-rw-r--r-- | runsc/boot/filter/config.go | 61 |
1 files changed, 32 insertions, 29 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 4e286c5da..fdc3e02c6 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -24,35 +24,38 @@ import (
 // allowedSyscalls is the set of syscalls executed by the Sentry
 // to the host OS.
 var allowedSyscalls = seccomp.SyscallRules{
- syscall.SYS_ACCEPT: {},
- syscall.SYS_ARCH_PRCTL: {},
- syscall.SYS_CLOCK_GETTIME: {},
- syscall.SYS_CLONE: {},
- syscall.SYS_CLOSE: {},
- syscall.SYS_DUP: {},
- syscall.SYS_DUP2: {},
- syscall.SYS_EPOLL_CREATE1: {},
- syscall.SYS_EPOLL_CTL: {},
- syscall.SYS_EPOLL_PWAIT: {},
- syscall.SYS_EPOLL_WAIT: {},
- syscall.SYS_EVENTFD2: {},
- syscall.SYS_EXIT: {},
- syscall.SYS_EXIT_GROUP: {},
- syscall.SYS_FALLOCATE: {},
- syscall.SYS_FCHMOD: {},
- syscall.SYS_FCNTL: {},
- syscall.SYS_FSTAT: {},
- syscall.SYS_FSYNC: {},
- syscall.SYS_FTRUNCATE: {},
- syscall.SYS_FUTEX: {},
- syscall.SYS_GETDENTS64: {},
- syscall.SYS_GETPID: {},
- unix.SYS_GETRANDOM: {},
- syscall.SYS_GETSOCKOPT: {},
- syscall.SYS_GETTID: {},
- syscall.SYS_GETTIMEOFDAY: {},
- syscall.SYS_LISTEN: {},
- syscall.SYS_LSEEK: {},
+ syscall.SYS_ACCEPT: {},
+ syscall.SYS_ARCH_PRCTL: {},
+ syscall.SYS_CLOCK_GETTIME: {},
+ syscall.SYS_CLONE: {},
+ syscall.SYS_CLOSE: {},
+ syscall.SYS_DUP: {},
+ syscall.SYS_DUP2: {},
+ syscall.SYS_EPOLL_CREATE1: {},
+ syscall.SYS_EPOLL_CTL: {},
+ syscall.SYS_EPOLL_PWAIT: {},
+ syscall.SYS_EPOLL_WAIT: {},
+ syscall.SYS_EVENTFD2: {},
+ syscall.SYS_EXIT: {},
+ syscall.SYS_EXIT_GROUP: {},
+ syscall.SYS_FALLOCATE: {},
+ syscall.SYS_FCHMOD: {},
+ syscall.SYS_FCNTL: {},
+ syscall.SYS_FSTAT: {},
+ syscall.SYS_FSYNC: {},
+ syscall.SYS_FTRUNCATE: {},
+ syscall.SYS_FUTEX: {},
+ syscall.SYS_GETDENTS64: {},
+ syscall.SYS_GETPID: {},
+ unix.SYS_GETRANDOM: {},
+ syscall.SYS_GETSOCKOPT: {},
+ syscall.SYS_GETTID: {},
+ syscall.SYS_GETTIMEOFDAY: {},
+ syscall.SYS_LISTEN: {},
+ syscall.SYS_LSEEK: {},
+ // TODO: Remove SYS_LSTAT when executable lookup moves
+ // into the gofer.
+ syscall.SYS_LSTAT: {},
 syscall.SYS_MADVISE: {},
 syscall.SYS_MINCORE: {},
 syscall.SYS_MMAP: {}, |
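Review bot: The new `syscall.SYS_LSTAT: {}` entry widens the Sentry's host seccomp allowlist with no argument constraints, and the TODO above it names neither an owner nor a tracking issue, so nothing will prompt its removal once executable lookup moves into the gofer. Every other changed line in this hunk appears to be gofmt realignment caused by inserting the comment, so the allowlist change itself is the single line worth scrutiny. Suggest tying the temporary entry to a ticket and recording why it is needed, e.g. `// TODO(<tracking-issue>): Remove SYS_LSTAT once executable lookup moves into the gofer; the Sentry currently needs it to resolve executables itself.` The `allowedSyscalls` literal continues past the end of the hunk, so any further entries added in the same change are not visible here.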