authorKevin Krakauer <krakauer@google.com>2018-06-19 17:16:39 -0700
committerShentubot <shentubot@google.com>2018-06-19 17:17:41 -0700
commit3ebd0e35f43d9ca282886aabce52fbb7fc7e1fc5 (patch)
tree4e624e895fd66683b42e12f8d12bd5ea5029ce04
parent18d899245329daf472c322c81af356958b3e2613 (diff)
runsc: Whitelist lstat, as it is now used in specutils.
When running in multi-container mode, child containers are added after the filters have been installed. Thus, lstat must be in the set of allowed syscalls. PiperOrigin-RevId: 201269550 Change-Id: I03f2e6675a53d462ed12a0f651c10049b76d4c52
-rw-r--r--runsc/boot/filter/config.go61
1 files changed, 32 insertions, 29 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 4e286c5da..fdc3e02c6 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -24,35 +24,38 @@ import (
// allowedSyscalls is the set of syscalls executed by the Sentry
// to the host OS.
var allowedSyscalls = seccomp.SyscallRules{
- syscall.SYS_ACCEPT: {},
- syscall.SYS_ARCH_PRCTL: {},
- syscall.SYS_CLOCK_GETTIME: {},
- syscall.SYS_CLONE: {},
- syscall.SYS_CLOSE: {},
- syscall.SYS_DUP: {},
- syscall.SYS_DUP2: {},
- syscall.SYS_EPOLL_CREATE1: {},
- syscall.SYS_EPOLL_CTL: {},
- syscall.SYS_EPOLL_PWAIT: {},
- syscall.SYS_EPOLL_WAIT: {},
- syscall.SYS_EVENTFD2: {},
- syscall.SYS_EXIT: {},
- syscall.SYS_EXIT_GROUP: {},
- syscall.SYS_FALLOCATE: {},
- syscall.SYS_FCHMOD: {},
- syscall.SYS_FCNTL: {},
- syscall.SYS_FSTAT: {},
- syscall.SYS_FSYNC: {},
- syscall.SYS_FTRUNCATE: {},
- syscall.SYS_FUTEX: {},
- syscall.SYS_GETDENTS64: {},
- syscall.SYS_GETPID: {},
- unix.SYS_GETRANDOM: {},
- syscall.SYS_GETSOCKOPT: {},
- syscall.SYS_GETTID: {},
- syscall.SYS_GETTIMEOFDAY: {},
- syscall.SYS_LISTEN: {},
- syscall.SYS_LSEEK: {},
+ syscall.SYS_ACCEPT: {},
+ syscall.SYS_ARCH_PRCTL: {},
+ syscall.SYS_CLOCK_GETTIME: {},
+ syscall.SYS_CLONE: {},
+ syscall.SYS_CLOSE: {},
+ syscall.SYS_DUP: {},
+ syscall.SYS_DUP2: {},
+ syscall.SYS_EPOLL_CREATE1: {},
+ syscall.SYS_EPOLL_CTL: {},
+ syscall.SYS_EPOLL_PWAIT: {},
+ syscall.SYS_EPOLL_WAIT: {},
+ syscall.SYS_EVENTFD2: {},
+ syscall.SYS_EXIT: {},
+ syscall.SYS_EXIT_GROUP: {},
+ syscall.SYS_FALLOCATE: {},
+ syscall.SYS_FCHMOD: {},
+ syscall.SYS_FCNTL: {},
+ syscall.SYS_FSTAT: {},
+ syscall.SYS_FSYNC: {},
+ syscall.SYS_FTRUNCATE: {},
+ syscall.SYS_FUTEX: {},
+ syscall.SYS_GETDENTS64: {},
+ syscall.SYS_GETPID: {},
+ unix.SYS_GETRANDOM: {},
+ syscall.SYS_GETSOCKOPT: {},
+ syscall.SYS_GETTID: {},
+ syscall.SYS_GETTIMEOFDAY: {},
+ syscall.SYS_LISTEN: {},
+ syscall.SYS_LSEEK: {},
+ // TODO: Remove SYS_LSTAT when executable lookup moves
+ // into the gofer.
+ syscall.SYS_LSTAT: {},
syscall.SYS_MADVISE: {},
syscall.SYS_MINCORE: {},
syscall.SYS_MMAP: {},
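Review bot: The TODO on the new SYS_LSTAT rule says when the rule can be dropped but not why it had to be added, and the reason (given only in the commit message) is what the next person auditing this allowlist will need to decide whether it is still required. I would extend the comment to `// TODO: Remove SYS_LSTAT when executable lookup moves into the gofer.` / `// Needed because child containers are added after the filters are installed,` / `// so specutils' executable lookup runs under the seccomp filter.` Since the entry widens the host-syscall surface unconditionally (`{}`, no argument rules, consistent with the rest of the table), a tracking reference in the TODO (e.g. `TODO(b/<tracking-bug>)`) would keep the temporary allowance from being forgotten. The `allowedSyscalls` literal continues past the end of the hunk.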