summaryrefslogtreecommitdiffhomepage
path: root/runsc
diff options
context:
space:
mode:
Diffstat (limited to 'runsc')
-rw-r--r--runsc/boot/filter/config.go249
-rw-r--r--runsc/boot/filter/extra_filters.go6
-rw-r--r--runsc/boot/filter/extra_filters_msan.go10
-rw-r--r--runsc/boot/filter/extra_filters_race.go19
-rw-r--r--runsc/boot/filter/filter.go12
5 files changed, 154 insertions, 142 deletions
diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 130e987df..86c256c5b 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -18,77 +18,78 @@ import (
"syscall"
"golang.org/x/sys/unix"
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
)
// allowedSyscalls is the set of syscalls executed by the Sentry
// to the host OS.
-var allowedSyscalls = []uintptr{
- syscall.SYS_ACCEPT,
- syscall.SYS_ARCH_PRCTL,
- syscall.SYS_CLOCK_GETTIME,
- syscall.SYS_CLONE,
- syscall.SYS_CLOSE,
- syscall.SYS_DUP,
- syscall.SYS_DUP2,
- syscall.SYS_EPOLL_CREATE1,
- syscall.SYS_EPOLL_CTL,
- syscall.SYS_EPOLL_PWAIT,
- syscall.SYS_EPOLL_WAIT,
- syscall.SYS_EVENTFD2,
- syscall.SYS_EXIT,
- syscall.SYS_EXIT_GROUP,
- syscall.SYS_FALLOCATE,
- syscall.SYS_FCHMOD,
- syscall.SYS_FCNTL,
- syscall.SYS_FSTAT,
- syscall.SYS_FSYNC,
- syscall.SYS_FTRUNCATE,
- syscall.SYS_FUTEX,
- syscall.SYS_GETDENTS64,
- syscall.SYS_GETPID,
- unix.SYS_GETRANDOM,
- syscall.SYS_GETSOCKOPT,
- syscall.SYS_GETTID,
- syscall.SYS_GETTIMEOFDAY,
- syscall.SYS_LISTEN,
- syscall.SYS_LSEEK,
- syscall.SYS_MADVISE,
- syscall.SYS_MINCORE,
- syscall.SYS_MMAP,
- syscall.SYS_MPROTECT,
- syscall.SYS_MUNMAP,
- syscall.SYS_NEWFSTATAT,
- syscall.SYS_POLL,
- syscall.SYS_PREAD64,
- syscall.SYS_PSELECT6,
- syscall.SYS_PWRITE64,
- syscall.SYS_READ,
- syscall.SYS_READLINKAT,
- syscall.SYS_READV,
- syscall.SYS_RECVMSG,
- syscall.SYS_RENAMEAT,
- syscall.SYS_RESTART_SYSCALL,
- syscall.SYS_RT_SIGACTION,
- syscall.SYS_RT_SIGPROCMASK,
- syscall.SYS_RT_SIGRETURN,
- syscall.SYS_SCHED_YIELD,
- syscall.SYS_SENDMSG,
- syscall.SYS_SETITIMER,
- syscall.SYS_SHUTDOWN,
- syscall.SYS_SIGALTSTACK,
- syscall.SYS_SYNC_FILE_RANGE,
- syscall.SYS_TGKILL,
- syscall.SYS_UTIMENSAT,
- syscall.SYS_WRITE,
- syscall.SYS_WRITEV,
+var allowedSyscalls = seccomp.SyscallRules{
+ syscall.SYS_ACCEPT: {},
+ syscall.SYS_ARCH_PRCTL: {},
+ syscall.SYS_CLOCK_GETTIME: {},
+ syscall.SYS_CLONE: {},
+ syscall.SYS_CLOSE: {},
+ syscall.SYS_DUP: {},
+ syscall.SYS_DUP2: {},
+ syscall.SYS_EPOLL_CREATE1: {},
+ syscall.SYS_EPOLL_CTL: {},
+ syscall.SYS_EPOLL_PWAIT: {},
+ syscall.SYS_EPOLL_WAIT: {},
+ syscall.SYS_EVENTFD2: {},
+ syscall.SYS_EXIT: {},
+ syscall.SYS_EXIT_GROUP: {},
+ syscall.SYS_FALLOCATE: {},
