Bool("die", false, "trips over the filter if true")
	flag.Parse()

	// Syscalls that are allowed unconditionally. These cover what the Go
	// runtime and this program itself need so that the only call the filter
	// can trip on is the probe syscall chosen below.
	allowedSyscalls := []uintptr{
		unix.SYS_ACCEPT,
		unix.SYS_BIND,
		unix.SYS_BRK,
		unix.SYS_CLOCK_GETTIME,
		unix.SYS_CLONE,
		unix.SYS_CLOSE,
		unix.SYS_DUP,
		unix.SYS_DUP3,
		unix.SYS_EPOLL_CREATE1,
		unix.SYS_EPOLL_CTL,
		unix.SYS_EPOLL_PWAIT,
		unix.SYS_EXIT,
		unix.SYS_EXIT_GROUP,
		unix.SYS_FALLOCATE,
		unix.SYS_FCHMOD,
		unix.SYS_FCNTL,
		unix.SYS_FSTAT,
		unix.SYS_FSYNC,
		unix.SYS_FTRUNCATE,
		unix.SYS_FUTEX,
		unix.SYS_GETDENTS64,
		unix.SYS_GETPEERNAME,
		unix.SYS_GETPID,
		unix.SYS_GETSOCKNAME,
		unix.SYS_GETSOCKOPT,
		unix.SYS_GETTID,
		unix.SYS_GETTIMEOFDAY,
		unix.SYS_LISTEN,
		unix.SYS_LSEEK,
		unix.SYS_MADVISE,
		unix.SYS_MINCORE,
		unix.SYS_MMAP,
		unix.SYS_MPROTECT,
		unix.SYS_MUNLOCK,
		unix.SYS_MUNMAP,
		unix.SYS_NANOSLEEP,
		unix.SYS_OPENAT,
		unix.SYS_PPOLL,
		unix.SYS_PREAD64,
		unix.SYS_PSELECT6,
		unix.SYS_PWRITE64,
		unix.SYS_READ,
		unix.SYS_READLINKAT,
		unix.SYS_READV,
		unix.SYS_RECVMSG,
		unix.SYS_RENAMEAT,
		unix.SYS_RESTART_SYSCALL,
		unix.SYS_RT_SIGACTION,
		unix.SYS_RT_SIGPROCMASK,
		unix.SYS_RT_SIGRETURN,
		unix.SYS_SCHED_YIELD,
		unix.SYS_SENDMSG,
		unix.SYS_SETITIMER,
		unix.SYS_SET_ROBUST_LIST,
		unix.SYS_SETSOCKOPT,
		unix.SYS_SHUTDOWN,
		unix.SYS_SIGALTSTACK,
		unix.SYS_SOCKET,
		unix.SYS_SYNC_FILE_RANGE,
		unix.SYS_TGKILL,
		unix.SYS_UTIMENSAT,
		unix.SYS_WRITE,
		unix.SYS_WRITEV,
	}
	ruleSet := make(map[uintptr]seccomp.SyscallRule, len(allowedSyscalls))
	for _, nr := range allowedSyscalls {
		ruleSet[nr] = seccomp.MatchAll{}
	}
	syscalls := seccomp.MakeSyscallRules(ruleSet)

	// Architecture-specific additions live in a sibling file.
	arch_syscalls(syscalls)

	// The probe is a syscall the Go runtime is unlikely to issue on its own,
	// even with race or other instrumentation enabled, so a kill can only be
	// attributed to the explicit call at the bottom of this function.
	probe := uintptr(unix.SYS_UMASK)

	// Only in the non-dying mode is the probe allowed, and then only with its
	// first argument equal to 0, which is exactly what the call below passes.
	if !*dieFlag {
		syscalls.Set(probe, seccomp.PerArg{
			seccomp.EqualTo(0),
		})
	}

	if err := seccomp.Install(syscalls, seccomp.NewSyscallRules(), seccomp.DefaultProgramOptions()); err != nil {
		fmt.Printf("Failed to install seccomp: %v\n", err)
		os.Exit(1)
	}
	fmt.Printf("Filters installed\n")

	// Return values are deliberately not inspected: in the dying mode the
	// process never returns from this call, and in the allowed mode the only
	// observable outcome the harness needs is the message that follows.
	unix.RawSyscall(probe, 0, 0, 0)
	fmt.Printf("Syscall was allowed!!!\n")
}