Merge pull request #200 from mheon/seccomp_architecture
Add Architecture field to Seccomp configuration in Linux runtime
83e5943978
@ -319,11 +319,44 @@ For more information about Apparmor, see [Apparmor documentation](https://wiki.u
|
||||||
Seccomp provides application sandboxing mechanism in the Linux kernel.
|
Seccomp provides application sandboxing mechanism in the Linux kernel.
|
||||||
Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows matching on values passed as arguments to syscalls.
|
Seccomp configuration allows one to configure actions to take for matched syscalls and furthermore also allows matching on values passed as arguments to syscalls.
|
||||||
For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
|
For more information about Seccomp, see [Seccomp kernel documentation](https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt)
|
||||||
The actions and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
|
The actions, architectures, and operators are strings that match the definitions in seccomp.h from [libseccomp](https://github.com/seccomp/libseccomp) and are translated to corresponding values.
|
||||||
|
A valid list of constants as of Libseccomp v2.2.3 is contained below.
|
||||||
|
|
||||||
|
Architecture Constants
|
||||||
|
* `SCMP_ARCH_X86`
|
||||||
|
* `SCMP_ARCH_X86_64`
|
||||||
|
* `SCMP_ARCH_X32`
|
||||||
|
* `SCMP_ARCH_ARM`
|
||||||
|
* `SCMP_ARCH_AARCH64`
|
||||||
|
* `SCMP_ARCH_MIPS`
|
||||||
|
* `SCMP_ARCH_MIPS64`
|
||||||
|
* `SCMP_ARCH_MIPS64N32`
|
||||||
|
* `SCMP_ARCH_MIPSEL`
|
||||||
|
* `SCMP_ARCH_MIPSEL64`
|
||||||
|
* `SCMP_ARCH_MIPSEL64N32`
|
||||||
|
|
||||||
|
Action Constants:
|
||||||
|
* `SCMP_ACT_KILL`
|
||||||
|
* `SCMP_ACT_TRAP`
|
||||||
|
* `SCMP_ACT_ERRNO`
|
||||||
|
* `SCMP_ACT_TRACE`
|
||||||
|
* `SCMP_ACT_ALLOW`
|
||||||
|
|
||||||
|
Operator Constants:
|
||||||
|
* `SCMP_CMP_NE`
|
||||||
|
* `SCMP_CMP_LT`
|
||||||
|
* `SCMP_CMP_LE`
|
||||||
|
* `SCMP_CMP_EQ`
|
||||||
|
* `SCMP_CMP_GE`
|
||||||
|
* `SCMP_CMP_GT`
|
||||||
|
* `SCMP_CMP_MASKED_EQ`
|
||||||
|
|
||||||
```json
|
```json
|
||||||
"seccomp": {
|
"seccomp": {
|
||||||
"defaultAction": "SCMP_ACT_ALLOW",
|
"defaultAction": "SCMP_ACT_ALLOW",
|
||||||
|
"architectures": [
|
||||||
|
"SCMP_ARCH_X86"
|
||||||
|
],
|
||||||
"syscalls": [
|
"syscalls": [
|
||||||
{
|
{
|
||||||
"name": "getcwd",
|
"name": "getcwd",
|
||||||
|
|
|
@ -235,15 +235,52 @@ type Device struct {
|
||||||
// Seccomp represents syscall restrictions
|
// Seccomp represents syscall restrictions
|
||||||
type Seccomp struct {
|
type Seccomp struct {
|
||||||
DefaultAction Action `json:"defaultAction"`
|
DefaultAction Action `json:"defaultAction"`
|
||||||
|
Architectures []Arch `json:"architectures"`
|
||||||
Syscalls []*Syscall `json:"syscalls"`
|
Syscalls []*Syscall `json:"syscalls"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Additional architectures permitted to be used for system calls
|
||||||
|
// By default only the native architecture of the kernel is permitted
|
||||||
|
type Arch string
|
||||||
|
|
||||||
|
const (
|
||||||
|
ArchX86 Arch = "SCMP_ARCH_X86"
|
||||||
|
ArchX86_64 Arch = "SCMP_ARCH_X86_64"
|
||||||
|
ArchX32 Arch = "SCMP_ARCH_X32"
|
||||||
|
ArchARM Arch = "SCMP_ARCH_ARM"
|
||||||
|
ArchAARCH64 Arch = "SCMP_ARCH_AARCH64"
|
||||||
|
ArchMIPS Arch = "SCMP_ARCH_MIPS"
|
||||||
|
ArchMIPS64 Arch = "SCMP_ARCH_MIPS64"
|
||||||
|
ArchMIPS64N32 Arch = "SCMP_ARCH_MIPS64N32"
|
||||||
|
ArchMIPSEL Arch = "SCMP_ARCH_MIPSEL"
|
||||||
|
ArchMIPSEL64 Arch = "SCMP_ARCH_MIPSEL64"
|
||||||
|
ArchMIPSEL64N32 Arch = "SCMP_ARCH_MIPSEL64N32"
|
||||||
|
)
|
||||||
|
|
||||||
// Action taken upon Seccomp rule match
|
// Action taken upon Seccomp rule match
|
||||||
type Action string
|
type Action string
|
||||||
|
|
||||||
|
const (
|
||||||
|
ActKill Action = "SCMP_ACT_KILL"
|
||||||
|
ActTrap Action = "SCMP_ACT_TRAP"
|
||||||
|
ActErrno Action = "SCMP_ACT_ERRNO"
|
||||||
|
ActTrace Action = "SCMP_ACT_TRACE"
|
||||||
|
ActAllow Action = "SCMP_ACT_ALLOW"
|
||||||
|
)
|
||||||
|
|
||||||
// Operator used to match syscall arguments in Seccomp
|
// Operator used to match syscall arguments in Seccomp
|
||||||
type Operator string
|
type Operator string
|
||||||
|
|
||||||
|
const (
|
||||||
|
OpNotEqual Operator = "SCMP_CMP_NE"
|
||||||
|
OpLessThan Operator = "SCMP_CMP_LT"
|
||||||
|
OpLessEqual Operator = "SCMP_CMP_LE"
|
||||||
|
OpEqualTo Operator = "SCMP_CMP_EQ"
|
||||||
|
OpGreaterEqual Operator = "SCMP_CMP_GE"
|
||||||
|
OpGreaterThan Operator = "SCMP_CMP_GT"
|
||||||
|
OpMaskedEqual Operator = "SCMP_CMP_MASKED_EQ"
|
||||||
|
)
|
||||||
|
|
||||||
// Arg used for matching specific syscall arguments in Seccomp
|
// Arg used for matching specific syscall arguments in Seccomp
|
||||||
type Arg struct {
|
type Arg struct {
|
||||||
Index uint `json:"index"`
|
Index uint `json:"index"`
|
||||||
|
|
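Review bot: The two comment lines above `type Arch string` do not follow the doc-comment convention of starting with the type name, so godoc attaches them awkwardly; they could read `// Arch is an additional architecture (beyond the kernel's native one) on which the seccomp filter's syscall rules are enforced.` followed by `// By default only the native architecture of the kernel is permitted.` The comment should also spell out the security consequence of the field, because each listed architecture widens what the filter has to cover: syscall numbers differ per ABI, and, as I understand libseccomp, a rule written by syscall name is resolved separately for every architecture in the filter, so listing an architecture the workload does not need exposes a second syscall table to the sandboxed process. `ArchX86_64` keeps an underscore in an exported identifier, which `golint` flags; it becomes public API with this merge, so renaming later would break callers. Nothing in the hunk validates that a deserialized `Arch` (or the pre-existing `Action`/`Operator`) value is one of the declared constants; that is presumably left to the runtime consuming the spec, but a sentence saying so in the doc comment would help implementers.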