+ syscall.SYS_FCHMOD: {},
+ syscall.SYS_FCNTL: {},
+ syscall.SYS_FSTAT: {},
+ syscall.SYS_FSYNC: {},
+ syscall.SYS_FTRUNCATE: {},
+ syscall.SYS_FUTEX: {},
+ syscall.SYS_GETDENTS64: {},
+ syscall.SYS_GETPID: {},
+ unix.SYS_GETRANDOM: {},
+ syscall.SYS_GETSOCKOPT: {},
+ syscall.SYS_GETTID: {},
+ syscall.SYS_GETTIMEOFDAY: {},
+ syscall.SYS_LISTEN: {},
+ syscall.SYS_LSEEK: {},
+ syscall.SYS_MADVISE: {},
+ syscall.SYS_MINCORE: {},
+ syscall.SYS_MMAP: {},
+ syscall.SYS_MPROTECT: {},
+ syscall.SYS_MUNMAP: {},
+ syscall.SYS_NEWFSTATAT: {},
+ syscall.SYS_POLL: {},
+ syscall.SYS_PREAD64: {},
+ syscall.SYS_PSELECT6: {},
+ syscall.SYS_PWRITE64: {},
+ syscall.SYS_READ: {},
+ syscall.SYS_READLINKAT: {},
+ syscall.SYS_READV: {},
+ syscall.SYS_RECVMSG: {},
+ syscall.SYS_RENAMEAT: {},
+ syscall.SYS_RESTART_SYSCALL: {},
+ syscall.SYS_RT_SIGACTION: {},
+ syscall.SYS_RT_SIGPROCMASK: {},
+ syscall.SYS_RT_SIGRETURN: {},
+ syscall.SYS_SCHED_YIELD: {},
+ syscall.SYS_SENDMSG: {},
+ syscall.SYS_SETITIMER: {},
+ syscall.SYS_SHUTDOWN: {},
+ syscall.SYS_SIGALTSTACK: {},
+ syscall.SYS_SYNC_FILE_RANGE: {},
+ syscall.SYS_TGKILL: {},
+ syscall.SYS_UTIMENSAT: {},
+ syscall.SYS_WRITE: {},
+ syscall.SYS_WRITEV: {},
}
// TODO: Ioctl is needed in order to support tty consoles.
// Once filters support argument-checking, we should only allow ioctl
// with tty-related arguments.
-func consoleFilters() []uintptr {
- return []uintptr{
- syscall.SYS_IOCTL,
+func consoleFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_IOCTL: {},
}
}
@@ -97,79 +98,79 @@ func consoleFilters() []uintptr {
// file operations that would otherwise be disabled by seccomp when a Gofer is
// used. When whitelistFS is not used, openning new FD in the Sentry is
// disallowed.
-func whitelistFSFilters() []uintptr {
- return []uintptr{
- syscall.SYS_ACCESS,
- syscall.SYS_FCHMOD,
- syscall.SYS_FSTAT,
- syscall.SYS_FSYNC,
- syscall.SYS_FTRUNCATE,
- syscall.SYS_GETCWD,
- syscall.SYS_GETDENTS,
- syscall.SYS_GETDENTS64,
- syscall.SYS_LSEEK,
- syscall.SYS_LSTAT,
- syscall.SYS_MKDIR,
- syscall.SYS_MKDIRAT,
- syscall.SYS_NEWFSTATAT,
- syscall.SYS_OPEN,
- syscall.SYS_OPENAT,
- syscall.SYS_PREAD64,
- syscall.SYS_PWRITE64,
- syscall.SYS_READ,
- syscall.SYS_READLINK,
- syscall.SYS_READLINKAT,
- syscall.SYS_RENAMEAT,
- syscall.SYS_STAT,
- syscall.SYS_SYMLINK,
- syscall.SYS_SYMLINKAT,
- syscall.SYS_SYNC_FILE_RANGE,
- syscall.SYS_UNLINK,
- syscall.SYS_UNLINKAT,
- syscall.SYS_UTIMENSAT,
- syscall.SYS_WRITE,
+func whitelistFSFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_ACCESS: {},
+ syscall.SYS_FCHMOD: {},
+ syscall.SYS_FSTAT: {},
+ syscall.SYS_FSYNC: {},
