diff options
| author | Kevin Krakauer <krakauer@google.com> | 2018-06-19 17:16:39 -0700 |
|---|---|---|
| committer | Shentubot <shentubot@google.com> | 2018-06-19 17:17:41 -0700 |
| commit | 3ebd0e35f43d9ca282886aabce52fbb7fc7e1fc5 (patch) | |
| tree | 4e624e895fd66683b42e12f8d12bd5ea5029ce04 /runsc/boot | |
| parent | 18d899245329daf472c322c81af356958b3e2613 (diff) | |
runsc: Whitelist lstat, as it is now used in specutils.
When running multi-container, child containers are added after the filters have
been installed. Thus, lstat must be in the set of allowed syscalls.
PiperOrigin-RevId: 201269550
Change-Id: I03f2e6675a53d462ed12a0f651c10049b76d4c52
Diffstat (limited to 'runsc/boot')
| -rw-r--r-- | runsc/boot/filter/config.go | 61 |
1 files changed, 32 insertions, 29 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go index 4e286c5da..fdc3e02c6 100644 --- a/runsc/boot/filter/config.go +++ b/runsc/boot/filter/config.go @@ -24,35 +24,38 @@ import ( // allowedSyscalls is the set of syscalls executed by the Sentry // to the host OS. var allowedSyscalls = seccomp.SyscallRules{ - syscall.SYS_ACCEPT: {}, - syscall.SYS_ARCH_PRCTL: {}, - syscall.SYS_CLOCK_GETTIME: {}, - syscall.SYS_CLONE: {}, - syscall.SYS_CLOSE: {}, - syscall.SYS_DUP: {}, - syscall.SYS_DUP2: {}, - syscall.SYS_EPOLL_CREATE1: {}, - syscall.SYS_EPOLL_CTL: {}, - syscall.SYS_EPOLL_PWAIT: {}, - syscall.SYS_EPOLL_WAIT: {}, - syscall.SYS_EVENTFD2: {}, - syscall.SYS_EXIT: {}, - syscall.SYS_EXIT_GROUP: {}, - syscall.SYS_FALLOCATE: {}, - syscall.SYS_FCHMOD: {}, - syscall.SYS_FCNTL: {}, - syscall.SYS_FSTAT: {}, - syscall.SYS_FSYNC: {}, - syscall.SYS_FTRUNCATE: {}, - syscall.SYS_FUTEX: {}, - syscall.SYS_GETDENTS64: {}, - syscall.SYS_GETPID: {}, - unix.SYS_GETRANDOM: {}, - syscall.SYS_GETSOCKOPT: {}, - syscall.SYS_GETTID: {}, - syscall.SYS_GETTIMEOFDAY: {}, - syscall.SYS_LISTEN: {}, - syscall.SYS_LSEEK: {}, + syscall.SYS_ACCEPT: {}, + syscall.SYS_ARCH_PRCTL: {}, + syscall.SYS_CLOCK_GETTIME: {}, + syscall.SYS_CLONE: {}, + syscall.SYS_CLOSE: {}, + syscall.SYS_DUP: {}, + syscall.SYS_DUP2: {}, + syscall.SYS_EPOLL_CREATE1: {}, + syscall.SYS_EPOLL_CTL: {}, + syscall.SYS_EPOLL_PWAIT: {}, + syscall.SYS_EPOLL_WAIT: {}, + syscall.SYS_EVENTFD2: {}, + syscall.SYS_EXIT: {}, + syscall.SYS_EXIT_GROUP: {}, + syscall.SYS_FALLOCATE: {}, + syscall.SYS_FCHMOD: {}, + syscall.SYS_FCNTL: {}, + syscall.SYS_FSTAT: {}, + syscall.SYS_FSYNC: {}, + syscall.SYS_FTRUNCATE: {}, + syscall.SYS_FUTEX: {}, + syscall.SYS_GETDENTS64: {}, + syscall.SYS_GETPID: {}, + unix.SYS_GETRANDOM: {}, + syscall.SYS_GETSOCKOPT: {}, + syscall.SYS_GETTID: {}, + syscall.SYS_GETTIMEOFDAY: {}, + syscall.SYS_LISTEN: {}, + syscall.SYS_LSEEK: {}, + // TODO: Remove SYS_LSTAT when executable lookup moves + // into the gofer. + syscall.SYS_LSTAT: {}, syscall.SYS_MADVISE: {}, syscall.SYS_MINCORE: {}, syscall.SYS_MMAP: {}, |