From d1ca50d49e52338feb1d46b69725b9ac21cc3ccc Mon Sep 17 00:00:00 2001
From: Zhengyu He
Date: Fri, 1 Jun 2018 13:39:53 -0700
Subject: Add SyscallRules that supports argument filtering

PiperOrigin-RevId: 198919043
Change-Id: I7f1f0a3b3430cd0936a4ee4fc6859aab71820bdf
---
 pkg/seccomp/seccomp_test_victim.go | 141 +++++++++++++++++++------------------
 1 file changed, 73 insertions(+), 68 deletions(-)

(limited to 'pkg/seccomp/seccomp_test_victim.go')

diff --git a/pkg/seccomp/seccomp_test_victim.go b/pkg/seccomp/seccomp_test_victim.go
index fe3f96901..4f2ae4dac 100644
--- a/pkg/seccomp/seccomp_test_victim.go
+++ b/pkg/seccomp/seccomp_test_victim.go
@@ -29,76 +29,81 @@ func main() {
 dieFlag := flag.Bool("die", false, "trips over the filter if true")
 flag.Parse()
- syscalls := []uintptr{
- syscall.SYS_ACCEPT,
- syscall.SYS_ARCH_PRCTL,
- syscall.SYS_BIND,
- syscall.SYS_BRK,
- syscall.SYS_CLOCK_GETTIME,
- syscall.SYS_CLONE,
- syscall.SYS_CLOSE,
- syscall.SYS_DUP,
- syscall.SYS_DUP2,
- syscall.SYS_EPOLL_CREATE1,
- syscall.SYS_EPOLL_CTL,
- syscall.SYS_EPOLL_WAIT,
- syscall.SYS_EXIT,
- syscall.SYS_EXIT_GROUP,
- syscall.SYS_FALLOCATE,
- syscall.SYS_FCHMOD,
- syscall.SYS_FCNTL,
- syscall.SYS_FSTAT,
- syscall.SYS_FSYNC,
- syscall.SYS_FTRUNCATE,
- syscall.SYS_FUTEX,
- syscall.SYS_GETDENTS64,
- syscall.SYS_GETPEERNAME,
- syscall.SYS_GETPID,
- syscall.SYS_GETSOCKNAME,
- syscall.SYS_GETSOCKOPT,
- syscall.SYS_GETTID,
- syscall.SYS_GETTIMEOFDAY,
- syscall.SYS_LISTEN,
- syscall.SYS_LSEEK,
- syscall.SYS_MADVISE,
- syscall.SYS_MINCORE,
- syscall.SYS_MMAP,
- syscall.SYS_MPROTECT,
- syscall.SYS_MUNLOCK,
- syscall.SYS_MUNMAP,
- syscall.SYS_NANOSLEEP,
- syscall.SYS_NEWFSTATAT,
- syscall.SYS_OPEN,
- syscall.SYS_POLL,
- syscall.SYS_PREAD64,
- syscall.SYS_PSELECT6,
- syscall.SYS_PWRITE64,
- syscall.SYS_READ,
- syscall.SYS_READLINKAT,
- syscall.SYS_READV,
- syscall.SYS_RECVMSG,
- syscall.SYS_RENAMEAT,
- syscall.SYS_RESTART_SYSCALL,
- syscall.SYS_RT_SIGACTION,
- syscall.SYS_RT_SIGPROCMASK,
- syscall.SYS_RT_SIGRETURN,
- syscall.SYS_SCHED_YIELD,
- syscall.SYS_SENDMSG,
- syscall.SYS_SETITIMER,
- syscall.SYS_SET_ROBUST_LIST,
- syscall.SYS_SETSOCKOPT,
- syscall.SYS_SHUTDOWN,
- syscall.SYS_SIGALTSTACK,
- syscall.SYS_SOCKET,
- syscall.SYS_SYNC_FILE_RANGE,
- syscall.SYS_TGKILL,
- syscall.SYS_UTIMENSAT,
- syscall.SYS_WRITE,
- syscall.SYS_WRITEV,
+ syscalls := seccomp.SyscallRules{
+ syscall.SYS_ACCEPT: {},
+ syscall.SYS_ARCH_PRCTL: {},
+ syscall.SYS_BIND: {},
+ syscall.SYS_BRK: {},
+ syscall.SYS_CLOCK_GETTIME: {},
+ syscall.SYS_CLONE: {},
+ syscall.SYS_CLOSE: {},
+ syscall.SYS_DUP: {},
+ syscall.SYS_DUP2: {},
+ syscall.SYS_EPOLL_CREATE1: {},
+ syscall.SYS_EPOLL_CTL: {},
+ syscall.SYS_EPOLL_WAIT: {},
+ syscall.SYS_EPOLL_PWAIT: {},
+ syscall.SYS_EXIT: {},
+ syscall.SYS_EXIT_GROUP: {},
+ syscall.SYS_FALLOCATE: {},
+ syscall.SYS_FCHMOD: {},
+ syscall.SYS_FCNTL: {},
+ syscall.SYS_FSTAT: {},
+ syscall.SYS_FSYNC: {},
+ syscall.SYS_FTRUNCATE: {},
+ syscall.SYS_FUTEX: {},
+ syscall.SYS_GETDENTS64: {},
+ syscall.SYS_GETPEERNAME: {},
+ syscall.SYS_GETPID: {},
+ syscall.SYS_GETSOCKNAME: {},
+ syscall.SYS_GETSOCKOPT: {},
+ syscall.SYS_GETTID: {},
+ syscall.SYS_GETTIMEOFDAY: {},
+ syscall.SYS_LISTEN: {},
+ syscall.SYS_LSEEK: {},
+ syscall.SYS_MADVISE: {},
+ syscall.SYS_MINCORE: {},
+ syscall.SYS_MMAP: {},
+ syscall.SYS_MPROTECT: {},
+ syscall.SYS_MUNLOCK: {},
+ syscall.SYS_MUNMAP: {},
+ syscall.SYS_NANOSLEEP: {},
+ syscall.SYS_NEWFSTATAT: {},
+ syscall.SYS_OPEN: {},
+ syscall.SYS_POLL: {},
+ syscall.SYS_PREAD64: {},
+ syscall.SYS_PSELECT6: {},
+ syscall.SYS_PWRITE64: {},
+ syscall.SYS_READ: {},
+ syscall.SYS_READLINKAT: {},
+ syscall.SYS_READV: {},
+ syscall.SYS_RECVMSG: {},
+ syscall.SYS_RENAMEAT: {},
+ syscall.SYS_RESTART_SYSCALL: {},
+ syscall.SYS_RT_SIGACTION: {},
+ syscall.SYS_RT_SIGPROCMASK: {},
+ syscall.SYS_RT_SIGRETURN: {},
+ syscall.SYS_SCHED_YIELD: {},
+ syscall.SYS_SENDMSG: {},
+ syscall.SYS_SETITIMER: {},
+ syscall.SYS_SET_ROBUST_LIST: {},
+ syscall.SYS_SETSOCKOPT: {},
+ syscall.SYS_SHUTDOWN: {},
+ syscall.SYS_SIGALTSTACK: {},
+ syscall.SYS_SOCKET: {},
+ syscall.SYS_SYNC_FILE_RANGE: {},
+ syscall.SYS_TGKILL: {},
+ syscall.SYS_UTIMENSAT: {},
+ syscall.SYS_WRITE: {},
+ syscall.SYS_WRITEV: {},
 }
 die := *dieFlag
 if !die {
- syscalls = append(syscalls, syscall.SYS_OPENAT)
+ syscalls[syscall.SYS_OPENAT] = []seccomp.Rule{
+ {
+ seccomp.AllowValue(10),
+ },
+ }
 }
 if err := seccomp.Install(syscalls, false); err != nil {
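Review bot: The die path still leaves SYS_OPENAT out of the rule set entirely, so the new argument filter is only ever exercised on its allow side (dirfd == 10 at the RawSyscall call, outside this hunk); a process killed because openat is absent from the filter is indistinguishable from one killed because the argument did not match, which is the property this commit introduces. Installing the rule unconditionally, `syscalls[syscall.SYS_OPENAT] = []seccomp.Rule{{seccomp.AllowValue(10)}}` ahead of the `if !die` block, and having the die path issue openat with a dirfd other than 10, would cover the deny side of the argument check as well. Separately, the new map lists `syscall.SYS_EPOLL_PWAIT: {}`, which the removed slice did not contain and the commit message does not mention; if the Go runtime needs it on some kernels a one-line comment saying so would justify the wider allowlist, otherwise it looks like an unrelated change. The body of main begins and ends outside this hunk.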
@@ -107,6 +112,6 @@ func main() {
 }
 fmt.Printf("Filters installed\n")
- syscall.RawSyscall(syscall.SYS_OPENAT, 0, 0, 0)
+ syscall.RawSyscall(syscall.SYS_OPENAT, 10, 0, 0)
 fmt.Printf("Syscall was allowed!!!\n")
 }
-- cgit v1.2.3
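Review bot: The literal 10 in `syscall.RawSyscall(syscall.SYS_OPENAT, 10, 0, 0)` silently duplicates the value handed to `seccomp.AllowValue(10)` where the openat rule is built earlier in main, outside this hunk; if either side is edited on its own the victim stops testing what it claims to test. A package-level `const allowedOpenatDirfd = 10` used in both places, or at minimum a comment such as `// dirfd must match the AllowValue rule installed for SYS_OPENAT above`, keeps the two in step. The call's return value is discarded, which appears intentional because survival of the process rather than the syscall's result is the signal here; a brief comment stating that would spare a reader looking for the missing error check. main's body starts outside this hunk.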