+ syscall.SYS_FTRUNCATE: {},
+ syscall.SYS_GETCWD: {},
+ syscall.SYS_GETDENTS: {},
+ syscall.SYS_GETDENTS64: {},
+ syscall.SYS_LSEEK: {},
+ syscall.SYS_LSTAT: {},
+ syscall.SYS_MKDIR: {},
+ syscall.SYS_MKDIRAT: {},
+ syscall.SYS_NEWFSTATAT: {},
+ syscall.SYS_OPEN: {},
+ syscall.SYS_OPENAT: {},
+ syscall.SYS_PREAD64: {},
+ syscall.SYS_PWRITE64: {},
+ syscall.SYS_READ: {},
+ syscall.SYS_READLINK: {},
+ syscall.SYS_READLINKAT: {},
+ syscall.SYS_RENAMEAT: {},
+ syscall.SYS_STAT: {},
+ syscall.SYS_SYMLINK: {},
+ syscall.SYS_SYMLINKAT: {},
+ syscall.SYS_SYNC_FILE_RANGE: {},
+ syscall.SYS_UNLINK: {},
+ syscall.SYS_UNLINKAT: {},
+ syscall.SYS_UTIMENSAT: {},
+ syscall.SYS_WRITE: {},
}
}
// hostInetFilters contains syscalls that are needed by sentry/socket/hostinet.
-func hostInetFilters() []uintptr {
- return []uintptr{
- syscall.SYS_ACCEPT4,
- syscall.SYS_BIND,
- syscall.SYS_CONNECT,
- syscall.SYS_GETPEERNAME,
- syscall.SYS_GETSOCKNAME,
- syscall.SYS_GETSOCKOPT,
- syscall.SYS_IOCTL,
- syscall.SYS_LISTEN,
- syscall.SYS_READV,
- syscall.SYS_RECVFROM,
- syscall.SYS_RECVMSG,
- syscall.SYS_SENDMSG,
- syscall.SYS_SENDTO,
- syscall.SYS_SETSOCKOPT,
- syscall.SYS_SHUTDOWN,
- syscall.SYS_SOCKET,
- syscall.SYS_WRITEV,
+func hostInetFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_ACCEPT4: {},
+ syscall.SYS_BIND: {},
+ syscall.SYS_CONNECT: {},
+ syscall.SYS_GETPEERNAME: {},
+ syscall.SYS_GETSOCKNAME: {},
+ syscall.SYS_GETSOCKOPT: {},
+ syscall.SYS_IOCTL: {},
+ syscall.SYS_LISTEN: {},
+ syscall.SYS_READV: {},
+ syscall.SYS_RECVFROM: {},
+ syscall.SYS_RECVMSG: {},
+ syscall.SYS_SENDMSG: {},
+ syscall.SYS_SENDTO: {},
+ syscall.SYS_SETSOCKOPT: {},
+ syscall.SYS_SHUTDOWN: {},
+ syscall.SYS_SOCKET: {},
+ syscall.SYS_WRITEV: {},
}
}
// ptraceFilters returns syscalls made exclusively by the ptrace platform.
-func ptraceFilters() []uintptr {
- return []uintptr{
- syscall.SYS_PTRACE,
- syscall.SYS_WAIT4,
- unix.SYS_GETCPU,
- unix.SYS_SCHED_SETAFFINITY,
+func ptraceFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_PTRACE: {},
+ syscall.SYS_WAIT4: {},
+ unix.SYS_GETCPU: {},
+ unix.SYS_SCHED_SETAFFINITY: {},
}
}
// kvmFilters returns syscalls made exclusively by the KVM platform.
-func kvmFilters() []uintptr {
- return []uintptr{
- syscall.SYS_IOCTL,
- syscall.SYS_RT_SIGSUSPEND,
- syscall.SYS_RT_SIGTIMEDWAIT,
- 0xffffffffffffffff, // KVM uses syscall -1 to transition to host.
+func kvmFilters() seccomp.SyscallRules {
+ return seccomp.SyscallRules{
+ syscall.SYS_IOCTL: {},
+ syscall.SYS_RT_SIGSUSPEND: {},
+ syscall.SYS_RT_SIGTIMEDWAIT: {},
+ 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host.
