From fec7085140ce1c5896d26b022d5146af60986c9e Mon Sep 17 00:00:00 2001 From: Jess Frazelle Date: Thu, 14 Apr 2016 23:42:40 -0700 Subject: [PATCH] init commit Signed-off-by: Jess Frazelle --- .gitignore | 47 ++ LICENSE | 22 + Makefile | 56 ++ VERSION | 1 + circle.yml | 15 + main.go | 120 ++++ rlimit_linux.go | 49 ++ seccomp.go | 1652 +++++++++++++++++++++++++++++++++++++++++++++++ seccomp.json | 1623 ++++++++++++++++++++++++++++++++++++++++++++++ signals.go | 116 ++++ spec.go | 133 ++++ tty.go | 126 ++++ utils.go | 245 +++++++ 13 files changed, 4205 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 Makefile create mode 100644 VERSION create mode 100644 circle.yml create mode 100644 main.go create mode 100644 rlimit_linux.go create mode 100644 seccomp.go create mode 100755 seccomp.json create mode 100644 signals.go create mode 100644 spec.go create mode 100644 tty.go create mode 100644 utils.go diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d260704 --- /dev/null +++ b/.gitignore @@ -0,0 +1,47 @@ +###Go### + +# Compiled Object files, Static and Dynamic libs (Shared Objects) +*.o +*.a +*.so +*.swo +*.swp + +# Folders +_obj +_test + +# Architecture specific extensions/prefixes +*.[568vq] +[568vq].out + +*.cgo1.go +*.cgo2.c +_cgo_defun.c +_cgo_gotypes.go +_cgo_export.* + +_testmain.go + +*.exe +*.test + + +###OSX### + +.DS_Store +.AppleDouble +.LSOverride + +# Icon must ends with two \r. +Icon + + +# Thumbnails +._* + +# Files that might appear on external disk +.Spotlight-V100 +.Trashes + +binctr diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..ce39057 --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2015 Jess Frazelle + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..e0eab9d --- /dev/null +++ b/Makefile 
@@ -0,0 +1,56 @@
+.PHONY: clean all fmt vet lint build test install static
+PREFIX?=$(shell pwd)
+BUILDTAGS=seccomp apparmor
+
+PROJECT := github.com/jfrazelle/binctr
+VENDOR := vendor
+
+# Variable to get the current version.
+VERSION := $(shell cat VERSION)
+
+# Variable to set the current git commit.
+GITCOMMIT := $(shell git rev-parse --short HEAD)
+GIT_BRANCH := $(shell git rev-parse --abbrev-ref HEAD)
+GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no)
+ifneq ($(GITUNTRACKEDCHANGES),)
+GITCOMMIT := $(GITCOMMIT)-dirty
+endif
+
+LDFLAGS := ${LDFLAGS} \
+ -X $(PROJECT)/main.GITCOMMIT=${GITCOMMIT} \
+ -X $(PROJECT)/main.VERSION=${VERSION} \
+
+all: clean build fmt lint test vet install
+
+build:
+ @echo "+ $@"
+ go build -tags "$(BUILDTAGS)" -ldflags "${LDFLAGS}" .
+
+static:
+ @echo "+ $@"
+ CGO_ENABLED=1 go build -tags "$(BUILDTAGS) cgo static_build" \
+ -ldflags "-w -extldflags -static ${LDFLAGS}" -o binctr .
+
+fmt:
+ @echo "+ $@"
+ @gofmt -s -l . | grep -v $(VENDOR) | tee /dev/stderr
+
+lint:
+ @echo "+ $@"
+ @golint ./... | grep -v $(VENDOR) | tee /dev/stderr
+
+test: fmt lint vet
+ @echo "+ $@"
+ @go test -v -tags "$(BUILDTAGS) cgo" $(shell go list ./... | grep -v $(VENDOR))
+
+vet:
+ @echo "+ $@"
+ @go vet $(shell go list ./... | grep -v $(VENDOR))
+
+clean:
+ @echo "+ $@"
+ @$(RM) binctr
+
+install:
+ @echo "+ $@"
+ @go install .
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..6e8bf73
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/circle.yml b/circle.yml
new file mode 100644
index 0000000..f778147
--- /dev/null
+++ b/circle.yml
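Review bot: The `-X $(PROJECT)/main.GITCOMMIT=${GITCOMMIT}` and `-X $(PROJECT)/main.VERSION=${VERSION}` entries in LDFLAGS will, as far as I can tell, never match a symbol: the linker addresses a main package's variables as `main.NAME` regardless of the directory's import path, so the built binary would keep the in-source defaults (`""` and `"v0.1.0"` in main.go) and the version/commit output would be wrong; `-X main.GITCOMMIT=${GITCOMMIT}` and `-X main.VERSION=${VERSION}` is the form that resolves. The trailing `\` on the last -X line continues the assignment onto the following blank line, which is harmless but easy to misread, and `GIT_BRANCH` is computed but never used in this file.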
@@ -0,0 +1,15 @@
+machine:
+ environment:
+ GO15VENDOREXPERIMENT: 1
+dependencies:
+ post:
+ # install golint
+ - go get github.com/golang/lint/golint
+
+test:
+ pre:
+ - go vet $(go list ./... | grep -v vendor)
+ - test -z "$(golint ./... | grep -v vendor | tee /dev/stderr)"
+ - test -z "$(gofmt -s -l . | grep -v vendor | tee /dev/stderr)"
+ override:
+ - go test $(go list ./... | grep -v vendor)
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..70a008e
--- /dev/null
+++ b/main.go
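Review bot: `go get github.com/golang/lint/golint` in the post step installs whatever that repository's default branch holds on the day of the build, so the `test -z "$(golint ...)"` gate can start failing (or start passing) without any change to this repository; pinning golint to a known revision, or vendoring it like the other dependencies the Makefile's VENDOR variable implies, keeps the check reproducible. The vet/lint/gofmt commands in the pre step also duplicate the Makefile's fmt, lint and vet targets added in this same commit; invoking those targets here would keep the two definitions from drifting apart.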
@@ -0,0 +1,120 @@
+package main
+
+import (
+ "bytes"
+ "encoding/base64"
+ "flag"
+ "fmt"
+ "os"
+ "runtime"
+
+ "github.com/Sirupsen/logrus"
+ "github.com/docker/docker/pkg/archive"
+ "github.com/opencontainers/runc/libcontainer"
+)
+
+const (
+ // BANNER is what is printed for help/info output.
+ BANNER = ` _ _ _
+| |__ (_)_ __ ___| |_ _ __
+| '_ \| | '_ \ / __| __| '__|
+| |_) | | | | | (__| |_| |
+|_.__/|_|_| |_|\___|\__|_|
+
+ Fully static self-contained container including the rootfs.
+ Version: %s
+ GitCommit: %s
+`
+
+ defaultRoot = "/run/binctr"
+)
+
+var (
+ console = os.Getenv("console")
+ containerID string
+ root string
+
+ debug bool
+ version bool
+
+ // GITCOMMIT is git commit the binary was compiled against.
+ GITCOMMIT = ""
+
+ // VERSION is the binary version.
+ VERSION = "v0.1.0"
+
+ // DATA is the rootfs tar that is added at compile time.
+ DATA = ""
+)
+
+func init() {
+ // Parse flags
+ flag.StringVar(&containerID, "id", "jessiscool", "container ID")
+ flag.StringVar(&console, "console", console, "the pty slave path for use with the container")
+ flag.StringVar(&root, "root", defaultRoot, "root directory of container state, should be tmpfs")
+ flag.BoolVar(&version, "version", false, "print version and exit")
+ flag.BoolVar(&version, "v", false, "print version and exit (shorthand)")
+ flag.BoolVar(&debug, "d", false, "run in debug mode")
+
+ flag.Usage = func() {
+ fmt.Fprint(os.Stderr, fmt.Sprintf(BANNER, VERSION, GITCOMMIT))
+ flag.PrintDefaults()
+ }
+
+ flag.Parse()
+
+ if version {
+ fmt.Printf("%s, commit: %s", VERSION, GITCOMMIT)
+ os.Exit(0)
+ }
+
+ // Set log level
+ if debug {
+ logrus.SetLevel(logrus.DebugLevel)
+ }
+}
+
+func main() {
+ if len(os.Args) > 1 && os.Args[1] == "init" {
+ runInit()
+ return
+ }
+
+ if err := unpackRootfs(); err != nil {
+ logrus.Fatal(err)
+ }
+
+ status, err := startContainer(spec, containerID)
+ if err != nil {
+ logrus.Fatal(err)
+ }
+
+ // exit with the container's exit status
+ os.Exit(status)
+}
+
+func unpackRootfs() error {
+ data, err := base64.StdEncoding.DecodeString(DATA)
+ if err != nil {
+ return err
+ }
+ r := bytes.NewReader(data)
+ if err := os.Mkdir("container", 0755); err != nil {
+ return err
+ }
+ return archive.Untar(r, "container", nil)
+}
+
+func runInit() {
+ if len(os.Args) > 1 && os.Args[1] == "init" {
+ runtime.GOMAXPROCS(1)
+ runtime.LockOSThread()
+ factory, _ := libcontainer.New("")
+ if err := factory.StartInitialization(); err != nil {
+ // as the error is sent back to the parent there is no need to log
+ // or write it to stderr because the parent process will handle this
+ os.Exit(1)
+ }
+ panic("libcontainer: container init failed to exec")
+ }
+}
diff --git a/rlimit_linux.go b/rlimit_linux.go
new file mode 100644
index 0000000..0de8b0b
--- /dev/null
+++ b/rlimit_linux.go
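Review bot: `factory, _ := libcontainer.New("")` in runInit drops the constructor's error, so if New fails the next line calls StartInitialization on whatever New returned — most likely a nil factory and a panic — instead of the deliberate `os.Exit(1)`; `factory, err := libcontainer.New("")` followed by `if err != nil { os.Exit(1) }` keeps the intended contract that the parent process, not this one, reports the failure. The `if len(os.Args) > 1 && os.Args[1] == "init"` guard inside runInit repeats the one main already evaluated before calling it and can go. In unpackRootfs, `os.Mkdir("container", 0755)` and `archive.Untar(r, "container", nil)` place the extracted rootfs at a relative path under whatever directory the binary happens to be started from, and Mkdir fails outright when that directory is left over from an earlier run; anchoring it under the `root` state directory (whose help text says it should be tmpfs) and removing it once the container exits looks like what was meant, though this hunk does not show where spec.go points the rootfs. Smaller points: `fmt.Fprint(os.Stderr, fmt.Sprintf(BANNER, VERSION, GITCOMMIT))` is `fmt.Fprintf(os.Stderr, BANNER, VERSION, GITCOMMIT)`, and calling flag.Parse from init rather than main means a `go test` of this package parses the test binary's own arguments against these flag definitions.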
@@ -0,0 +1,49 @@
+package main
+
+import "fmt"
+
+const (
+ RLIMIT_CPU = iota // CPU time in sec
+ RLIMIT_FSIZE // Maximum filesize
+ RLIMIT_DATA // max data size
+ RLIMIT_STACK // max stack size
+ RLIMIT_CORE // max core file size
+ RLIMIT_RSS // max resident set size
+ RLIMIT_NPROC // max number of processes
+ RLIMIT_NOFILE // max number of open files
+ RLIMIT_MEMLOCK // max locked-in-memory address space
+ RLIMIT_AS // address space limit
+ RLIMIT_LOCKS // maximum file locks held
+ RLIMIT_SIGPENDING // max number of pending signals
+ RLIMIT_MSGQUEUE // maximum bytes in POSIX mqueues
+ RLIMIT_NICE // max nice prio allowed to raise to
+ RLIMIT_RTPRIO // maximum realtime priority
+ RLIMIT_RTTIME // timeout for RT tasks in us
+)
+
+var rlimitMap = map[string]int{
+ "RLIMIT_CPU": RLIMIT_CPU,
+ "RLIMIT_FSIZE": RLIMIT_FSIZE,
+ "RLIMIT_DATA": RLIMIT_DATA,
+ "RLIMIT_STACK": RLIMIT_STACK,
+ "RLIMIT_CORE": RLIMIT_CORE,
+ "RLIMIT_RSS": RLIMIT_RSS,
+ "RLIMIT_NPROC": RLIMIT_NPROC,
+ "RLIMIT_NOFILE": RLIMIT_NOFILE,
+ "RLIMIT_MEMLOCK": RLIMIT_MEMLOCK,
+ "RLIMIT_AS": RLIMIT_AS,
+ "RLIMIT_LOCKS": RLIMIT_LOCKS,
+ "RLIMIT_SIGPENDING": RLIMIT_SIGPENDING,
+ "RLIMIT_MSGQUEUE": RLIMIT_MSGQUEUE,
+ "RLIMIT_NICE": RLIMIT_NICE,
+ "RLIMIT_RTPRIO": RLIMIT_RTPRIO,
+ "RLIMIT_RTTIME": RLIMIT_RTTIME,
+}
+
+func strToRlimit(key string) (int, error) {
+ rl, ok := rlimitMap[key]
+ if !ok {
+ return 0, fmt.Errorf("Wrong rlimit value: %s", key)
+ }
+ return rl, nil
+}
diff --git a/seccomp.go b/seccomp.go
new file mode 100644
index 0000000..a86cbed
--- /dev/null
+++ b/seccomp.go
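Review bot: The exported, uncommented `RLIMIT_*` constant block is unlikely to pass the lint gate this same commit sets up — circle.yml fails on any golint output and the Makefile's test target depends on lint — because golint reports underscore/ALL_CAPS names and exported constants without a doc comment; since only rlimitMap reads them, renaming the block to unexported `rlimitCPU`, `rlimitFsize`, … keeps the lint run clean without widening the package API. The error in strToRlimit, `fmt.Errorf("Wrong rlimit value: %s", key)`, should be lowercase and quote the input so an empty or whitespace key is visible: `return 0, fmt.Errorf("unknown rlimit %q", key)`. The iota numbering follows the generic Linux resource numbering, which as far as I recall differs for a few resources on mips, sparc and alpha; a one-line comment on the block stating that it assumes the asm-generic numbering (and pointing at the `syscall.RLIMIT_*` constants the standard library defines per architecture for the subset it covers) would spare whoever ports this a confusing failure.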
@@ -0,0 +1,1652 @@ +package main + +import ( + "syscall" + + "github.com/opencontainers/runtime-spec/specs-go" + libseccomp "github.com/seccomp/libseccomp-golang" +) + +func arches() []specs.Arch { + var native, err = libseccomp.GetNativeArch() + if err != nil { + return []specs.Arch{} + } + var a = native.String() + switch a { + case "amd64": + return []specs.Arch{specs.ArchX86_64, specs.ArchX86, specs.ArchX32} + case "arm64": + return []specs.Arch{specs.ArchARM, specs.ArchAARCH64} + case "mips64": + return []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64, specs.ArchMIPS64N32} + case "mips64n32": + return []specs.Arch{specs.ArchMIPS, specs.ArchMIPS64, specs.ArchMIPS64N32} + case "mipsel64": + return []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64, specs.ArchMIPSEL64N32} + case "mipsel64n32": + return []specs.Arch{specs.ArchMIPSEL, specs.ArchMIPSEL64, specs.ArchMIPSEL64N32} + default: + return []specs.Arch{} + } +} + +// defaultProfile defines the whitelist for the default seccomp profile. 
+var defaultSeccompProfile = &specs.Seccomp{ + DefaultAction: specs.ActErrno, + Architectures: arches(), + Syscalls: []specs.Syscall{ + { + Name: "accept", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "accept4", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "access", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "alarm", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "arch_prctl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "bind", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "brk", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "capget", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "capset", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "chdir", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "chmod", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "chown", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "chown32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "chroot", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "clock_getres", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "clock_gettime", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "clock_nanosleep", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "clone", + Action: specs.ActAllow, + Args: []specs.Arg{ + { + Index: 0, + Value: syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWIPC | syscall.CLONE_NEWUSER | syscall.CLONE_NEWPID | syscall.CLONE_NEWNET, + ValueTwo: 0, + Op: specs.OpMaskedEqual, + }, + }, + }, + { + Name: "close", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "connect", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "copy_file_range", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "creat", + Action: 
specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "dup", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "dup2", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "dup3", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "epoll_create", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "epoll_create1", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "epoll_ctl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "epoll_ctl_old", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "epoll_pwait", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "epoll_wait", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "epoll_wait_old", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "eventfd", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "eventfd2", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "execve", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "execveat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "exit", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "exit_group", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "faccessat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fadvise64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fadvise64_64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fallocate", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fanotify_init", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fanotify_mark", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fchdir", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fchmod", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fchmodat", + Action: specs.ActAllow, + Args: 
[]specs.Arg{}, + }, + { + Name: "fchown", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fchown32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fchownat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fcntl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fcntl64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fdatasync", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fgetxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "flistxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "flock", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fork", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fremovexattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fsetxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fstat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fstat64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fstatat64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fstatfs", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fstatfs64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "fsync", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ftruncate", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ftruncate64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "futex", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "futimesat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getcpu", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getcwd", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getdents", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getdents64", + Action: 
specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getegid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getegid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "geteuid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "geteuid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getgid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getgid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getgroups", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getgroups32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getitimer", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getpeername", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getpgid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getpgrp", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getpid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getppid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getpriority", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getrandom", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getresgid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getresgid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getresuid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getresuid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getrlimit", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "get_robust_list", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getrusage", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getsid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getsockname", + Action: specs.ActAllow, + Args: 
[]specs.Arg{}, + }, + { + Name: "getsockopt", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "get_thread_area", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "gettid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "gettimeofday", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getuid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getuid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "getxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "inotify_add_watch", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "inotify_init", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "inotify_init1", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "inotify_rm_watch", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "io_cancel", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ioctl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "io_destroy", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "io_getevents", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ioprio_get", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ioprio_set", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "io_setup", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "io_submit", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ipc", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "kill", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lchown", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lchown32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lgetxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "link", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, 
+ { + Name: "linkat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "listen", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "listxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "llistxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "_llseek", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lremovexattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lseek", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lsetxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lstat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "lstat64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "madvise", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "memfd_create", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mincore", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mkdir", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mkdirat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mknod", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mknodat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mlock", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mlock2", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mlockall", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mmap", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mmap2", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mprotect", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mq_getsetattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mq_notify", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mq_open", + Action: specs.ActAllow, + Args: 
[]specs.Arg{}, + }, + { + Name: "mq_timedreceive", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mq_timedsend", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mq_unlink", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "mremap", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "msgctl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "msgget", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "msgrcv", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "msgsnd", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "msync", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "munlock", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "munlockall", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "munmap", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "nanosleep", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "newfstatat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "_newselect", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "open", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "openat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "pause", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "personality", + Action: specs.ActAllow, + Args: []specs.Arg{ + { + Index: 0, + Value: 0x0, + Op: specs.OpEqualTo, + }, + }, + }, + { + Name: "personality", + Action: specs.ActAllow, + Args: []specs.Arg{ + { + Index: 0, + Value: 0x0008, + Op: specs.OpEqualTo, + }, + }, + }, + { + Name: "personality", + Action: specs.ActAllow, + Args: []specs.Arg{ + { + Index: 0, + Value: 0xffffffff, + Op: specs.OpEqualTo, + }, + }, + }, + { + Name: "pipe", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "pipe2", + Action: specs.ActAllow, + Args: []specs.Arg{}, + 
}, + { + Name: "poll", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ppoll", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "prctl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "pread64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "preadv", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "prlimit64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "pselect6", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "pwrite64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "pwritev", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "read", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "readahead", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "readlink", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "readlinkat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "readv", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "recv", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "recvfrom", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "recvmmsg", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "recvmsg", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "remap_file_pages", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "removexattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rename", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "renameat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "renameat2", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "restart_syscall", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rmdir", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rt_sigaction", + Action: specs.ActAllow, 
+ Args: []specs.Arg{}, + }, + { + Name: "rt_sigpending", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rt_sigprocmask", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rt_sigqueueinfo", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rt_sigreturn", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rt_sigsuspend", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rt_sigtimedwait", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "rt_tgsigqueueinfo", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_getaffinity", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_getattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_getparam", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_get_priority_max", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_get_priority_min", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_getscheduler", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_rr_get_interval", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_setaffinity", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_setattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_setparam", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_setscheduler", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sched_yield", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "seccomp", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "select", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "semctl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "semget", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "semop", + Action: 
specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "semtimedop", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "send", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sendfile", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sendfile64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sendmmsg", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sendmsg", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sendto", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setdomainname", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setfsgid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setfsgid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setfsuid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setfsuid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setgid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setgid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setgroups", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setgroups32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sethostname", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setitimer", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setpgid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setpriority", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setregid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setregid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setresgid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setresgid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setresuid", + Action: specs.ActAllow, + Args: 
[]specs.Arg{}, + }, + { + Name: "setresuid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setreuid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setreuid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setrlimit", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "set_robust_list", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setsid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setsockopt", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "set_thread_area", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "set_tid_address", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setuid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setuid32", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "setxattr", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "shmat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "shmctl", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "shmdt", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "shmget", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "shutdown", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sigaltstack", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "signalfd", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "signalfd4", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sigreturn", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "socket", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "socketpair", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "splice", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "stat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: 
"stat64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "statfs", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "statfs64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "symlink", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "symlinkat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sync", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sync_file_range", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "syncfs", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "sysinfo", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "syslog", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "tee", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "tgkill", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "time", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timer_create", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timer_delete", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timerfd_create", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timerfd_gettime", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timerfd_settime", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timer_getoverrun", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timer_gettime", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "timer_settime", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "times", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "tkill", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "truncate", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "truncate64", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "ugetrlimit", + Action: 
specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "umask", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "uname", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "unlink", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "unlinkat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "utime", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "utimensat", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "utimes", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "vfork", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "vhangup", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "vmsplice", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "wait4", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "waitid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "waitpid", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "write", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "writev", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + // i386 specific syscalls + { + Name: "modify_ldt", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + // arm specific syscalls + { + Name: "breakpoint", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "cacheflush", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + { + Name: "set_tls", + Action: specs.ActAllow, + Args: []specs.Arg{}, + }, + }, +} diff --git a/seccomp.json b/seccomp.json new file mode 100755 index 0000000..c298009 --- /dev/null +++ b/seccomp.json 
@@ -0,0 +1,1623 @@ +G{ + "defaultAction": "SCMP_ACT_ERRNO", + "architectures": [ + "SCMP_ARCH_X86_64", + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ], + "syscalls": [ + { + "name": "accept", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "accept4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "access", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "alarm", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "arch_prctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "bind", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "brk", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "capget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "capset", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chmod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chroot", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_getres", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_nanosleep", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clone", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2080505856, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ] + }, + { + "name": "close", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "connect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "copy_file_range", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "creat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup2", + "action": "SCMP_ACT_ALLOW", + "args": [] 
+ }, + { + "name": "dup3", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_create1", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_ctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_ctl_old", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_pwait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_wait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_wait_old", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "eventfd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "eventfd2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "execve", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "execveat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "exit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "exit_group", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "faccessat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fadvise64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fadvise64_64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fallocate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fanotify_init", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fanotify_mark", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchmod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchmodat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchownat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fcntl", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fcntl64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fdatasync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fgetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "flistxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "flock", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fork", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fremovexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fsetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatfs64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fsync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ftruncate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ftruncate64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "futex", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "futimesat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getcpu", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getcwd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getdents", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getdents64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getegid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getegid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "geteuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "geteuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgid", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgroups", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgroups32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getitimer", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpeername", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpgrp", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getppid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpriority", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrandom", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "get_robust_list", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrusage", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsockname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsockopt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "get_thread_area", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "gettid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "gettimeofday", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + 
"name": "getxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_add_watch", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_init", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_init1", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_rm_watch", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_cancel", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_destroy", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_getevents", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioprio_get", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioprio_set", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_setup", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_submit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ipc", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "kill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lchown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lchown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lgetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "link", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "linkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "listen", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "listxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "llistxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "_llseek", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lremovexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lseek", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lsetxattr", + "action": "SCMP_ACT_ALLOW", + 
"args": [] + }, + { + "name": "lstat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lstat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "madvise", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "memfd_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mincore", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mkdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mkdirat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mknod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mknodat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mlock", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mlock2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mlockall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mmap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mmap2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mprotect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_getsetattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_notify", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_open", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_timedreceive", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_timedsend", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_unlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mremap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgrcv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgsnd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { 
+ "name": "munlock", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munlockall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munmap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "nanosleep", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "newfstatat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "_newselect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "open", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "openat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pause", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "pipe", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pipe2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "poll", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ppoll", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "prctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pread64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "preadv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "prlimit64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pselect6", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pwrite64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pwritev", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "read", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { 
+ "name": "readahead", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvfrom", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvmmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "remap_file_pages", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "removexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rename", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "renameat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "renameat2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "restart_syscall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rmdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigaction", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigpending", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigprocmask", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigqueueinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigreturn", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigsuspend", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigtimedwait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_tgsigqueueinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getaffinity", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getparam", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { 
+ "name": "sched_get_priority_max", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_get_priority_min", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getscheduler", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_rr_get_interval", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setaffinity", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setparam", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setscheduler", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_yield", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "seccomp", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "select", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semop", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semtimedop", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "send", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendfile", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendfile64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendmmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendto", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setdomainname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, 
+ { + "name": "setgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgroups", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgroups32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sethostname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setitimer", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setpgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setpriority", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setregid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setregid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setreuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setreuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_robust_list", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setsid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setsockopt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_thread_area", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_tid_address", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmctl", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmdt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shutdown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sigaltstack", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "signalfd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "signalfd4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sigreturn", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socket", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socketpair", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "splice", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "stat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "stat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "statfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "statfs64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "symlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "symlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sync_file_range", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "syncfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sysinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "syslog", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tee", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tgkill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "time", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_delete", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_create", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_settime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_getoverrun", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_settime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "times", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tkill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "truncate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "truncate64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ugetrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "umask", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "uname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "unlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "unlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utimensat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utimes", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "vfork", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "vhangup", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "vmsplice", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "wait4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "waitid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "waitpid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "write", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "writev", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "modify_ldt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "breakpoint", + 
"action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "cacheflush", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_tls", + "action": "SCMP_ACT_ALLOW", + "args": [] + } + ] +} diff --git a/signals.go b/signals.go new file mode 100644 index 0000000..5eee44e --- /dev/null +++ b/signals.go 
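Review bot: As rendered, the file begins with `+G{` rather than `+{`; if that leading `G` is really in the committed blob and not an artifact of how this patch was captured, the profile is not valid JSON and every consumer will fail to parse it, so it is worth checking the blob directly. This allowlist also restates the same syscall names that appear in the `defaultSeccompProfile` literal in seccomp.go, with nothing visible that keeps the two in sync; since JSON has no comment syntax, a comment at the top of seccomp.go naming which of the two is the source of truth (or generating one from the other at build time) would keep the profiles from silently drifting apart.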
@@ -0,0 +1,116 @@
+// +build linux
+
+package main
+
+import (
+ "os"
+ "os/signal"
+ "syscall"
+
+ "github.com/Sirupsen/logrus"
+ "github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/system"
+ "github.com/opencontainers/runc/libcontainer/utils"
+)
+
+const signalBufferSize = 2048
+
+// newSignalHandler returns a signal handler for processing SIGCHLD and SIGWINCH signals
+// while still forwarding all other signals to the process.
+func newSignalHandler(tty *tty, enableSubreaper bool) *signalHandler {
+ if enableSubreaper {
+ // set us as the subreaper before registering the signal handler for the container
+ if err := system.SetSubreaper(1); err != nil {
+ logrus.Warn(err)
+ }
+ }
+ // ensure that we have a large buffer size so that we do not miss any signals
+ // incase we are not processing them fast enough.
+ s := make(chan os.Signal, signalBufferSize)
+ // handle all signals for the process.
+ signal.Notify(s)
+ return &signalHandler{
+ tty: tty,
+ signals: s,
+ }
+}
+
+// exit models a process exit status with the pid and
+// exit status.
+type exit struct {
+ pid int
+ status int
+}
+
+type signalHandler struct {
+ signals chan os.Signal
+ tty *tty
+}
+
+// forward handles the main signal event loop forwarding, resizing, or reaping depending
+// on the signal received.
+func (h *signalHandler) forward(process *libcontainer.Process) (int, error) {
+ // make sure we know the pid of our main process so that we can return
+ // after it dies.
+ pid1, err := process.Pid()
+ if err != nil {
+ return -1, err
+ }
+ // perform the initial tty resize.
+ h.tty.resize()
+ for s := range h.signals {
+ switch s {
+ case syscall.SIGWINCH:
+ h.tty.resize()
+ case syscall.SIGCHLD:
+ exits, err := h.reap()
+ if err != nil {
+ logrus.Error(err)
+ }
+ for _, e := range exits {
+ logrus.WithFields(logrus.Fields{
+ "pid": e.pid,
+ "status": e.status,
+ }).Debug("process exited")
+ if e.pid == pid1 {
+ // call Wait() on the process even though we already have the exit
+ // status because we must ensure that any of the go specific process
+ // fun such as flushing pipes are complete before we return.
+ process.Wait()
+ return e.status, nil
+ }
+ }
+ default:
+ logrus.Debugf("sending signal to process %s", s)
+ if err := syscall.Kill(pid1, s.(syscall.Signal)); err != nil {
+ logrus.Error(err)
+ }
+ }
+ }
+ return -1, nil
+}
+
+// reap runs wait4 in a loop until we have finished processing any existing exits
+// then returns all exits to the main event loop for further processing.
+func (h *signalHandler) reap() (exits []exit, err error) {
+ var (
+ ws syscall.WaitStatus
+ rus syscall.Rusage
+ )
+ for {
+ pid, err := syscall.Wait4(-1, &ws, syscall.WNOHANG, &rus)
+ if err != nil {
+ if err == syscall.ECHILD {
+ return exits, nil
+ }
+ return nil, err
+ }
+ if pid <= 0 {
+ return exits, nil
+ }
+ exits = append(exits, exit{
+ pid: pid,
+ status: utils.ExitStatus(ws),
+ })
+ }
+}
diff --git a/spec.go b/spec.go
new file mode 100644
index 0000000..2ccf77d
--- /dev/null
+++ b/spec.go
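Review bot: `reap` drops the exits it has already collected when `Wait4` fails with anything other than `ECHILD`: `return nil, err` discards `exits`, and because those children are already reaped no later SIGCHLD will report them again, so if pid1 was among them `forward` never returns. `forward` already logs the error and then ranges over whatever `reap` handed back, so `return exits, err` is enough to keep the collected statuses. A smaller point of style in the same loop: `pid, err := syscall.Wait4(...)` shadows the named `err` result, which the shadow analyzer flags; `var pid int` before the loop and `pid, err = ...` avoids it. In `forward`, the result of `process.Wait()` is dropped silently; `if _, err := process.Wait(); err != nil { logrus.Warn(err) }` keeps the stated intent while surfacing failures.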
@@ -0,0 +1,133 @@
+package main
+
+import (
+ "runtime"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+var (
+ spec = &specs.Spec{
+ Version: specs.Version,
+ Platform: specs.Platform{
+ OS: runtime.GOOS,
+ Arch: runtime.GOARCH,
+ },
+ Root: specs.Root{
+ Path: "rootfs",
+ Readonly: true,
+ },
+ Process: specs.Process{
+ Terminal: true,
+ User: specs.User{},
+ Args: []string{
+ "sh",
+ },
+ Env: []string{
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "TERM=xterm",
+ },
+ Cwd: "/",
+ NoNewPrivileges: true,
+ Capabilities: []string{
+ "CAP_AUDIT_WRITE",
+ "CAP_KILL",
+ "CAP_NET_BIND_SERVICE",
+ },
+ Rlimits: []specs.Rlimit{
+ {
+ Type: "RLIMIT_NOFILE",
+ Hard: uint64(1024),
+ Soft: uint64(1024),
+ },
+ },
+ },
+ Hostname: "ctr",
+ Mounts: []specs.Mount{
+ {
+ Destination: "/proc",
+ Type: "proc",
+ Source: "proc",
+ Options: nil,
+ },
+ {
+ Destination: "/dev",
+ Type: "tmpfs",
+ Source: "tmpfs",
+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
+ },
+ {
+ Destination: "/dev/pts",
+ Type: "devpts",
+ Source: "devpts",
+ Options: []string{"nosuid", "noexec", "newinstance", "ptmxmode=0666", "mode=0620", "gid=5"},
+ },
+ {
+ Destination: "/dev/shm",
+ Type: "tmpfs",
+ Source: "shm",
+ Options: []string{"nosuid", "noexec", "nodev", "mode=1777", "size=65536k"},
+ },
+ {
+ Destination: "/dev/mqueue",
+ Type: "mqueue",
+ Source: "mqueue",
+ Options: []string{"nosuid", "noexec", "nodev"},
+ },
+ {
+ Destination: "/sys",
+ Type: "sysfs",
+ Source: "sysfs",
+ Options: []string{"nosuid", "noexec", "nodev", "ro"},
+ },
+ {
+ Destination: "/sys/fs/cgroup",
+ Type: "cgroup",
+ Source: "cgroup",
+ Options: []string{"nosuid", "noexec", "nodev", "relatime", "ro"},
+ },
+ },
+ Linux: specs.Linux{
+ MaskedPaths: []string{
+ "/proc/kcore",
+ "/proc/latency_stats",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ },
+ ReadonlyPaths: []string{
+ "/proc/asound",
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger",
+ },
+ Resources: &specs.Resources{
+ Devices: []specs.DeviceCgroup{
+ {
+ Allow: false,
+ Access: sPtr("rwm"),
+ },
+ },
+ },
+ Namespaces: []specs.Namespace{
+ {
+ Type: "pid",
+ },
+ {
+ Type: "ipc",
+ },
+ {
+ Type: "uts",
+ },
+ {
+ Type: "user",
+ },
+ {
+ Type: "mount",
+ },
+ },
+ Seccomp: defaultSeccompProfile,
+ },
+ }
+)
diff --git a/tty.go b/tty.go
new file mode 100644
index 0000000..80c6551
--- /dev/null
+++ b/tty.go
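Review bot: The Namespaces list in the default spec requests pid, ipc, uts, user and mount but no network namespace, so a container started from this spec shares the host's network namespace while also being granted CAP_NET_BIND_SERVICE; if host networking is intended, document it beside the list with `// no network namespace: the container shares the host network stack`, otherwise add `{ Type: "network", },`. The user namespace is requested but no UIDMappings/GIDMappings appear under Linux and User is the zero `specs.User{}`; unless main.go fills the mappings in before startContainer, libcontainer's spec conversion is likely to refuse a user namespace without them, which is worth confirming. A short comment above `var (` stating that this is the hardened default (read-only root, NoNewPrivileges, three capabilities, device cgroup deny-all) and that the seccomp profile comes from seccomp.go would help readers who only open this file.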
@@ -0,0 +1,126 @@
+// +build linux
+
+package main
+
+import (
+ "fmt"
+ "io"
+ "os"
+ "sync"
+
+ "github.com/docker/docker/pkg/term"
+ "github.com/opencontainers/runc/libcontainer"
+)
+
+// setup standard pipes so that the TTY of the calling runc process
+// is not inherited by the container.
+func createStdioPipes(p *libcontainer.Process, rootuid int) (*tty, error) {
+ i, err := p.InitializeIO(rootuid)
+ if err != nil {
+ return nil, err
+ }
+ t := &tty{
+ closers: []io.Closer{
+ i.Stdin,
+ i.Stdout,
+ i.Stderr,
+ },
+ }
+ // add the process's io to the post start closers if they support close
+ for _, cc := range []interface{}{
+ p.Stdin,
+ p.Stdout,
+ p.Stderr,
+ } {
+ if c, ok := cc.(io.Closer); ok {
+ t.postStart = append(t.postStart, c)
+ }
+ }
+ go func() {
+ io.Copy(i.Stdin, os.Stdin)
+ i.Stdin.Close()
+ }()
+ t.wg.Add(2)
+ go t.copyIO(os.Stdout, i.Stdout)
+ go t.copyIO(os.Stderr, i.Stderr)
+ return t, nil
+}
+
+func (t *tty) copyIO(w io.Writer, r io.ReadCloser) {
+ defer t.wg.Done()
+ io.Copy(w, r)
+ r.Close()
+}
+
+func createTty(p *libcontainer.Process, rootuid int, consolePath string) (*tty, error) {
+ if consolePath != "" {
+ if err := p.ConsoleFromPath(consolePath); err != nil {
+ return nil, err
+ }
+ return &tty{}, nil
+ }
+ console, err := p.NewConsole(rootuid)
+ if err != nil {
+ return nil, err
+ }
+ go io.Copy(console, os.Stdin)
+ go io.Copy(os.Stdout, console)
+
+ state, err := term.SetRawTerminal(os.Stdin.Fd())
+ if err != nil {
+ return nil, fmt.Errorf("failed to set the terminal from the stdin: %v", err)
+ }
+ return &tty{
+ console: console,
+ state: state,
+ closers: []io.Closer{
+ console,
+ },
+ }, nil
+}
+
+type tty struct {
+ console libcontainer.Console
+ state *term.State
+ closers []io.Closer
+ postStart []io.Closer
+ wg sync.WaitGroup
+}
+
+// ClosePostStart closes any fds that are provided to the container and dup2'd
+// so that we no longer have copy in our process.
+func (t *tty) ClosePostStart() error {
+ for _, c := range t.postStart {
+ c.Close()
+ }
+ return nil
+}
+
+// Close closes all open fds for the tty and/or restores the orignal
+// stdin state to what it was prior to the container execution
+func (t *tty) Close() error {
+ // ensure that our side of the fds are always closed
+ for _, c := range t.postStart {
+ c.Close()
+ }
+ // wait for the copy routines to finish before closing the fds
+ t.wg.Wait()
+ for _, c := range t.closers {
+ c.Close()
+ }
+ if t.state != nil {
+ term.RestoreTerminal(os.Stdin.Fd(), t.state)
+ }
+ return nil
+}
+
+func (t *tty) resize() error {
+ if t.console == nil {
+ return nil
+ }
+ ws, err := term.GetWinsize(os.Stdin.Fd())
+ if err != nil {
+ return err
+ }
+ return term.SetWinsize(t.console.Fd(), ws)
+}
diff --git a/utils.go b/utils.go
new file mode 100644
index 0000000..150f59e
--- /dev/null
+++ b/utils.go
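Review bot: In Close the error from `term.RestoreTerminal(os.Stdin.Fd(), t.state)` is dropped and the method always returns nil, so a caller's terminal can be left in raw mode with no indication; return it instead with `if t.state != nil { return term.RestoreTerminal(os.Stdin.Fd(), t.state) }`. Close also closes everything in `t.postStart` a second time after ClosePostStart has already done so; the repeated Close only produces an ignored error, but a comment such as `// postStart entries may already be closed by ClosePostStart; the repeat is deliberate` would stop a reader from "fixing" it. In createTty the two `go io.Copy(...)` goroutines are not tracked by `t.wg`, unlike the pipe copies in createStdioPipes, so Close's `t.wg.Wait()` cannot wait for them before the terminal state is restored and the console closed.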
@@ -0,0 +1,245 @@
+package main
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "syscall"
+
+ "github.com/Sirupsen/logrus"
+ "github.com/opencontainers/runc/libcontainer"
+ "github.com/opencontainers/runc/libcontainer/configs"
+ "github.com/opencontainers/runc/libcontainer/specconv"
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+// startContainer starts the container. Returns the exit status or -1 and an
+// error. Signals sent to the current process will be forwarded to container.
+func startContainer(spec *specs.Spec, id string) (int, error) {
+ // create the libcontainer config
+ config, err := specconv.CreateLibcontainerConfig(&specconv.CreateOpts{
+ CgroupName: id,
+ Spec: spec,
+ })
+ if err != nil {
+ return -1, err
+ }
+
+ if _, err := os.Stat(config.Rootfs); err != nil {
+ if os.IsNotExist(err) {
+ return -1, fmt.Errorf("rootfs (%q) does not exist", config.Rootfs)
+ }
+ return -1, err
+ }
+
+ factory, err := loadFactory()
+ if err != nil {
+ return -1, err
+ }
+
+ ctr, err := factory.Create(id, config)
+ if err != nil {
+ return -1, err
+ }
+
+ r := &runner{
+ enableSubreaper: true,
+ shouldDestroy: true,
+ container: ctr,
+ console: console,
+ detach: false,
+ pidFile: "",
+ listenFDs: []*os.File{},
+ }
+ return r.run(&spec.Process)
+}
+
+// loadFactory returns the configured factory instance for execing containers.
+func loadFactory() (libcontainer.Factory, error) {
+ abs, err := filepath.Abs(root)
+ if err != nil {
+ return nil, err
+ }
+ cgroupManager := libcontainer.Cgroupfs
+ return libcontainer.New(abs, cgroupManager, func(l *libcontainer.LinuxFactory) error {
+ return nil
+ })
+}
+
+// newProcess returns a new libcontainer Process with the arguments from the
+// spec and stdio from the current process.
+func newProcess(p specs.Process) (*libcontainer.Process, error) {
+ lp := &libcontainer.Process{
+ Args: p.Args,
+ Env: p.Env,
+ // TODO: fix libcontainer's API to better support uid/gid in a typesafe way.
+ User: fmt.Sprintf("%d:%d", p.User.UID, p.User.GID),
+ Cwd: p.Cwd,
+ Capabilities: p.Capabilities,
+ Label: p.SelinuxLabel,
+ NoNewPrivileges: &p.NoNewPrivileges,
+ AppArmorProfile: p.ApparmorProfile,
+ }
+ for _, rlimit := range p.Rlimits {
+ rl, err := createLibContainerRlimit(rlimit)
+ if err != nil {
+ return nil, err
+ }
+ lp.Rlimits = append(lp.Rlimits, rl)
+ }
+ return lp, nil
+}
+
+func dupStdio(process *libcontainer.Process, rootuid int) error {
+ process.Stdin = os.Stdin
+ process.Stdout = os.Stdout
+ process.Stderr = os.Stderr
+ for _, fd := range []uintptr{
+ os.Stdin.Fd(),
+ os.Stdout.Fd(),
+ os.Stderr.Fd(),
+ } {
+ if err := syscall.Fchown(int(fd), rootuid, rootuid); err != nil {
+ return err
+ }
+ }
+ return nil
+}
+
+func destroy(container libcontainer.Container) {
+ if err := container.Destroy(); err != nil {
+ logrus.Error(err)
+ }
+}
+
+// setupIO sets the proper IO on the process depending on the configuration
+// If there is a nil error then there must be a non nil tty returned
+func setupIO(process *libcontainer.Process, rootuid int, console string, createTTY, detach bool) (*tty, error) {
+ // detach and createTty will not work unless a console path is passed
+ // so error out here before changing any terminal settings
+ if createTTY && detach && console == "" {
+ return nil, fmt.Errorf("cannot allocate tty if runc will detach")
+ }
+ if createTTY {
+ return createTty(process, rootuid, console)
+ }
+ if detach {
+ if err := dupStdio(process, rootuid); err != nil {
+ return nil, err
+ }
+ return &tty{}, nil
+ }
+ return createStdioPipes(process, rootuid)
+}
+
+// createPidFile creates a file with the processes pid inside it atomically
+// it creates a temp file with the paths filename + '.' infront of it
+// then renames the file
+func createPidFile(path string, process *libcontainer.Process) error {
+ pid, err := process.Pid()
+ if err != nil {
+ return err
+ }
+ var (
+ tmpDir = filepath.Dir(path)
+ tmpName = filepath.Join(tmpDir, fmt.Sprintf(".%s", filepath.Base(path)))
+ )
+ f, err := os.OpenFile(tmpName, os.O_RDWR|os.O_CREATE|os.O_EXCL|os.O_SYNC, 0666)
+ if err != nil {
+ return err
+ }
+ _, err = fmt.Fprintf(f, "%d", pid)
+ f.Close()
+ if err != nil {
+ return err
+ }
+ return os.Rename(tmpName, path)
+}
+
+type runner struct {
+ enableSubreaper bool
+ shouldDestroy bool
+ detach bool
+ listenFDs []*os.File
+ pidFile string
+ console string
+ container libcontainer.Container
+}
+
+func (r *runner) run(config *specs.Process) (int, error) {
+ process, err := newProcess(*config)
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ if len(r.listenFDs) > 0 {
+ process.Env = append(process.Env, fmt.Sprintf("LISTEN_FDS=%d", len(r.listenFDs)), "LISTEN_PID=1")
+ process.ExtraFiles = append(process.ExtraFiles, r.listenFDs...)
+ }
+ rootuid, err := r.container.Config().HostUID()
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ tty, err := setupIO(process, rootuid, r.console, config.Terminal, r.detach)
+ if err != nil {
+ r.destroy()
+ return -1, err
+ }
+ handler := newSignalHandler(tty, r.enableSubreaper)
+ if err := r.container.Start(process); err != nil {
+ r.destroy()
+ tty.Close()
+ return -1, err
+ }
+ if err := tty.ClosePostStart(); err != nil {
+ r.terminate(process)
+ r.destroy()
+ tty.Close()
+ return -1, err
+ }
+ if r.pidFile != "" {
+ if err := createPidFile(r.pidFile, process); err != nil {
+ r.terminate(process)
+ r.destroy()
+ tty.Close()
+ return -1, err
+ }
+ }
+ if r.detach {
+ tty.Close()
+ return 0, nil
+ }
+ status, err := handler.forward(process)
+ if err != nil {
+ r.terminate(process)
+ }
+ r.destroy()
+ tty.Close()
+ return status, err
+}
+
+func (r *runner) destroy() {
+ if r.shouldDestroy {
+ destroy(r.container)
+ }
+}
+
+func (r *runner) terminate(p *libcontainer.Process) {
+ p.Signal(syscall.SIGKILL)
+ p.Wait()
+}
+
+func sPtr(s string) *string { return &s }
+
+func createLibContainerRlimit(rlimit specs.Rlimit) (configs.Rlimit, error) {
+ rl, err := strToRlimit(rlimit.Type)
+ if err != nil {
+ return configs.Rlimit{}, err
+ }
+ return configs.Rlimit{
+ Type: rl,
+ Hard: uint64(rlimit.Hard),
+ Soft: uint64(rlimit.Soft),
+ }, nil
+}
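Review bot: createPidFile opens the temp file with mode `0666`, so under a permissive umask the resulting pid file is world-writable and any local user can rewrite the pid that a supervisor later reads and signals; `0644` is sufficient because only this process ever writes it. The same function ignores the result of `f.Close()` even though the file was opened with O_SYNC, so a failed flush is never reported before the rename; `if cerr := f.Close(); err == nil { err = cerr }` in place of the bare `f.Close()` preserves the atomic-write guarantee the comment promises. The user-facing error in setupIO, `cannot allocate tty if runc will detach`, still names runc although this binary is not runc; reword it to this project's name. startContainer reads the package-level `console` and loadFactory reads `root`, neither defined in this file, so a comment on each pointing at where they are set (presumably main.go) would save the reader a search.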