diff --git a/configs/config.go b/configs/config.go
index 293af0a9..f18afc81 100644
--- a/configs/config.go
+++ b/configs/config.go
@@ -61,6 +61,9 @@ type Config struct {
 // All capbilities not specified will be dropped from the processes capability mask
 Capabilities []string `json:"capabilities"`
 
+ // SysCalls specify the system calls to keep when executing the process inside the container
+ SysCalls []string `json:"syscalls"`
+
 // Networks specifies the container's network setup to be created
 Networks []*Network `json:"networks"`
 
diff --git a/init_linux.go b/init_linux.go
index 1771fd19..969d4c2a 100644
--- a/init_linux.go
+++ b/init_linux.go
@@ -13,6 +13,7 @@ import (
 "github.com/docker/libcontainer/cgroups"
 "github.com/docker/libcontainer/configs"
 "github.com/docker/libcontainer/netlink"
+ "github.com/docker/libcontainer/seccomp"
 "github.com/docker/libcontainer/system"
 "github.com/docker/libcontainer/user"
 "github.com/docker/libcontainer/utils"
@@ -259,3 +260,17 @@ func killCgroupProcesses(m cgroups.Manager) error {
 }
 return nil
 }
+
+func finalizeSeccomp(config *initConfig) error {
+ scmpCtx, _ := seccomp.ScmpInit(seccomp.ScmpActAllow)
+ if 0 == len(config.Config.SysCalls) {
+ for key := range seccomp.SyscallMap {
+ seccomp.ScmpAdd(scmpCtx, key, seccomp.ScmpActAllow)
+ }
+ } else {
+ for _, call := range config.Config.SysCalls {
+ seccomp.ScmpAdd(scmpCtx, call, seccomp.ScmpActAllow)
+ }
+ }
+ return seccomp.ScmpLoad(scmpCtx)
+}
diff --git a/integration/exec_test.go b/integration/exec_test.go
index 20d781ee..df6569b0 100644
--- a/integration/exec_test.go
+++ b/integration/exec_test.go
@@ -2,6 +2,7 @@ package integration
 
 import (
 "bytes"
+ "fmt"
 "io/ioutil"
 "os"
 "path/filepath"
@@ -13,6 +14,7 @@ import (
 "github.com/docker/libcontainer"
 "github.com/docker/libcontainer/cgroups/systemd"
 "github.com/docker/libcontainer/configs"
+ "github.com/docker/libcontainer/seccomp"
 )
 
 func TestExecPS(t *testing.T) {
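Review bot: The new SysCalls field comment does not say what an empty list means or what name format is expected, and both matter to anyone writing a config: finalizeSeccomp in init_linux.go allows every entry of seccomp.SyscallMap when the list is empty, and seccomp.ScmpAdd looks names up case-sensitively against that map's upper-case keys and returns an error (which finalizeSeccomp discards) for anything else. Suggest `// SysCalls lists the system calls the container process may make, by the upper-case names used as keys of seccomp.SyscallMap (e.g. "READ", "OPENAT"); names not in that map are currently ignored. An empty list means no restriction.` Whether "ignored" is the intended behaviour for unknown names is worth confirming before documenting it.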
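Review bot: Every error in finalizeSeccomp is discarded: ScmpInit's error is blanked with `_` and both ScmpAdd calls drop their return, so a mis-spelled or lower-case name in config.Config.SysCalls (ScmpAdd returns "syscall not surport" for anything that is not a key of SyscallMap) silently leaves that call out of the allow list and the process later dies with SIGSYS and no hint why. For the configured-names branch suggest `if err := seccomp.ScmpAdd(scmpCtx, call, seccomp.ScmpActAllow); err != nil { return fmt.Errorf("seccomp: syscall %q: %v", call, err) }`, assuming fmt is already imported in this file (the stdlib import group is outside the hunk); the SyscallMap branch can keep ignoring the duplicate-key error since ScmpLoad re-adds SyscallMapMin anyway. `0 == len(config.Config.SysCalls)` reads better as `len(config.Config.SysCalls) == 0`. I do not see a call to finalizeSeccomp anywhere in this diff, so it is worth confirming it is actually wired into the init path; otherwise the filter is never installed.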
@@ -714,3 +716,66 @@ func TestSystemProperties(t *testing.T) {
 t.Fatalf("kernel.shmmni property expected to be 8192, but is %s", shmmniOutput)
 }
 }
+
+func allExcept(calls []string) []string {
+ num := len(seccomp.SyscallMap) - len(calls)
+ filter := make([]string, num)
+ i := 0
+ for key := range seccomp.SyscallMap {
+ j := 0
+ for _, key1 := range calls {
+ if strings.EqualFold(key, key1) {
+ break
+ }
+ j++
+ }
+ if j == len(calls) {
+ filter[i] = key
+ i++
+ }
+ }
+ return filter
+}
+
+func TestSeccompNotStat(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ exceptCall := []string{"STAT"}
+ config.SysCalls = allExcept(exceptCall)
+ out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l")
+ if err == nil {
+ t.Fatal("runContainer should be failed")
+ } else {
+ fmt.Println(out)
+ }
+}
+
+func TestSeccompStat(t *testing.T) {
+ if testing.Short() {
+ return
+ }
+
+ rootfs, err := newRootfs()
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer remove(rootfs)
+
+ config := newTemplateConfig(rootfs)
+ exceptCall := []string{}
+ config.SysCalls = allExcept(exceptCall)
+ out, _, err := runContainer(config, "", "/bin/sh", "-c", "ls / -l")
+ if err != nil {
+ t.Fatal(err)
+ }
+ fmt.Println(out)
+}
diff --git a/seccomp/seccomp.go b/seccomp/seccomp.go
new file mode 100755
index 00000000..6e74ae75
--- /dev/null
+++ b/seccomp/seccomp.go
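Review bot: allExcept indexes past the end of filter when any entry of calls is not a key of seccomp.SyscallMap or appears twice, because num is computed from len(calls) while the loop only skips keys that actually match; `var filter []string` with `filter = append(filter, key)` removes both the preallocation and the panic. The helper matches with strings.EqualFold, but ScmpAdd in seccomp.go looks names up case-sensitively, so a test that passes lower-case names would exercise a different path from production. TestSeccompNotStat assumes that removing only "STAT" makes `ls / -l` fail: on 386 the table maps "STAT" to the legacy number while "STAT64" stays allowed, and a libc that goes through fstatat may not hit it at all, so the test could pass or fail for the wrong reason — asserting on how the shell died rather than on any non-nil error would make it meaningful. `} else { fmt.Println(out) }` after t.Fatal can be flattened, and the prints look like leftover debugging. I cannot see lines 8-12 of the import block from this hunk, so I have assumed strings is already imported there.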
@@ -0,0 +1,133 @@
+package seccomp
+
+import (
+ "errors"
+ "fmt"
+ "syscall"
+ "unsafe"
+)
+
+type sockFilter struct {
+ code uint16
+ jt uint8
+ jf uint8
+ k uint32
+}
+
+type sockFprog struct {
+ len uint16
+ filt []sockFilter
+}
+
+type Action struct {
+ syscall uint32
+ action int
+ args []string
+}
+
+type ScmpCtx struct {
+ CallMap map[string]Action
+ act int
+}
+
+var ScmpActAllow = 0
+
+func ScmpInit(action int) (*ScmpCtx, error) {
+ ctx := ScmpCtx{
+ CallMap: make(map[string]Action),
+ act: action,
+ }
+ return &ctx, nil
+}
+
+func ScmpAdd(ctx *ScmpCtx, call string, action int, args ...string) error {
+ _, exists := ctx.CallMap[call]
+ if exists {
+ return errors.New("syscall exist")
+ }
+
+ //fmt.Printf("%s\n", call)
+
+ sysCall, sysExists := SyscallMap[call]
+ if sysExists {
+ ctx.CallMap[call] = Action{sysCall, action, args}
+ return nil
+ }
+ return errors.New("syscall not surport")
+}
+
+func ScmpDel(ctx *ScmpCtx, call string) error {
+ _, exists := ctx.CallMap[call]
+ if exists {
+ delete(ctx.CallMap, call)
+ return nil
+ }
+
+ return errors.New("syscall not exist")
+}
+
+func ScmpBpfStmt(code uint16, k uint32) sockFilter {
+ return sockFilter{code, 0, 0, k}
+}
+
+func ScmpBpfJump(code uint16, k uint32, jt, jf uint8) sockFilter {
+ return sockFilter{code, jt, jf, k}
+}
+
+func prctl(option int, arg2, arg3, arg4, arg5 uintptr) (err error) {
+ _, _, e1 := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0)
+ if e1 != 0 {
+ err = e1
+ }
+ return nil
+}
+
+func scmpfilter(prog *sockFprog) (err error) {
+ _, _, e1 := syscall.Syscall(syscall.SYS_PRCTL, uintptr(syscall.PR_SET_SECCOMP),
+ uintptr(SECCOMP_MODE_FILTER), uintptr(unsafe.Pointer(prog)))
+ if e1 != 0 {
+ err = e1
+ }
+ return nil
+}
+
+func ScmpLoad(ctx *ScmpCtx) error {
+ for key := range SyscallMapMin {
+ ScmpAdd(ctx, key, ScmpActAllow)
+ }
+
+ num := len(ctx.CallMap)
+ filter := make([]sockFilter, num*2+3)
+
+ i := 0
+ filter[i] = ScmpBpfStmt(syscall.BPF_LD+syscall.BPF_W+syscall.BPF_ABS, 0)
+ i++
+
+ for _, value := range ctx.CallMap {
+ filter[i] = ScmpBpfJump(syscall.BPF_JMP+syscall.BPF_JEQ+syscall.BPF_K, value.syscall, 0, 1)
+ i++
+ filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_ALLOW)
+ i++
+ }
+
+ filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_TRAP)
+ i++
+ filter[i] = ScmpBpfStmt(syscall.BPF_RET+syscall.BPF_K, SECCOMP_RET_KILL)
+ i++
+
+ prog := sockFprog{
+ len: uint16(i),
+ filt: filter,
+ }
+
+ if nil != prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) {
+ fmt.Println("prctl PR_SET_NO_NEW_PRIVS error")
+ return errors.New("prctl PR_SET_NO_NEW_PRIVS error")
+ }
+
+ if nil != scmpfilter(&prog) {
+ fmt.Println("scmpfilter error")
+ return errors.New("scmpfilter error")
+ }
+ return nil
+}
diff --git a/seccomp/syscall_linux_386.go b/seccomp/syscall_linux_386.go
new file mode 100644
index 00000000..ad98e162
--- /dev/null
+++ b/seccomp/syscall_linux_386.go
@@ -0,0 +1,364 @@ +// +build linux +// +build 386 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "EXIT": syscall.SYS_EXIT, + "FORK": syscall.SYS_FORK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "WAITPID": syscall.SYS_WAITPID, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "EXECVE": syscall.SYS_EXECVE, + "CHDIR": syscall.SYS_CHDIR, + "TIME": syscall.SYS_TIME, + "MKNOD": syscall.SYS_MKNOD, + "CHMOD": syscall.SYS_CHMOD, + "LCHOWN": syscall.SYS_LCHOWN, + "BREAK": syscall.SYS_BREAK, + "OLDSTAT": syscall.SYS_OLDSTAT, + "LSEEK": syscall.SYS_LSEEK, + "GETPID": syscall.SYS_GETPID, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT": syscall.SYS_UMOUNT, + "SETUID": syscall.SYS_SETUID, + "GETUID": syscall.SYS_GETUID, + "STIME": syscall.SYS_STIME, + "PTRACE": syscall.SYS_PTRACE, + "ALARM": syscall.SYS_ALARM, + "OLDFSTAT": syscall.SYS_OLDFSTAT, + "PAUSE": syscall.SYS_PAUSE, + "UTIME": syscall.SYS_UTIME, + "STTY": syscall.SYS_STTY, + "GTTY": syscall.SYS_GTTY, + "ACCESS": syscall.SYS_ACCESS, + "NICE": syscall.SYS_NICE, + "FTIME": syscall.SYS_FTIME, + "SYNC": syscall.SYS_SYNC, + "KILL": syscall.SYS_KILL, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "DUP": syscall.SYS_DUP, + "PIPE": syscall.SYS_PIPE, + "TIMES": syscall.SYS_TIMES, + "PROF": syscall.SYS_PROF, + "BRK": syscall.SYS_BRK, + "SETGID": syscall.SYS_SETGID, + "GETGID": syscall.SYS_GETGID, + "SIGNAL": syscall.SYS_SIGNAL, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "ACCT": syscall.SYS_ACCT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "LOCK": syscall.SYS_LOCK, + "IOCTL": syscall.SYS_IOCTL, + "FCNTL": 
syscall.SYS_FCNTL, + "MPX": syscall.SYS_MPX, + "SETPGID": syscall.SYS_SETPGID, + "ULIMIT": syscall.SYS_ULIMIT, + "OLDOLDUNAME": syscall.SYS_OLDOLDUNAME, + "UMASK": syscall.SYS_UMASK, + "CHROOT": syscall.SYS_CHROOT, + "USTAT": syscall.SYS_USTAT, + "DUP2": syscall.SYS_DUP2, + "GETPPID": syscall.SYS_GETPPID, + "GETPGRP": syscall.SYS_GETPGRP, + "SETSID": syscall.SYS_SETSID, + "SIGACTION": syscall.SYS_SIGACTION, + "SGETMASK": syscall.SYS_SGETMASK, + "SSETMASK": syscall.SYS_SSETMASK, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "SIGSUSPEND": syscall.SYS_SIGSUSPEND, + "SIGPENDING": syscall.SYS_SIGPENDING, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SELECT": syscall.SYS_SELECT, + "SYMLINK": syscall.SYS_SYMLINK, + "OLDLSTAT": syscall.SYS_OLDLSTAT, + "READLINK": syscall.SYS_READLINK, + "USELIB": syscall.SYS_USELIB, + "SWAPON": syscall.SYS_SWAPON, + "REBOOT": syscall.SYS_REBOOT, + "READDIR": syscall.SYS_READDIR, + "MMAP": syscall.SYS_MMAP, + "MUNMAP": syscall.SYS_MUNMAP, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHOWN": syscall.SYS_FCHOWN, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "PROFIL": syscall.SYS_PROFIL, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "IOPERM": syscall.SYS_IOPERM, + "SOCKETCALL": syscall.SYS_SOCKETCALL, + "SYSLOG": syscall.SYS_SYSLOG, + "SETITIMER": syscall.SYS_SETITIMER, + "GETITIMER": syscall.SYS_GETITIMER, + "STAT": syscall.SYS_STAT, + "LSTAT": syscall.SYS_LSTAT, + "FSTAT": syscall.SYS_FSTAT, + "OLDUNAME": syscall.SYS_OLDUNAME, + "IOPL": syscall.SYS_IOPL, + "VHANGUP": syscall.SYS_VHANGUP, + "IDLE": syscall.SYS_IDLE, + 
"VM86OLD": syscall.SYS_VM86OLD, + "WAIT4": syscall.SYS_WAIT4, + "SWAPOFF": syscall.SYS_SWAPOFF, + "SYSINFO": syscall.SYS_SYSINFO, + "IPC": syscall.SYS_IPC, + "FSYNC": syscall.SYS_FSYNC, + "SIGRETURN": syscall.SYS_SIGRETURN, + "CLONE": syscall.SYS_CLONE, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "UNAME": syscall.SYS_UNAME, + "MODIFY_LDT": syscall.SYS_MODIFY_LDT, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "MPROTECT": syscall.SYS_MPROTECT, + "SIGPROCMASK": syscall.SYS_SIGPROCMASK, + "CREATE_MODULE": syscall.SYS_CREATE_MODULE, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, + "QUOTACTL": syscall.SYS_QUOTACTL, + "GETPGID": syscall.SYS_GETPGID, + "FCHDIR": syscall.SYS_FCHDIR, + "BDFLUSH": syscall.SYS_BDFLUSH, + "SYSFS": syscall.SYS_SYSFS, + "PERSONALITY": syscall.SYS_PERSONALITY, + "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "_LLSEEK": syscall.SYS__LLSEEK, + "GETDENTS": syscall.SYS_GETDENTS, + "_NEWSELECT": syscall.SYS__NEWSELECT, + "FLOCK": syscall.SYS_FLOCK, + "MSYNC": syscall.SYS_MSYNC, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "GETSID": syscall.SYS_GETSID, + "FDATASYNC": syscall.SYS_FDATASYNC, + "_SYSCTL": syscall.SYS__SYSCTL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "MREMAP": syscall.SYS_MREMAP, + "SETRESUID": 
syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "VM86": syscall.SYS_VM86, + "QUERY_MODULE": syscall.SYS_QUERY_MODULE, + "POLL": syscall.SYS_POLL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "PRCTL": syscall.SYS_PRCTL, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "CHOWN": syscall.SYS_CHOWN, + "GETCWD": syscall.SYS_GETCWD, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "SENDFILE": syscall.SYS_SENDFILE, + "GETPMSG": syscall.SYS_GETPMSG, + "PUTPMSG": syscall.SYS_PUTPMSG, + "VFORK": syscall.SYS_VFORK, + "UGETRLIMIT": syscall.SYS_UGETRLIMIT, + "MMAP2": syscall.SYS_MMAP2, + "TRUNCATE64": syscall.SYS_TRUNCATE64, + "FTRUNCATE64": syscall.SYS_FTRUNCATE64, + "STAT64": syscall.SYS_STAT64, + "LSTAT64": syscall.SYS_LSTAT64, + "FSTAT64": syscall.SYS_FSTAT64, + "LCHOWN32": syscall.SYS_LCHOWN32, + "GETUID32": syscall.SYS_GETUID32, + "GETGID32": syscall.SYS_GETGID32, + "GETEUID32": syscall.SYS_GETEUID32, + "GETEGID32": syscall.SYS_GETEGID32, + "SETREUID32": syscall.SYS_SETREUID32, + "SETREGID32": syscall.SYS_SETREGID32, + "GETGROUPS32": syscall.SYS_GETGROUPS32, + "SETGROUPS32": syscall.SYS_SETGROUPS32, + "FCHOWN32": syscall.SYS_FCHOWN32, + "SETRESUID32": syscall.SYS_SETRESUID32, + "GETRESUID32": syscall.SYS_GETRESUID32, + "SETRESGID32": syscall.SYS_SETRESGID32, + "GETRESGID32": syscall.SYS_GETRESGID32, + "CHOWN32": syscall.SYS_CHOWN32, + "SETUID32": syscall.SYS_SETUID32, + "SETGID32": syscall.SYS_SETGID32, + "SETFSUID32": syscall.SYS_SETFSUID32, + "SETFSGID32": syscall.SYS_SETFSGID32, + 
"PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "MADVISE1": syscall.SYS_MADVISE1, + "GETDENTS64": syscall.SYS_GETDENTS64, + "FCNTL64": syscall.SYS_FCNTL64, + "GETTID": syscall.SYS_GETTID, + "READAHEAD": syscall.SYS_READAHEAD, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "TKILL": syscall.SYS_TKILL, + "SENDFILE64": syscall.SYS_SENDFILE64, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "SET_THREAD_AREA": syscall.SYS_SET_THREAD_AREA, + "GET_THREAD_AREA": syscall.SYS_GET_THREAD_AREA, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "FADVISE64": syscall.SYS_FADVISE64, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + 
"CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "STATFS64": syscall.SYS_STATFS64, + "FSTATFS64": syscall.SYS_FSTATFS64, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "FADVISE64_64": syscall.SYS_FADVISE64_64, + "VSERVER": syscall.SYS_VSERVER, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "WAITID": syscall.SYS_WAITID, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + "FSTATAT64": syscall.SYS_FSTATAT64, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SPLICE": syscall.SYS_SPLICE, + "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE, + "TEE": syscall.SYS_TEE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "GETCPU": syscall.SYS_GETCPU, + "EPOLL_PWAIT": 
syscall.SYS_EPOLL_PWAIT, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "FALLOCATE": syscall.SYS_FALLOCATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "RECVMMSG": syscall.SYS_RECVMMSG, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "PRLIMIT64": syscall.SYS_PRLIMIT64, +} + +var SyscallMapMin = map[string]uint32{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_amd64.go b/seccomp/syscall_linux_amd64.go new file mode 100755 index 00000000..b44d5546 --- /dev/null +++ b/seccomp/syscall_linux_amd64.go 
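Review bot: The five SECCOMP_RET_*, SECCOMP_MODE_FILTER and PR_SET_NO_NEW_PRIVS constants are repeated verbatim in this file and in the amd64 (syscall_linux_amd64.go) and arm hunks; they are kernel ABI constants, not per-architecture values, and belong in one arch-independent file of the package so the copies cannot drift. SyscallMapMin is `map[string]uint32` here but `map[string]int` in the amd64 hunk — ScmpLoad only ranges over the keys so both compile, but the types should agree, with uint32 matching SyscallMap. A doc comment on SyscallMap stating that the keys are the upper-case `SYS_` names from package syscall would make the config name format discoverable, and on this table it is worth spelling out that the legacy "STAT"/"LSTAT"/"FSTAT" entries are distinct from "STAT64"/"LSTAT64"/"FSTAT64", since a config that keeps only one family may not cover the calls a given libc makes. The arm table is cut off in this view, so I have not checked its tail.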
@@ -0,0 +1,329 @@ +// +build linux +// +build amd64 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "STAT": syscall.SYS_STAT, + "FSTAT": syscall.SYS_FSTAT, + "LSTAT": syscall.SYS_LSTAT, + "POLL": syscall.SYS_POLL, + "LSEEK": syscall.SYS_LSEEK, + "MMAP": syscall.SYS_MMAP, + "MPROTECT": syscall.SYS_MPROTECT, + "MUNMAP": syscall.SYS_MUNMAP, + "BRK": syscall.SYS_BRK, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "IOCTL": syscall.SYS_IOCTL, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "ACCESS": syscall.SYS_ACCESS, + "PIPE": syscall.SYS_PIPE, + "SELECT": syscall.SYS_SELECT, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "MREMAP": syscall.SYS_MREMAP, + "MSYNC": syscall.SYS_MSYNC, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "SHMGET": syscall.SYS_SHMGET, + "SHMAT": syscall.SYS_SHMAT, + "SHMCTL": syscall.SYS_SHMCTL, + "DUP": syscall.SYS_DUP, + "DUP2": syscall.SYS_DUP2, + "PAUSE": syscall.SYS_PAUSE, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "GETITIMER": syscall.SYS_GETITIMER, + "ALARM": syscall.SYS_ALARM, + "SETITIMER": syscall.SYS_SETITIMER, + "GETPID": syscall.SYS_GETPID, + "SENDFILE": syscall.SYS_SENDFILE, + "SOCKET": syscall.SYS_SOCKET, + "CONNECT": syscall.SYS_CONNECT, + "ACCEPT": syscall.SYS_ACCEPT, + "SENDTO": syscall.SYS_SENDTO, + "RECVFROM": syscall.SYS_RECVFROM, + "SENDMSG": syscall.SYS_SENDMSG, + "RECVMSG": syscall.SYS_RECVMSG, + "SHUTDOWN": syscall.SYS_SHUTDOWN, + "BIND": syscall.SYS_BIND, + "LISTEN": syscall.SYS_LISTEN, + "GETSOCKNAME": 
syscall.SYS_GETSOCKNAME, + "GETPEERNAME": syscall.SYS_GETPEERNAME, + "SOCKETPAIR": syscall.SYS_SOCKETPAIR, + "SETSOCKOPT": syscall.SYS_SETSOCKOPT, + "GETSOCKOPT": syscall.SYS_GETSOCKOPT, + "CLONE": syscall.SYS_CLONE, + "FORK": syscall.SYS_FORK, + "VFORK": syscall.SYS_VFORK, + "EXECVE": syscall.SYS_EXECVE, + "EXIT": syscall.SYS_EXIT, + "WAIT4": syscall.SYS_WAIT4, + "KILL": syscall.SYS_KILL, + "UNAME": syscall.SYS_UNAME, + "SEMGET": syscall.SYS_SEMGET, + "SEMOP": syscall.SYS_SEMOP, + "SEMCTL": syscall.SYS_SEMCTL, + "SHMDT": syscall.SYS_SHMDT, + "MSGGET": syscall.SYS_MSGGET, + "MSGSND": syscall.SYS_MSGSND, + "MSGRCV": syscall.SYS_MSGRCV, + "MSGCTL": syscall.SYS_MSGCTL, + "FCNTL": syscall.SYS_FCNTL, + "FLOCK": syscall.SYS_FLOCK, + "FSYNC": syscall.SYS_FSYNC, + "FDATASYNC": syscall.SYS_FDATASYNC, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "GETDENTS": syscall.SYS_GETDENTS, + "GETCWD": syscall.SYS_GETCWD, + "CHDIR": syscall.SYS_CHDIR, + "FCHDIR": syscall.SYS_FCHDIR, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "SYMLINK": syscall.SYS_SYMLINK, + "READLINK": syscall.SYS_READLINK, + "CHMOD": syscall.SYS_CHMOD, + "FCHMOD": syscall.SYS_FCHMOD, + "CHOWN": syscall.SYS_CHOWN, + "FCHOWN": syscall.SYS_FCHOWN, + "LCHOWN": syscall.SYS_LCHOWN, + "UMASK": syscall.SYS_UMASK, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "SYSINFO": syscall.SYS_SYSINFO, + "TIMES": syscall.SYS_TIMES, + "PTRACE": syscall.SYS_PTRACE, + "GETUID": syscall.SYS_GETUID, + "SYSLOG": syscall.SYS_SYSLOG, + "GETGID": syscall.SYS_GETGID, + "SETUID": syscall.SYS_SETUID, + "SETGID": syscall.SYS_SETGID, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "SETPGID": syscall.SYS_SETPGID, + "GETPPID": syscall.SYS_GETPPID, + "GETPGRP": syscall.SYS_GETPGRP, + 
"SETSID": syscall.SYS_SETSID, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SETRESUID": syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "GETPGID": syscall.SYS_GETPGID, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "GETSID": syscall.SYS_GETSID, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "UTIME": syscall.SYS_UTIME, + "MKNOD": syscall.SYS_MKNOD, + "USELIB": syscall.SYS_USELIB, + "PERSONALITY": syscall.SYS_PERSONALITY, + "USTAT": syscall.SYS_USTAT, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "SYSFS": syscall.SYS_SYSFS, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "VHANGUP": syscall.SYS_VHANGUP, + "MODIFY_LDT": syscall.SYS_MODIFY_LDT, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "_SYSCTL": syscall.SYS__SYSCTL, + "PRCTL": syscall.SYS_PRCTL, + "ARCH_PRCTL": syscall.SYS_ARCH_PRCTL, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "CHROOT": syscall.SYS_CHROOT, + "SYNC": syscall.SYS_SYNC, 
+ "ACCT": syscall.SYS_ACCT, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "SWAPON": syscall.SYS_SWAPON, + "SWAPOFF": syscall.SYS_SWAPOFF, + "REBOOT": syscall.SYS_REBOOT, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "IOPL": syscall.SYS_IOPL, + "IOPERM": syscall.SYS_IOPERM, + "CREATE_MODULE": syscall.SYS_CREATE_MODULE, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, + "QUERY_MODULE": syscall.SYS_QUERY_MODULE, + "QUOTACTL": syscall.SYS_QUOTACTL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "GETPMSG": syscall.SYS_GETPMSG, + "PUTPMSG": syscall.SYS_PUTPMSG, + "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, + "TUXCALL": syscall.SYS_TUXCALL, + "SECURITY": syscall.SYS_SECURITY, + "GETTID": syscall.SYS_GETTID, + "READAHEAD": syscall.SYS_READAHEAD, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "TKILL": syscall.SYS_TKILL, + "TIME": syscall.SYS_TIME, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "SET_THREAD_AREA": syscall.SYS_SET_THREAD_AREA, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "GET_THREAD_AREA": syscall.SYS_GET_THREAD_AREA, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + 
"EPOLL_CTL_OLD": syscall.SYS_EPOLL_CTL_OLD, + "EPOLL_WAIT_OLD": syscall.SYS_EPOLL_WAIT_OLD, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "GETDENTS64": syscall.SYS_GETDENTS64, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP, + "FADVISE64": syscall.SYS_FADVISE64, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "VSERVER": syscall.SYS_VSERVER, + "MBIND": syscall.SYS_MBIND, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "WAITID": syscall.SYS_WAITID, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + 
"NEWFSTATAT": syscall.SYS_NEWFSTATAT, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SPLICE": syscall.SYS_SPLICE, + "TEE": syscall.SYS_TEE, + "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "FALLOCATE": syscall.SYS_FALLOCATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "ACCEPT4": syscall.SYS_ACCEPT4, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "RECVMMSG": syscall.SYS_RECVMMSG, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "PRLIMIT64": syscall.SYS_PRLIMIT64, +} + +var SyscallMapMin = map[string]int{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_arm.go b/seccomp/syscall_linux_arm.go new file mode 100644 index 00000000..141ec76a --- /dev/null +++ b/seccomp/syscall_linux_arm.go 
@@ -0,0 +1,373 @@ +// +build linux +// +build arm + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "OABI_SYSCALL_BASE": syscall.SYS_OABI_SYSCALL_BASE, + "SYSCALL_BASE": syscall.SYS_SYSCALL_BASE, + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "EXIT": syscall.SYS_EXIT, + "FORK": syscall.SYS_FORK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "EXECVE": syscall.SYS_EXECVE, + "CHDIR": syscall.SYS_CHDIR, + "TIME": syscall.SYS_TIME, + "MKNOD": syscall.SYS_MKNOD, + "CHMOD": syscall.SYS_CHMOD, + "LCHOWN": syscall.SYS_LCHOWN, + "LSEEK": syscall.SYS_LSEEK, + "GETPID": syscall.SYS_GETPID, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT": syscall.SYS_UMOUNT, + "SETUID": syscall.SYS_SETUID, + "GETUID": syscall.SYS_GETUID, + "STIME": syscall.SYS_STIME, + "PTRACE": syscall.SYS_PTRACE, + "ALARM": syscall.SYS_ALARM, + "PAUSE": syscall.SYS_PAUSE, + "UTIME": syscall.SYS_UTIME, + "ACCESS": syscall.SYS_ACCESS, + "NICE": syscall.SYS_NICE, + "SYNC": syscall.SYS_SYNC, + "KILL": syscall.SYS_KILL, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "DUP": syscall.SYS_DUP, + "PIPE": syscall.SYS_PIPE, + "TIMES": syscall.SYS_TIMES, + "BRK": syscall.SYS_BRK, + "SETGID": syscall.SYS_SETGID, + "GETGID": syscall.SYS_GETGID, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "ACCT": syscall.SYS_ACCT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "IOCTL": syscall.SYS_IOCTL, + "FCNTL": syscall.SYS_FCNTL, + "SETPGID": syscall.SYS_SETPGID, + "UMASK": syscall.SYS_UMASK, + "CHROOT": syscall.SYS_CHROOT, + "USTAT": syscall.SYS_USTAT, + "DUP2": syscall.SYS_DUP2, + "GETPPID": syscall.SYS_GETPPID, + 
"GETPGRP": syscall.SYS_GETPGRP, + "SETSID": syscall.SYS_SETSID, + "SIGACTION": syscall.SYS_SIGACTION, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "SIGSUSPEND": syscall.SYS_SIGSUSPEND, + "SIGPENDING": syscall.SYS_SIGPENDING, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SELECT": syscall.SYS_SELECT, + "SYMLINK": syscall.SYS_SYMLINK, + "READLINK": syscall.SYS_READLINK, + "USELIB": syscall.SYS_USELIB, + "SWAPON": syscall.SYS_SWAPON, + "REBOOT": syscall.SYS_REBOOT, + "READDIR": syscall.SYS_READDIR, + "MMAP": syscall.SYS_MMAP, + "MUNMAP": syscall.SYS_MUNMAP, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHOWN": syscall.SYS_FCHOWN, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "SOCKETCALL": syscall.SYS_SOCKETCALL, + "SYSLOG": syscall.SYS_SYSLOG, + "SETITIMER": syscall.SYS_SETITIMER, + "GETITIMER": syscall.SYS_GETITIMER, + "STAT": syscall.SYS_STAT, + "LSTAT": syscall.SYS_LSTAT, + "FSTAT": syscall.SYS_FSTAT, + "VHANGUP": syscall.SYS_VHANGUP, + "SYSCALL": syscall.SYS_SYSCALL, + "WAIT4": syscall.SYS_WAIT4, + "SWAPOFF": syscall.SYS_SWAPOFF, + "SYSINFO": syscall.SYS_SYSINFO, + "IPC": syscall.SYS_IPC, + "FSYNC": syscall.SYS_FSYNC, + "SIGRETURN": syscall.SYS_SIGRETURN, + "CLONE": syscall.SYS_CLONE, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "UNAME": syscall.SYS_UNAME, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "MPROTECT": syscall.SYS_MPROTECT, + "SIGPROCMASK": syscall.SYS_SIGPROCMASK, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "QUOTACTL": syscall.SYS_QUOTACTL, + 
"GETPGID": syscall.SYS_GETPGID, + "FCHDIR": syscall.SYS_FCHDIR, + "BDFLUSH": syscall.SYS_BDFLUSH, + "SYSFS": syscall.SYS_SYSFS, + "PERSONALITY": syscall.SYS_PERSONALITY, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "_LLSEEK": syscall.SYS__LLSEEK, + "GETDENTS": syscall.SYS_GETDENTS, + "_NEWSELECT": syscall.SYS__NEWSELECT, + "FLOCK": syscall.SYS_FLOCK, + "MSYNC": syscall.SYS_MSYNC, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "GETSID": syscall.SYS_GETSID, + "FDATASYNC": syscall.SYS_FDATASYNC, + "_SYSCTL": syscall.SYS__SYSCTL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "MREMAP": syscall.SYS_MREMAP, + "SETRESUID": syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "POLL": syscall.SYS_POLL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "PRCTL": syscall.SYS_PRCTL, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "CHOWN": syscall.SYS_CHOWN, + "GETCWD": syscall.SYS_GETCWD, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": 
syscall.SYS_CAPSET, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "SENDFILE": syscall.SYS_SENDFILE, + "VFORK": syscall.SYS_VFORK, + "UGETRLIMIT": syscall.SYS_UGETRLIMIT, + "MMAP2": syscall.SYS_MMAP2, + "TRUNCATE64": syscall.SYS_TRUNCATE64, + "FTRUNCATE64": syscall.SYS_FTRUNCATE64, + "STAT64": syscall.SYS_STAT64, + "LSTAT64": syscall.SYS_LSTAT64, + "FSTAT64": syscall.SYS_FSTAT64, + "LCHOWN32": syscall.SYS_LCHOWN32, + "GETUID32": syscall.SYS_GETUID32, + "GETGID32": syscall.SYS_GETGID32, + "GETEUID32": syscall.SYS_GETEUID32, + "GETEGID32": syscall.SYS_GETEGID32, + "SETREUID32": syscall.SYS_SETREUID32, + "SETREGID32": syscall.SYS_SETREGID32, + "GETGROUPS32": syscall.SYS_GETGROUPS32, + "SETGROUPS32": syscall.SYS_SETGROUPS32, + "FCHOWN32": syscall.SYS_FCHOWN32, + "SETRESUID32": syscall.SYS_SETRESUID32, + "GETRESUID32": syscall.SYS_GETRESUID32, + "SETRESGID32": syscall.SYS_SETRESGID32, + "GETRESGID32": syscall.SYS_GETRESGID32, + "CHOWN32": syscall.SYS_CHOWN32, + "SETUID32": syscall.SYS_SETUID32, + "SETGID32": syscall.SYS_SETGID32, + "SETFSUID32": syscall.SYS_SETFSUID32, + "SETFSGID32": syscall.SYS_SETFSGID32, + "GETDENTS64": syscall.SYS_GETDENTS64, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "FCNTL64": syscall.SYS_FCNTL64, + "GETTID": syscall.SYS_GETTID, + "READAHEAD": syscall.SYS_READAHEAD, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "TKILL": syscall.SYS_TKILL, + "SENDFILE64": syscall.SYS_SENDFILE64, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + 
"SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "STATFS64": syscall.SYS_STATFS64, + "FSTATFS64": syscall.SYS_FSTATFS64, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "ARM_FADVISE64_64": syscall.SYS_ARM_FADVISE64_64, + "PCICONFIG_IOBASE": syscall.SYS_PCICONFIG_IOBASE, + "PCICONFIG_READ": syscall.SYS_PCICONFIG_READ, + "PCICONFIG_WRITE": syscall.SYS_PCICONFIG_WRITE, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "WAITID": syscall.SYS_WAITID, + "SOCKET": syscall.SYS_SOCKET, + "BIND": syscall.SYS_BIND, + "CONNECT": syscall.SYS_CONNECT, + "LISTEN": syscall.SYS_LISTEN, + "ACCEPT": syscall.SYS_ACCEPT, + "GETSOCKNAME": syscall.SYS_GETSOCKNAME, + "GETPEERNAME": syscall.SYS_GETPEERNAME, + "SOCKETPAIR": syscall.SYS_SOCKETPAIR, + "SEND": syscall.SYS_SEND, + "SENDTO": syscall.SYS_SENDTO, + "RECV": syscall.SYS_RECV, + "RECVFROM": 
syscall.SYS_RECVFROM, + "SHUTDOWN": syscall.SYS_SHUTDOWN, + "SETSOCKOPT": syscall.SYS_SETSOCKOPT, + "GETSOCKOPT": syscall.SYS_GETSOCKOPT, + "SENDMSG": syscall.SYS_SENDMSG, + "RECVMSG": syscall.SYS_RECVMSG, + "SEMOP": syscall.SYS_SEMOP, + "SEMGET": syscall.SYS_SEMGET, + "SEMCTL": syscall.SYS_SEMCTL, + "MSGSND": syscall.SYS_MSGSND, + "MSGRCV": syscall.SYS_MSGRCV, + "MSGGET": syscall.SYS_MSGGET, + "MSGCTL": syscall.SYS_MSGCTL, + "SHMAT": syscall.SYS_SHMAT, + "SHMDT": syscall.SYS_SHMDT, + "SHMGET": syscall.SYS_SHMGET, + "SHMCTL": syscall.SYS_SHMCTL, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP, + "VSERVER": syscall.SYS_VSERVER, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + "FSTATAT64": syscall.SYS_FSTATAT64, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SPLICE": syscall.SYS_SPLICE, + "ARM_SYNC_FILE_RANGE": syscall.SYS_ARM_SYNC_FILE_RANGE, + "TEE": syscall.SYS_TEE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "GETCPU": syscall.SYS_GETCPU, + "EPOLL_PWAIT": 
syscall.SYS_EPOLL_PWAIT, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "FALLOCATE": syscall.SYS_FALLOCATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "RECVMMSG": syscall.SYS_RECVMMSG, + "ACCEPT4": syscall.SYS_ACCEPT4, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "PRLIMIT64": syscall.SYS_PRLIMIT64, + "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT, + "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT, + "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME, + "SYNCFS": syscall.SYS_SYNCFS, + "SENDMMSG": syscall.SYS_SENDMMSG, + "SETNS": syscall.SYS_SETNS, + "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV, + "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV, +} + +var SyscallMapMin = map[string]int{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_arm64.go b/seccomp/syscall_linux_arm64.go new file mode 100644 index 00000000..4c94ef91 --- /dev/null +++ b/seccomp/syscall_linux_arm64.go 
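Review bot: The first two entries of SyscallMap, `"OABI_SYSCALL_BASE": syscall.SYS_OABI_SYSCALL_BASE` and `"SYSCALL_BASE": syscall.SYS_SYSCALL_BASE`, are ABI base offsets rather than system calls (SYSCALL_BASE is 0 on EABI, the same number as restart_syscall), so they add nothing to the allow list and give anyone copying the key names into a config a misleading entry; drop both. The table also has no entry for the ARM private calls that Go's syscall package does not export (`__ARM_NR_set_tls` 0x0f0005, `__ARM_NR_cacheflush` 0x0f0002); if the BPF program in seccomp.go kills numbers absent from the table, glibc's TLS setup at process start would presumably be killed on this architecture even in the default keep-everything configuration, so this deserves a comment on SyscallMap and an integration run on arm. `SyscallMapMin` is declared `map[string]int` while `SyscallMap` is `map[string]uint32`; the same mismatch appears in the preceding file and in the arm64 and ppc64 hunks below, and one type (uint32, the width the filter compares) would avoid conversions at the use site. The five SECCOMP_*/PR_SET_NO_NEW_PRIVS constants are architecture-independent and are repeated verbatim in each per-arch file, including arm64 and ppc64; they belong in one shared file of the package.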
@@ -0,0 +1,294 @@ +// +build linux +// +build arm64 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "GETCWD": syscall.SYS_GETCWD, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT, + "DUP": syscall.SYS_DUP, + "DUP3": syscall.SYS_DUP3, + "FCNTL": syscall.SYS_FCNTL, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "IOCTL": syscall.SYS_IOCTL, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + "IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "FLOCK": syscall.SYS_FLOCK, + "MKNODAT": syscall.SYS_MKNODAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "UNLINKAT": syscall.SYS_UNLINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "LINKAT": syscall.SYS_LINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "MOUNT": syscall.SYS_MOUNT, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": 
syscall.SYS_FSTATFS, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FALLOCATE": syscall.SYS_FALLOCATE, + "FACCESSAT": syscall.SYS_FACCESSAT, + "CHDIR": syscall.SYS_CHDIR, + "FCHDIR": syscall.SYS_FCHDIR, + "CHROOT": syscall.SYS_CHROOT, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FCHOWN": syscall.SYS_FCHOWN, + "OPENAT": syscall.SYS_OPENAT, + "CLOSE": syscall.SYS_CLOSE, + "VHANGUP": syscall.SYS_VHANGUP, + "PIPE2": syscall.SYS_PIPE2, + "QUOTACTL": syscall.SYS_QUOTACTL, + "GETDENTS64": syscall.SYS_GETDENTS64, + "LSEEK": syscall.SYS_LSEEK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "SENDFILE": syscall.SYS_SENDFILE, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "VMSPLICE": syscall.SYS_VMSPLICE, + "SPLICE": syscall.SYS_SPLICE, + "TEE": syscall.SYS_TEE, + "READLINKAT": syscall.SYS_READLINKAT, + "FSTATAT": syscall.SYS_FSTATAT, + "FSTAT": syscall.SYS_FSTAT, + "SYNC": syscall.SYS_SYNC, + "FSYNC": syscall.SYS_FSYNC, + "FDATASYNC": syscall.SYS_FDATASYNC, + "SYNC_FILE_RANGE2": syscall.SYS_SYNC_FILE_RANGE2, + "SYNC_FILE_RANGE": syscall.SYS_SYNC_FILE_RANGE, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "ACCT": syscall.SYS_ACCT, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "PERSONALITY": syscall.SYS_PERSONALITY, + "EXIT": syscall.SYS_EXIT, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "WAITID": syscall.SYS_WAITID, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "UNSHARE": syscall.SYS_UNSHARE, + "FUTEX": syscall.SYS_FUTEX, + "SET_ROBUST_LIST": 
syscall.SYS_SET_ROBUST_LIST, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "GETITIMER": syscall.SYS_GETITIMER, + "SETITIMER": syscall.SYS_SETITIMER, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "SYSLOG": syscall.SYS_SYSLOG, + "PTRACE": syscall.SYS_PTRACE, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETAFFINITY": syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "KILL": syscall.SYS_KILL, + "TKILL": syscall.SYS_TKILL, + "TGKILL": syscall.SYS_TGKILL, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "REBOOT": syscall.SYS_REBOOT, + "SETREGID": 
syscall.SYS_SETREGID, + "SETGID": syscall.SYS_SETGID, + "SETREUID": syscall.SYS_SETREUID, + "SETUID": syscall.SYS_SETUID, + "SETRESUID": syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "TIMES": syscall.SYS_TIMES, + "SETPGID": syscall.SYS_SETPGID, + "GETPGID": syscall.SYS_GETPGID, + "GETSID": syscall.SYS_GETSID, + "SETSID": syscall.SYS_SETSID, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "UNAME": syscall.SYS_UNAME, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "UMASK": syscall.SYS_UMASK, + "PRCTL": syscall.SYS_PRCTL, + "GETCPU": syscall.SYS_GETCPU, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "GETPID": syscall.SYS_GETPID, + "GETPPID": syscall.SYS_GETPPID, + "GETUID": syscall.SYS_GETUID, + "GETEUID": syscall.SYS_GETEUID, + "GETGID": syscall.SYS_GETGID, + "GETEGID": syscall.SYS_GETEGID, + "GETTID": syscall.SYS_GETTID, + "SYSINFO": syscall.SYS_SYSINFO, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "MSGGET": syscall.SYS_MSGGET, + "MSGCTL": syscall.SYS_MSGCTL, + "MSGRCV": syscall.SYS_MSGRCV, + "MSGSND": syscall.SYS_MSGSND, + "SEMGET": syscall.SYS_SEMGET, + "SEMCTL": syscall.SYS_SEMCTL, + "SEMTIMEDOP": syscall.SYS_SEMTIMEDOP, + "SEMOP": syscall.SYS_SEMOP, + "SHMGET": syscall.SYS_SHMGET, + "SHMCTL": syscall.SYS_SHMCTL, + "SHMAT": syscall.SYS_SHMAT, + "SHMDT": syscall.SYS_SHMDT, + "SOCKET": syscall.SYS_SOCKET, + "SOCKETPAIR": 
syscall.SYS_SOCKETPAIR, + "BIND": syscall.SYS_BIND, + "LISTEN": syscall.SYS_LISTEN, + "ACCEPT": syscall.SYS_ACCEPT, + "CONNECT": syscall.SYS_CONNECT, + "GETSOCKNAME": syscall.SYS_GETSOCKNAME, + "GETPEERNAME": syscall.SYS_GETPEERNAME, + "SENDTO": syscall.SYS_SENDTO, + "RECVFROM": syscall.SYS_RECVFROM, + "SETSOCKOPT": syscall.SYS_SETSOCKOPT, + "GETSOCKOPT": syscall.SYS_GETSOCKOPT, + "SHUTDOWN": syscall.SYS_SHUTDOWN, + "SENDMSG": syscall.SYS_SENDMSG, + "RECVMSG": syscall.SYS_RECVMSG, + "READAHEAD": syscall.SYS_READAHEAD, + "BRK": syscall.SYS_BRK, + "MUNMAP": syscall.SYS_MUNMAP, + "MREMAP": syscall.SYS_MREMAP, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "CLONE": syscall.SYS_CLONE, + "EXECVE": syscall.SYS_EXECVE, + "MMAP": syscall.SYS_MMAP, + "FADVISE64": syscall.SYS_FADVISE64, + "SWAPON": syscall.SYS_SWAPON, + "SWAPOFF": syscall.SYS_SWAPOFF, + "MPROTECT": syscall.SYS_MPROTECT, + "MSYNC": syscall.SYS_MSYNC, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "MINCORE": syscall.SYS_MINCORE, + "MADVISE": syscall.SYS_MADVISE, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "ACCEPT4": syscall.SYS_ACCEPT4, + "RECVMMSG": syscall.SYS_RECVMMSG, + "ARCH_SPECIFIC_SYSCALL": syscall.SYS_ARCH_SPECIFIC_SYSCALL, + "WAIT4": syscall.SYS_WAIT4, + "PRLIMIT64": syscall.SYS_PRLIMIT64, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": syscall.SYS_FANOTIFY_MARK, + "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT, + "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT, + "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME, 
+ "SYNCFS": syscall.SYS_SYNCFS, + "SETNS": syscall.SYS_SETNS, + "SENDMMSG": syscall.SYS_SENDMMSG, + "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV, + "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV, + "KCMP": syscall.SYS_KCMP, + "FINIT_MODULE": syscall.SYS_FINIT_MODULE, + "SCHED_SETATTR": syscall.SYS_SCHED_SETATTR, + "SCHED_GETATTR": syscall.SYS_SCHED_GETATTR, + "RENAMEAT2": syscall.SYS_RENAMEAT2, + "SECCOMP": syscall.SYS_SECCOMP, + "GETRANDOM": syscall.SYS_GETRANDOM, + "MEMFD_CREATE": syscall.SYS_MEMFD_CREATE, + "BPF": syscall.SYS_BPF, + "EXECVEAT": syscall.SYS_EXECVEAT, +} + +var SyscallMapMin = map[string]int{ + "WRITE": syscall.SYS_WRITE, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "FUTEX": syscall.SYS_FUTEX, +} diff --git a/seccomp/syscall_linux_ppc64.go b/seccomp/syscall_linux_ppc64.go new file mode 100644 index 00000000..43af1bb2 --- /dev/null +++ b/seccomp/syscall_linux_ppc64.go 
@@ -0,0 +1,370 @@ +// +build linux +// +build ppc64 + +package seccomp + +import ( + "syscall" +) + +const ( + SECCOMP_RET_KILL = 0x00000000 + SECCOMP_RET_TRAP = 0x00030000 + SECCOMP_RET_ALLOW = 0x7fff0000 + SECCOMP_MODE_FILTER = 0x2 + PR_SET_NO_NEW_PRIVS = 0x26 +) + +var SyscallMap = map[string]uint32{ + "RESTART_SYSCALL": syscall.SYS_RESTART_SYSCALL, + "EXIT": syscall.SYS_EXIT, + "FORK": syscall.SYS_FORK, + "READ": syscall.SYS_READ, + "WRITE": syscall.SYS_WRITE, + "OPEN": syscall.SYS_OPEN, + "CLOSE": syscall.SYS_CLOSE, + "WAITPID": syscall.SYS_WAITPID, + "CREAT": syscall.SYS_CREAT, + "LINK": syscall.SYS_LINK, + "UNLINK": syscall.SYS_UNLINK, + "EXECVE": syscall.SYS_EXECVE, + "CHDIR": syscall.SYS_CHDIR, + "TIME": syscall.SYS_TIME, + "MKNOD": syscall.SYS_MKNOD, + "CHMOD": syscall.SYS_CHMOD, + "LCHOWN": syscall.SYS_LCHOWN, + "BREAK": syscall.SYS_BREAK, + "OLDSTAT": syscall.SYS_OLDSTAT, + "LSEEK": syscall.SYS_LSEEK, + "GETPID": syscall.SYS_GETPID, + "MOUNT": syscall.SYS_MOUNT, + "UMOUNT": syscall.SYS_UMOUNT, + "SETUID": syscall.SYS_SETUID, + "GETUID": syscall.SYS_GETUID, + "STIME": syscall.SYS_STIME, + "PTRACE": syscall.SYS_PTRACE, + "ALARM": syscall.SYS_ALARM, + "OLDFSTAT": syscall.SYS_OLDFSTAT, + "PAUSE": syscall.SYS_PAUSE, + "UTIME": syscall.SYS_UTIME, + "STTY": syscall.SYS_STTY, + "GTTY": syscall.SYS_GTTY, + "ACCESS": syscall.SYS_ACCESS, + "NICE": syscall.SYS_NICE, + "FTIME": syscall.SYS_FTIME, + "SYNC": syscall.SYS_SYNC, + "KILL": syscall.SYS_KILL, + "RENAME": syscall.SYS_RENAME, + "MKDIR": syscall.SYS_MKDIR, + "RMDIR": syscall.SYS_RMDIR, + "DUP": syscall.SYS_DUP, + "PIPE": syscall.SYS_PIPE, + "TIMES": syscall.SYS_TIMES, + "PROF": syscall.SYS_PROF, + "BRK": syscall.SYS_BRK, + "SETGID": syscall.SYS_SETGID, + "GETGID": syscall.SYS_GETGID, + "SIGNAL": syscall.SYS_SIGNAL, + "GETEUID": syscall.SYS_GETEUID, + "GETEGID": syscall.SYS_GETEGID, + "ACCT": syscall.SYS_ACCT, + "UMOUNT2": syscall.SYS_UMOUNT2, + "LOCK": syscall.SYS_LOCK, + "IOCTL": syscall.SYS_IOCTL, + "FCNTL": 
syscall.SYS_FCNTL, + "MPX": syscall.SYS_MPX, + "SETPGID": syscall.SYS_SETPGID, + "ULIMIT": syscall.SYS_ULIMIT, + "OLDOLDUNAME": syscall.SYS_OLDOLDUNAME, + "UMASK": syscall.SYS_UMASK, + "CHROOT": syscall.SYS_CHROOT, + "USTAT": syscall.SYS_USTAT, + "DUP2": syscall.SYS_DUP2, + "GETPPID": syscall.SYS_GETPPID, + "GETPGRP": syscall.SYS_GETPGRP, + "SETSID": syscall.SYS_SETSID, + "SIGACTION": syscall.SYS_SIGACTION, + "SGETMASK": syscall.SYS_SGETMASK, + "SSETMASK": syscall.SYS_SSETMASK, + "SETREUID": syscall.SYS_SETREUID, + "SETREGID": syscall.SYS_SETREGID, + "SIGSUSPEND": syscall.SYS_SIGSUSPEND, + "SIGPENDING": syscall.SYS_SIGPENDING, + "SETHOSTNAME": syscall.SYS_SETHOSTNAME, + "SETRLIMIT": syscall.SYS_SETRLIMIT, + "GETRLIMIT": syscall.SYS_GETRLIMIT, + "GETRUSAGE": syscall.SYS_GETRUSAGE, + "GETTIMEOFDAY": syscall.SYS_GETTIMEOFDAY, + "SETTIMEOFDAY": syscall.SYS_SETTIMEOFDAY, + "GETGROUPS": syscall.SYS_GETGROUPS, + "SETGROUPS": syscall.SYS_SETGROUPS, + "SELECT": syscall.SYS_SELECT, + "SYMLINK": syscall.SYS_SYMLINK, + "OLDLSTAT": syscall.SYS_OLDLSTAT, + "READLINK": syscall.SYS_READLINK, + "USELIB": syscall.SYS_USELIB, + "SWAPON": syscall.SYS_SWAPON, + "REBOOT": syscall.SYS_REBOOT, + "READDIR": syscall.SYS_READDIR, + "MMAP": syscall.SYS_MMAP, + "MUNMAP": syscall.SYS_MUNMAP, + "TRUNCATE": syscall.SYS_TRUNCATE, + "FTRUNCATE": syscall.SYS_FTRUNCATE, + "FCHMOD": syscall.SYS_FCHMOD, + "FCHOWN": syscall.SYS_FCHOWN, + "GETPRIORITY": syscall.SYS_GETPRIORITY, + "SETPRIORITY": syscall.SYS_SETPRIORITY, + "PROFIL": syscall.SYS_PROFIL, + "STATFS": syscall.SYS_STATFS, + "FSTATFS": syscall.SYS_FSTATFS, + "IOPERM": syscall.SYS_IOPERM, + "SOCKETCALL": syscall.SYS_SOCKETCALL, + "SYSLOG": syscall.SYS_SYSLOG, + "SETITIMER": syscall.SYS_SETITIMER, + "GETITIMER": syscall.SYS_GETITIMER, + "STAT": syscall.SYS_STAT, + "LSTAT": syscall.SYS_LSTAT, + "FSTAT": syscall.SYS_FSTAT, + "OLDUNAME": syscall.SYS_OLDUNAME, + "IOPL": syscall.SYS_IOPL, + "VHANGUP": syscall.SYS_VHANGUP, + "IDLE": syscall.SYS_IDLE, + 
"VM86": syscall.SYS_VM86, + "WAIT4": syscall.SYS_WAIT4, + "SWAPOFF": syscall.SYS_SWAPOFF, + "SYSINFO": syscall.SYS_SYSINFO, + "IPC": syscall.SYS_IPC, + "FSYNC": syscall.SYS_FSYNC, + "SIGRETURN": syscall.SYS_SIGRETURN, + "CLONE": syscall.SYS_CLONE, + "SETDOMAINNAME": syscall.SYS_SETDOMAINNAME, + "UNAME": syscall.SYS_UNAME, + "MODIFY_LDT": syscall.SYS_MODIFY_LDT, + "ADJTIMEX": syscall.SYS_ADJTIMEX, + "MPROTECT": syscall.SYS_MPROTECT, + "SIGPROCMASK": syscall.SYS_SIGPROCMASK, + "CREATE_MODULE": syscall.SYS_CREATE_MODULE, + "INIT_MODULE": syscall.SYS_INIT_MODULE, + "DELETE_MODULE": syscall.SYS_DELETE_MODULE, + "GET_KERNEL_SYMS": syscall.SYS_GET_KERNEL_SYMS, + "QUOTACTL": syscall.SYS_QUOTACTL, + "GETPGID": syscall.SYS_GETPGID, + "FCHDIR": syscall.SYS_FCHDIR, + "BDFLUSH": syscall.SYS_BDFLUSH, + "SYSFS": syscall.SYS_SYSFS, + "PERSONALITY": syscall.SYS_PERSONALITY, + "AFS_SYSCALL": syscall.SYS_AFS_SYSCALL, + "SETFSUID": syscall.SYS_SETFSUID, + "SETFSGID": syscall.SYS_SETFSGID, + "_LLSEEK": syscall.SYS__LLSEEK, + "GETDENTS": syscall.SYS_GETDENTS, + "_NEWSELECT": syscall.SYS__NEWSELECT, + "FLOCK": syscall.SYS_FLOCK, + "MSYNC": syscall.SYS_MSYNC, + "READV": syscall.SYS_READV, + "WRITEV": syscall.SYS_WRITEV, + "GETSID": syscall.SYS_GETSID, + "FDATASYNC": syscall.SYS_FDATASYNC, + "_SYSCTL": syscall.SYS__SYSCTL, + "MLOCK": syscall.SYS_MLOCK, + "MUNLOCK": syscall.SYS_MUNLOCK, + "MLOCKALL": syscall.SYS_MLOCKALL, + "MUNLOCKALL": syscall.SYS_MUNLOCKALL, + "SCHED_SETPARAM": syscall.SYS_SCHED_SETPARAM, + "SCHED_GETPARAM": syscall.SYS_SCHED_GETPARAM, + "SCHED_SETSCHEDULER": syscall.SYS_SCHED_SETSCHEDULER, + "SCHED_GETSCHEDULER": syscall.SYS_SCHED_GETSCHEDULER, + "SCHED_YIELD": syscall.SYS_SCHED_YIELD, + "SCHED_GET_PRIORITY_MAX": syscall.SYS_SCHED_GET_PRIORITY_MAX, + "SCHED_GET_PRIORITY_MIN": syscall.SYS_SCHED_GET_PRIORITY_MIN, + "SCHED_RR_GET_INTERVAL": syscall.SYS_SCHED_RR_GET_INTERVAL, + "NANOSLEEP": syscall.SYS_NANOSLEEP, + "MREMAP": syscall.SYS_MREMAP, + "SETRESUID": 
syscall.SYS_SETRESUID, + "GETRESUID": syscall.SYS_GETRESUID, + "QUERY_MODULE": syscall.SYS_QUERY_MODULE, + "POLL": syscall.SYS_POLL, + "NFSSERVCTL": syscall.SYS_NFSSERVCTL, + "SETRESGID": syscall.SYS_SETRESGID, + "GETRESGID": syscall.SYS_GETRESGID, + "PRCTL": syscall.SYS_PRCTL, + "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN, + "RT_SIGACTION": syscall.SYS_RT_SIGACTION, + "RT_SIGPROCMASK": syscall.SYS_RT_SIGPROCMASK, + "RT_SIGPENDING": syscall.SYS_RT_SIGPENDING, + "RT_SIGTIMEDWAIT": syscall.SYS_RT_SIGTIMEDWAIT, + "RT_SIGQUEUEINFO": syscall.SYS_RT_SIGQUEUEINFO, + "RT_SIGSUSPEND": syscall.SYS_RT_SIGSUSPEND, + "PREAD64": syscall.SYS_PREAD64, + "PWRITE64": syscall.SYS_PWRITE64, + "CHOWN": syscall.SYS_CHOWN, + "GETCWD": syscall.SYS_GETCWD, + "CAPGET": syscall.SYS_CAPGET, + "CAPSET": syscall.SYS_CAPSET, + "SIGALTSTACK": syscall.SYS_SIGALTSTACK, + "SENDFILE": syscall.SYS_SENDFILE, + "GETPMSG": syscall.SYS_GETPMSG, + "PUTPMSG": syscall.SYS_PUTPMSG, + "VFORK": syscall.SYS_VFORK, + "UGETRLIMIT": syscall.SYS_UGETRLIMIT, + "READAHEAD": syscall.SYS_READAHEAD, + "PCICONFIG_READ": syscall.SYS_PCICONFIG_READ, + "PCICONFIG_WRITE": syscall.SYS_PCICONFIG_WRITE, + "PCICONFIG_IOBASE": syscall.SYS_PCICONFIG_IOBASE, + "MULTIPLEXER": syscall.SYS_MULTIPLEXER, + "GETDENTS64": syscall.SYS_GETDENTS64, + "PIVOT_ROOT": syscall.SYS_PIVOT_ROOT, + "MADVISE": syscall.SYS_MADVISE, + "MINCORE": syscall.SYS_MINCORE, + "GETTID": syscall.SYS_GETTID, + "TKILL": syscall.SYS_TKILL, + "SETXATTR": syscall.SYS_SETXATTR, + "LSETXATTR": syscall.SYS_LSETXATTR, + "FSETXATTR": syscall.SYS_FSETXATTR, + "GETXATTR": syscall.SYS_GETXATTR, + "LGETXATTR": syscall.SYS_LGETXATTR, + "FGETXATTR": syscall.SYS_FGETXATTR, + "LISTXATTR": syscall.SYS_LISTXATTR, + "LLISTXATTR": syscall.SYS_LLISTXATTR, + "FLISTXATTR": syscall.SYS_FLISTXATTR, + "REMOVEXATTR": syscall.SYS_REMOVEXATTR, + "LREMOVEXATTR": syscall.SYS_LREMOVEXATTR, + "FREMOVEXATTR": syscall.SYS_FREMOVEXATTR, + "FUTEX": syscall.SYS_FUTEX, + "SCHED_SETAFFINITY": 
syscall.SYS_SCHED_SETAFFINITY, + "SCHED_GETAFFINITY": syscall.SYS_SCHED_GETAFFINITY, + "TUXCALL": syscall.SYS_TUXCALL, + "IO_SETUP": syscall.SYS_IO_SETUP, + "IO_DESTROY": syscall.SYS_IO_DESTROY, + "IO_GETEVENTS": syscall.SYS_IO_GETEVENTS, + "IO_SUBMIT": syscall.SYS_IO_SUBMIT, + "IO_CANCEL": syscall.SYS_IO_CANCEL, + "SET_TID_ADDRESS": syscall.SYS_SET_TID_ADDRESS, + "FADVISE64": syscall.SYS_FADVISE64, + "EXIT_GROUP": syscall.SYS_EXIT_GROUP, + "LOOKUP_DCOOKIE": syscall.SYS_LOOKUP_DCOOKIE, + "EPOLL_CREATE": syscall.SYS_EPOLL_CREATE, + "EPOLL_CTL": syscall.SYS_EPOLL_CTL, + "EPOLL_WAIT": syscall.SYS_EPOLL_WAIT, + "REMAP_FILE_PAGES": syscall.SYS_REMAP_FILE_PAGES, + "TIMER_CREATE": syscall.SYS_TIMER_CREATE, + "TIMER_SETTIME": syscall.SYS_TIMER_SETTIME, + "TIMER_GETTIME": syscall.SYS_TIMER_GETTIME, + "TIMER_GETOVERRUN": syscall.SYS_TIMER_GETOVERRUN, + "TIMER_DELETE": syscall.SYS_TIMER_DELETE, + "CLOCK_SETTIME": syscall.SYS_CLOCK_SETTIME, + "CLOCK_GETTIME": syscall.SYS_CLOCK_GETTIME, + "CLOCK_GETRES": syscall.SYS_CLOCK_GETRES, + "CLOCK_NANOSLEEP": syscall.SYS_CLOCK_NANOSLEEP, + "SWAPCONTEXT": syscall.SYS_SWAPCONTEXT, + "TGKILL": syscall.SYS_TGKILL, + "UTIMES": syscall.SYS_UTIMES, + "STATFS64": syscall.SYS_STATFS64, + "FSTATFS64": syscall.SYS_FSTATFS64, + "RTAS": syscall.SYS_RTAS, + "SYS_DEBUG_SETCONTEXT": syscall.SYS_SYS_DEBUG_SETCONTEXT, + "MIGRATE_PAGES": syscall.SYS_MIGRATE_PAGES, + "MBIND": syscall.SYS_MBIND, + "GET_MEMPOLICY": syscall.SYS_GET_MEMPOLICY, + "SET_MEMPOLICY": syscall.SYS_SET_MEMPOLICY, + "MQ_OPEN": syscall.SYS_MQ_OPEN, + "MQ_UNLINK": syscall.SYS_MQ_UNLINK, + "MQ_TIMEDSEND": syscall.SYS_MQ_TIMEDSEND, + "MQ_TIMEDRECEIVE": syscall.SYS_MQ_TIMEDRECEIVE, + "MQ_NOTIFY": syscall.SYS_MQ_NOTIFY, + "MQ_GETSETATTR": syscall.SYS_MQ_GETSETATTR, + "KEXEC_LOAD": syscall.SYS_KEXEC_LOAD, + "ADD_KEY": syscall.SYS_ADD_KEY, + "REQUEST_KEY": syscall.SYS_REQUEST_KEY, + "KEYCTL": syscall.SYS_KEYCTL, + "WAITID": syscall.SYS_WAITID, + "IOPRIO_SET": syscall.SYS_IOPRIO_SET, + 
"IOPRIO_GET": syscall.SYS_IOPRIO_GET, + "INOTIFY_INIT": syscall.SYS_INOTIFY_INIT, + "INOTIFY_ADD_WATCH": syscall.SYS_INOTIFY_ADD_WATCH, + "INOTIFY_RM_WATCH": syscall.SYS_INOTIFY_RM_WATCH, + "SPU_RUN": syscall.SYS_SPU_RUN, + "SPU_CREATE": syscall.SYS_SPU_CREATE, + "PSELECT6": syscall.SYS_PSELECT6, + "PPOLL": syscall.SYS_PPOLL, + "UNSHARE": syscall.SYS_UNSHARE, + "SPLICE": syscall.SYS_SPLICE, + "TEE": syscall.SYS_TEE, + "VMSPLICE": syscall.SYS_VMSPLICE, + "OPENAT": syscall.SYS_OPENAT, + "MKDIRAT": syscall.SYS_MKDIRAT, + "MKNODAT": syscall.SYS_MKNODAT, + "FCHOWNAT": syscall.SYS_FCHOWNAT, + "FUTIMESAT": syscall.SYS_FUTIMESAT, + "NEWFSTATAT": syscall.SYS_NEWFSTATAT, + "UNLINKAT": syscall.SYS_UNLINKAT, + "RENAMEAT": syscall.SYS_RENAMEAT, + "LINKAT": syscall.SYS_LINKAT, + "SYMLINKAT": syscall.SYS_SYMLINKAT, + "READLINKAT": syscall.SYS_READLINKAT, + "FCHMODAT": syscall.SYS_FCHMODAT, + "FACCESSAT": syscall.SYS_FACCESSAT, + "GET_ROBUST_LIST": syscall.SYS_GET_ROBUST_LIST, + "SET_ROBUST_LIST": syscall.SYS_SET_ROBUST_LIST, + "MOVE_PAGES": syscall.SYS_MOVE_PAGES, + "GETCPU": syscall.SYS_GETCPU, + "EPOLL_PWAIT": syscall.SYS_EPOLL_PWAIT, + "UTIMENSAT": syscall.SYS_UTIMENSAT, + "SIGNALFD": syscall.SYS_SIGNALFD, + "TIMERFD_CREATE": syscall.SYS_TIMERFD_CREATE, + "EVENTFD": syscall.SYS_EVENTFD, + "SYNC_FILE_RANGE2": syscall.SYS_SYNC_FILE_RANGE2, + "FALLOCATE": syscall.SYS_FALLOCATE, + "SUBPAGE_PROT": syscall.SYS_SUBPAGE_PROT, + "TIMERFD_SETTIME": syscall.SYS_TIMERFD_SETTIME, + "TIMERFD_GETTIME": syscall.SYS_TIMERFD_GETTIME, + "SIGNALFD4": syscall.SYS_SIGNALFD4, + "EVENTFD2": syscall.SYS_EVENTFD2, + "EPOLL_CREATE1": syscall.SYS_EPOLL_CREATE1, + "DUP3": syscall.SYS_DUP3, + "PIPE2": syscall.SYS_PIPE2, + "INOTIFY_INIT1": syscall.SYS_INOTIFY_INIT1, + "PERF_EVENT_OPEN": syscall.SYS_PERF_EVENT_OPEN, + "PREADV": syscall.SYS_PREADV, + "PWRITEV": syscall.SYS_PWRITEV, + "RT_TGSIGQUEUEINFO": syscall.SYS_RT_TGSIGQUEUEINFO, + "FANOTIFY_INIT": syscall.SYS_FANOTIFY_INIT, + "FANOTIFY_MARK": 
syscall.SYS_FANOTIFY_MARK,
+ "PRLIMIT64": syscall.SYS_PRLIMIT64,
+ "SOCKET": syscall.SYS_SOCKET,
+ "BIND": syscall.SYS_BIND,
+ "CONNECT": syscall.SYS_CONNECT,
+ "LISTEN": syscall.SYS_LISTEN,
+ "ACCEPT": syscall.SYS_ACCEPT,
+ "GETSOCKNAME": syscall.SYS_GETSOCKNAME,
+ "GETPEERNAME": syscall.SYS_GETPEERNAME,
+ "SOCKETPAIR": syscall.SYS_SOCKETPAIR,
+ "SEND": syscall.SYS_SEND,
+ "SENDTO": syscall.SYS_SENDTO,
+ "RECV": syscall.SYS_RECV,
+ "RECVFROM": syscall.SYS_RECVFROM,
+ "SHUTDOWN": syscall.SYS_SHUTDOWN,
+ "SETSOCKOPT": syscall.SYS_SETSOCKOPT,
+ "GETSOCKOPT": syscall.SYS_GETSOCKOPT,
+ "SENDMSG": syscall.SYS_SENDMSG,
+ "RECVMSG": syscall.SYS_RECVMSG,
+ "RECVMMSG": syscall.SYS_RECVMMSG,
+ "ACCEPT4": syscall.SYS_ACCEPT4,
+ "NAME_TO_HANDLE_AT": syscall.SYS_NAME_TO_HANDLE_AT,
+ "OPEN_BY_HANDLE_AT": syscall.SYS_OPEN_BY_HANDLE_AT,
+ "CLOCK_ADJTIME": syscall.SYS_CLOCK_ADJTIME,
+ "SYNCFS": syscall.SYS_SYNCFS,
+ "SENDMMSG": syscall.SYS_SENDMMSG,
+ "SETNS": syscall.SYS_SETNS,
+ "PROCESS_VM_READV": syscall.SYS_PROCESS_VM_READV,
+ "PROCESS_VM_WRITEV": syscall.SYS_PROCESS_VM_WRITEV,
+ "FINIT_MODULE": syscall.SYS_FINIT_MODULE,
+ "KCMP": syscall.SYS_KCMP,
+}
+
+var SyscallMapMin = map[string]int{
+ "WRITE": syscall.SYS_WRITE,
+ "RT_SIGRETURN": syscall.SYS_RT_SIGRETURN,
+ "EXIT_GROUP": syscall.SYS_EXIT_GROUP,
+ "FUTEX": syscall.SYS_FUTEX,
+}
diff --git a/standard_init_linux.go b/standard_init_linux.go
index 251c09f6..445c1fa2 100644
--- a/standard_init_linux.go
+++ b/standard_init_linux.go
@@ -99,5 +99,8 @@ func (l *linuxStandardInit) Init() error {
 if syscall.Getppid() != l.parentPid {
 return syscall.Kill(syscall.Getpid(), syscall.SIGKILL)
 }
+ if err := finalizeSeccomp(l.config); err != nil {
+ return err
+ }
 return system.Execv(l.config.Args[0], l.config.Args[0:], os.Environ())
 }
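Review bot: The error from `finalizeSeccomp` on the new line in standard_init_linux.go is returned bare, so a failed filter load reaches the parent with no indication that seccomp was the step that failed; wrap it at this layer, e.g. `return fmt.Errorf("applying seccomp filter: %v", err)` (adding the fmt import if the file lacks it), since Init's other setup errors are what the caller has to tell it apart from (Init starts outside the hunk). The ordering here is load-bearing and deserves a one-line comment at the call site: the filter is installed after the parent-pid check and immediately before system.Execv, so it persists across that exec, and the configured allow-list must therefore cover execve and whatever the runtime needs to reach it or the exec itself is the first call denied — `// Install the seccomp filter last: it survives the execve below, so the allow-list must include execve itself.` If finalizeSeccomp installs a filter even when no syscalls are configured, every container now gets a seccomp filter unconditionally; should the feature be opt-in, guarding the call here on a non-empty configured syscall list (something like `len(l.config.Config.SysCalls) > 0`) would make that explicit at the point where the process is about to exec.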