}
}
diff --git a/runsc/boot/filter/extra_filters.go b/runsc/boot/filter/extra_filters.go
index e10d9bf4c..82cf00dfb 100644
--- a/runsc/boot/filter/extra_filters.go
+++ b/runsc/boot/filter/extra_filters.go
@@ -16,9 +16,13 @@
package filter
+import (
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
+)
+
// instrumentationFilters returns additional filters for syscalls used by
// Go intrumentation tools, e.g. -race, -msan.
// Returns empty when disabled.
-func instrumentationFilters() []uintptr {
+func instrumentationFilters() seccomp.SyscallRules {
return nil
}
diff --git a/runsc/boot/filter/extra_filters_msan.go b/runsc/boot/filter/extra_filters_msan.go
index a862340f6..76f3f6865 100644
--- a/runsc/boot/filter/extra_filters_msan.go
+++ b/runsc/boot/filter/extra_filters_msan.go
@@ -18,13 +18,15 @@ package filter
import (
"syscall"
+
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
)
// instrumentationFilters returns additional filters for syscalls used by MSAN.
-func instrumentationFilters() []uintptr {
+func instrumentationFilters() seccomp.SyscallRules {
Report("MSAN is enabled: syscall filters less restrictive!")
- return []uintptr{
- syscall.SYS_SCHED_GETAFFINITY,
- syscall.SYS_SET_ROBUST_LIST,
+ return seccomp.SyscallRules{
+ syscall.SYS_SCHED_GETAFFINITY: {},
+ syscall.SYS_SET_ROBUST_LIST: {},
}
}
diff --git a/runsc/boot/filter/extra_filters_race.go b/runsc/boot/filter/extra_filters_race.go
index b0c74a58a..c810773df 100644
--- a/runsc/boot/filter/extra_filters_race.go
+++ b/runsc/boot/filter/extra_filters_race.go
@@ -18,16 +18,21 @@ package filter
import (
"syscall"
+
+ "gvisor.googlesource.com/gvisor/pkg/seccomp"
)
// instrumentationFilters returns additional filters for syscalls used by TSAN.
-func instrumentationFilters() []uintptr {
+func instrumentationFilters() seccomp.SyscallRules {
Report("TSAN is enabled: syscall filters less restrictive!")
- return []uintptr{
- syscall.SYS_BRK,
- syscall.SYS_MUNLOCK,
- syscall.SYS_NANOSLEEP,
- syscall.SYS_OPEN,
- syscall.SYS_SET_ROBUST_LIST,
+ return seccomp.SyscallRules{
+ syscall.SYS_BRK: {},
+ syscall.SYS_CLONE: {},
+ syscall.SYS_FUTEX: {},
+ syscall.SYS_MMAP: {},
+ syscall.SYS_MUNLOCK: {},
+ syscall.SYS_NANOSLEEP: {},
+ syscall.SYS_OPEN: {},
+ syscall.SYS_SET_ROBUST_LIST: {},
}
}
diff --git a/runsc/boot/filter/filter.go b/runsc/boot/filter/filter.go
index 3ba56a318..6ea9c464e 100644
--- a/runsc/boot/filter/filter.go
+++ b/runsc/boot/filter/filter.go
@@ -33,26 +33,26 @@ func Install(p platform.Platform, whitelistFS, console, hostNetwork bool) error
// Set of additional filters used by -race and -msan. Returns empty
// when not enabled.
- s = append(s, instrumentationFilters()...)
+ s.Merge(instrumentationFilters())
if whitelistFS {
Report("direct file access allows unrestricted file access!")
- s = append(s, whitelistFSFilters()...)
+ s.Merge(whitelistFSFilters())
}
if console {
Report("console is enabled: syscall filters less restrictive!")
- s = append(s, consoleFilters()...)
+ s.Merge(consoleFilters())
}
if hostNetwork {
Report("host networking enabled: syscall filters less restrictive!")
- s = append(s, hostInetFilters()...)
+ s.Merge(hostInetFilters())
}
switch p := p.(type) {
case *ptrace.PTrace:
- s = append(s, ptraceFilters()...)
+ s.Merge(ptraceFilters())
case *kvm.KVM:
- s = append(s, kvmFilters()...)
+ s.Merge(kvmFilters())
default:
return fmt.Errorf("unknown platform type %T", p)
}