gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/runsc/fsgofer/filter/config.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package filter 16 17 import ( 18 "os" 19 20 "golang.org/x/sys/unix" 21 "gvisor.dev/gvisor/pkg/abi/linux" 22 "gvisor.dev/gvisor/pkg/seccomp" 23 ) 24 25 // allowedSyscalls is the set of syscalls executed by the gofer. 26 var allowedSyscalls = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{ 27 unix.SYS_ACCEPT: seccomp.MatchAll{}, 28 unix.SYS_CLOCK_GETTIME: seccomp.MatchAll{}, 29 unix.SYS_CLOSE: seccomp.MatchAll{}, 30 unix.SYS_DUP: seccomp.MatchAll{}, 31 unix.SYS_EPOLL_CTL: seccomp.MatchAll{}, 32 unix.SYS_EPOLL_PWAIT: seccomp.PerArg{ 33 seccomp.AnyValue{}, 34 seccomp.AnyValue{}, 35 seccomp.AnyValue{}, 36 seccomp.AnyValue{}, 37 seccomp.EqualTo(0), 38 }, 39 unix.SYS_EVENTFD2: seccomp.PerArg{ 40 seccomp.EqualTo(0), 41 seccomp.EqualTo(0), 42 }, 43 unix.SYS_EXIT: seccomp.MatchAll{}, 44 unix.SYS_EXIT_GROUP: seccomp.MatchAll{}, 45 unix.SYS_FCHMOD: seccomp.MatchAll{}, 46 unix.SYS_FCHOWNAT: seccomp.MatchAll{}, 47 unix.SYS_FCNTL: seccomp.Or{ 48 seccomp.PerArg{ 49 seccomp.AnyValue{}, 50 seccomp.EqualTo(unix.F_GETFL), 51 }, 52 seccomp.PerArg{ 53 seccomp.AnyValue{}, 54 seccomp.EqualTo(unix.F_SETFL), 55 }, 56 seccomp.PerArg{ 57 seccomp.AnyValue{}, 58 seccomp.EqualTo(unix.F_GETFD), 59 }, 60 // Used by flipcall.PacketWindowAllocator.Init(). 61 seccomp.PerArg{ 62 seccomp.AnyValue{}, 63 seccomp.EqualTo(unix.F_ADD_SEALS), 64 }, 65 }, 66 unix.SYS_FSTAT: seccomp.MatchAll{}, 67 unix.SYS_FSYNC: seccomp.MatchAll{}, 68 unix.SYS_FUTEX: seccomp.Or{ 69 seccomp.PerArg{ 70 seccomp.AnyValue{}, 71 seccomp.EqualTo(linux.FUTEX_WAIT | linux.FUTEX_PRIVATE_FLAG), 72 seccomp.AnyValue{}, 73 seccomp.AnyValue{}, 74 seccomp.EqualTo(0), 75 }, 76 seccomp.PerArg{ 77 seccomp.AnyValue{}, 78 seccomp.EqualTo(linux.FUTEX_WAKE | linux.FUTEX_PRIVATE_FLAG), 79 seccomp.AnyValue{}, 80 seccomp.AnyValue{}, 81 seccomp.EqualTo(0), 82 }, 83 // Non-private futex used for flipcall. 84 seccomp.PerArg{ 85 seccomp.AnyValue{}, 86 seccomp.EqualTo(linux.FUTEX_WAIT), 87 seccomp.AnyValue{}, 88 seccomp.AnyValue{}, 89 }, 90 seccomp.PerArg{ 91 seccomp.AnyValue{}, 92 seccomp.EqualTo(linux.FUTEX_WAKE), 93 seccomp.AnyValue{}, 94 seccomp.AnyValue{}, 95 }, 96 }, 97 // getcpu is used by some versions of the Go runtime and by the hostcpu 98 // package on arm64. 99 unix.SYS_GETCPU: seccomp.PerArg{ 100 seccomp.AnyValue{}, 101 seccomp.EqualTo(0), 102 seccomp.EqualTo(0), 103 }, 104 unix.SYS_GETPID: seccomp.MatchAll{}, 105 unix.SYS_GETRANDOM: seccomp.MatchAll{}, 106 unix.SYS_GETTID: seccomp.MatchAll{}, 107 unix.SYS_GETTIMEOFDAY: seccomp.MatchAll{}, 108 unix.SYS_LSEEK: seccomp.MatchAll{}, 109 unix.SYS_MADVISE: seccomp.MatchAll{}, 110 unix.SYS_MEMFD_CREATE: seccomp.MatchAll{}, // Used by flipcall.PacketWindowAllocator.Init(). 111 unix.SYS_MMAP: seccomp.Or{ 112 seccomp.PerArg{ 113 seccomp.AnyValue{}, 114 seccomp.AnyValue{}, 115 seccomp.AnyValue{}, 116 seccomp.EqualTo(unix.MAP_SHARED), 117 }, 118 seccomp.PerArg{ 119 seccomp.AnyValue{}, 120 seccomp.AnyValue{}, 121 seccomp.AnyValue{}, 122 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS), 123 }, 124 seccomp.PerArg{ 125 seccomp.AnyValue{}, 126 seccomp.AnyValue{}, 127 seccomp.AnyValue{}, 128 seccomp.EqualTo(unix.MAP_PRIVATE | unix.MAP_ANONYMOUS | unix.MAP_FIXED), 129 }, 130 }, 131 unix.SYS_MPROTECT: seccomp.MatchAll{}, 132 unix.SYS_MUNMAP: seccomp.MatchAll{}, 133 unix.SYS_NANOSLEEP: seccomp.MatchAll{}, 134 unix.SYS_OPENAT: seccomp.MatchAll{}, 135 unix.SYS_PPOLL: seccomp.MatchAll{}, 136 unix.SYS_PREAD64: seccomp.MatchAll{}, 137 unix.SYS_PWRITE64: seccomp.MatchAll{}, 138 unix.SYS_READ: seccomp.MatchAll{}, 139 unix.SYS_RECVMSG: seccomp.Or{ 140 seccomp.PerArg{ 141 seccomp.AnyValue{}, 142 seccomp.AnyValue{}, 143 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC), 144 }, 145 seccomp.PerArg{ 146 seccomp.AnyValue{}, 147 seccomp.AnyValue{}, 148 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_TRUNC | unix.MSG_PEEK), 149 }, 150 }, 151 unix.SYS_RESTART_SYSCALL: seccomp.MatchAll{}, 152 // May be used by the runtime during panic(). 153 unix.SYS_RT_SIGACTION: seccomp.MatchAll{}, 154 unix.SYS_RT_SIGPROCMASK: seccomp.MatchAll{}, 155 unix.SYS_RT_SIGRETURN: seccomp.MatchAll{}, 156 unix.SYS_SCHED_YIELD: seccomp.MatchAll{}, 157 unix.SYS_SENDMSG: seccomp.Or{ 158 // Used by fdchannel.Endpoint.SendFD(). 159 seccomp.PerArg{ 160 seccomp.AnyValue{}, 161 seccomp.AnyValue{}, 162 seccomp.EqualTo(0), 163 }, 164 // Used by unet.SocketWriter.WriteVec(). 165 seccomp.PerArg{ 166 seccomp.AnyValue{}, 167 seccomp.AnyValue{}, 168 seccomp.EqualTo(unix.MSG_DONTWAIT | unix.MSG_NOSIGNAL), 169 }, 170 }, 171 unix.SYS_SHUTDOWN: seccomp.PerArg{ 172 seccomp.AnyValue{}, 173 seccomp.EqualTo(unix.SHUT_RDWR), 174 }, 175 unix.SYS_SIGALTSTACK: seccomp.MatchAll{}, 176 // Used by fdchannel.NewConnectedSockets(). 177 unix.SYS_SOCKETPAIR: seccomp.PerArg{ 178 seccomp.EqualTo(unix.AF_UNIX), 179 seccomp.EqualTo(unix.SOCK_SEQPACKET | unix.SOCK_CLOEXEC), 180 seccomp.EqualTo(0), 181 }, 182 unix.SYS_TGKILL: seccomp.PerArg{ 183 seccomp.EqualTo(uint64(os.Getpid())), 184 }, 185 unix.SYS_WRITE: seccomp.MatchAll{}, 186 }) 187 188 var udsCommonSyscalls = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{ 189 unix.SYS_SOCKET: seccomp.Or{ 190 seccomp.PerArg{ 191 seccomp.EqualTo(unix.AF_UNIX), 192 seccomp.EqualTo(unix.SOCK_STREAM), 193 seccomp.EqualTo(0), 194 }, 195 seccomp.PerArg{ 196 seccomp.EqualTo(unix.AF_UNIX), 197 seccomp.EqualTo(unix.SOCK_DGRAM), 198 seccomp.EqualTo(0), 199 }, 200 seccomp.PerArg{ 201 seccomp.EqualTo(unix.AF_UNIX), 202 seccomp.EqualTo(unix.SOCK_SEQPACKET), 203 seccomp.EqualTo(0), 204 }, 205 }, 206 }) 207 208 var udsOpenSyscalls = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{ 209 unix.SYS_CONNECT: seccomp.MatchAll{}, 210 }) 211 212 var udsCreateSyscalls = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{ 213 unix.SYS_ACCEPT4: seccomp.MatchAll{}, 214 unix.SYS_BIND: seccomp.MatchAll{}, 215 unix.SYS_LISTEN: seccomp.MatchAll{}, 216 }) 217 218 var lisafsFilters = seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{ 219 unix.SYS_FALLOCATE: seccomp.PerArg{ 220 seccomp.AnyValue{}, 221 seccomp.EqualTo(0), 222 }, 223 unix.SYS_FCHMODAT: seccomp.MatchAll{}, 224 unix.SYS_FGETXATTR: seccomp.MatchAll{}, 225 unix.SYS_FSTATFS: seccomp.MatchAll{}, 226 unix.SYS_GETDENTS64: seccomp.MatchAll{}, 227 unix.SYS_LINKAT: seccomp.PerArg{ 228 seccomp.NonNegativeFD{}, 229 seccomp.AnyValue{}, 230 seccomp.NonNegativeFD{}, 231 seccomp.AnyValue{}, 232 seccomp.EqualTo(0), 233 }, 234 unix.SYS_MKDIRAT: seccomp.MatchAll{}, 235 unix.SYS_MKNODAT: seccomp.MatchAll{}, 236 unix.SYS_READLINKAT: seccomp.MatchAll{}, 237 unix.SYS_RENAMEAT: seccomp.MatchAll{}, 238 unix.SYS_SYMLINKAT: seccomp.MatchAll{}, 239 unix.SYS_FTRUNCATE: seccomp.MatchAll{}, 240 unix.SYS_UNLINKAT: seccomp.MatchAll{}, 241 unix.SYS_UTIMENSAT: seccomp.MatchAll{}, 242 })