IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
f5c8a71698d0a7a16c68be220e49fe64bfee7f5c
mattermost/plugin/rpcplugin/sandbox/seccomp_linux_amd64.go

302 lines
9.2 KiB
Go
Raw Normal View History

ABC-22: Plugin sandboxing for linux/amd64 (#8068) * plugin sandboxing * remove unused type * better symlink handling, better remounting, better test, whitespace fixes, and comment on the remounting * fix test compile error * big simplification for getting mount flags * mask statfs flags to the ones we're interested in
2018-01-15 11:21:06 -06:00
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package sandbox
import (
"golang.org/x/sys/unix"
)
const NATIVE_AUDIT_ARCH = AUDIT_ARCH_X86_64
var AllowedSyscalls = []SeccompSyscall{
{Syscall: unix.SYS_ACCEPT},
{Syscall: unix.SYS_ACCEPT4},
{Syscall: unix.SYS_ACCESS},
{Syscall: unix.SYS_ADJTIMEX},
{Syscall: unix.SYS_ALARM},
{Syscall: unix.SYS_ARCH_PRCTL},
{Syscall: unix.SYS_BIND},
{Syscall: unix.SYS_BRK},
{Syscall: unix.SYS_CAPGET},
{Syscall: unix.SYS_CAPSET},
{Syscall: unix.SYS_CHDIR},
{Syscall: unix.SYS_CHMOD},
{Syscall: unix.SYS_CHOWN},
{Syscall: unix.SYS_CLOCK_GETRES},
{Syscall: unix.SYS_CLOCK_GETTIME},
{Syscall: unix.SYS_CLOCK_NANOSLEEP},
{
Syscall: unix.SYS_CLONE,
Any: []SeccompConditions{{
All: []SeccompCondition{SeccompArgHasNoBits{
Arg: 0,
Mask: unix.CLONE_NEWCGROUP | unix.CLONE_NEWIPC | unix.CLONE_NEWNET | unix.CLONE_NEWNS | unix.CLONE_NEWPID | unix.CLONE_NEWUSER | unix.CLONE_NEWUTS,
}},
}},
},
{Syscall: unix.SYS_CLOSE},
{Syscall: unix.SYS_CONNECT},
{Syscall: unix.SYS_COPY_FILE_RANGE},
{Syscall: unix.SYS_CREAT},
{Syscall: unix.SYS_DUP},
{Syscall: unix.SYS_DUP2},
{Syscall: unix.SYS_DUP3},
{Syscall: unix.SYS_EPOLL_CREATE},
{Syscall: unix.SYS_EPOLL_CREATE1},
{Syscall: unix.SYS_EPOLL_CTL},
{Syscall: unix.SYS_EPOLL_CTL_OLD},
{Syscall: unix.SYS_EPOLL_PWAIT},
{Syscall: unix.SYS_EPOLL_WAIT},
{Syscall: unix.SYS_EPOLL_WAIT_OLD},
{Syscall: unix.SYS_EVENTFD},
{Syscall: unix.SYS_EVENTFD2},
{Syscall: unix.SYS_EXECVE},
{Syscall: unix.SYS_EXECVEAT},
{Syscall: unix.SYS_EXIT},
{Syscall: unix.SYS_EXIT_GROUP},
{Syscall: unix.SYS_FACCESSAT},
{Syscall: unix.SYS_FADVISE64},
{Syscall: unix.SYS_FALLOCATE},
{Syscall: unix.SYS_FANOTIFY_MARK},
{Syscall: unix.SYS_FCHDIR},
{Syscall: unix.SYS_FCHMOD},
{Syscall: unix.SYS_FCHMODAT},
{Syscall: unix.SYS_FCHOWN},
{Syscall: unix.SYS_FCHOWNAT},
{Syscall: unix.SYS_FCNTL},
{Syscall: unix.SYS_FDATASYNC},
{Syscall: unix.SYS_FGETXATTR},
{Syscall: unix.SYS_FLISTXATTR},
{Syscall: unix.SYS_FLOCK},
{Syscall: unix.SYS_FORK},
{Syscall: unix.SYS_FREMOVEXATTR},
{Syscall: unix.SYS_FSETXATTR},
{Syscall: unix.SYS_FSTAT},
{Syscall: unix.SYS_FSTATFS},
{Syscall: unix.SYS_FSYNC},
{Syscall: unix.SYS_FTRUNCATE},
{Syscall: unix.SYS_FUTEX},
{Syscall: unix.SYS_FUTIMESAT},
{Syscall: unix.SYS_GETCPU},
{Syscall: unix.SYS_GETCWD},
{Syscall: unix.SYS_GETDENTS},
{Syscall: unix.SYS_GETDENTS64},
{Syscall: unix.SYS_GETEGID},
{Syscall: unix.SYS_GETEUID},
{Syscall: unix.SYS_GETGID},
{Syscall: unix.SYS_GETGROUPS},
{Syscall: unix.SYS_GETITIMER},
{Syscall: unix.SYS_GETPEERNAME},
{Syscall: unix.SYS_GETPGID},
{Syscall: unix.SYS_GETPGRP},
{Syscall: unix.SYS_GETPID},
{Syscall: unix.SYS_GETPPID},
{Syscall: unix.SYS_GETPRIORITY},
{Syscall: unix.SYS_GETRANDOM},
{Syscall: unix.SYS_GETRESGID},
{Syscall: unix.SYS_GETRESUID},
{Syscall: unix.SYS_GETRLIMIT},
{Syscall: unix.SYS_GET_ROBUST_LIST},
{Syscall: unix.SYS_GETRUSAGE},
{Syscall: unix.SYS_GETSID},
{Syscall: unix.SYS_GETSOCKNAME},
{Syscall: unix.SYS_GETSOCKOPT},
{Syscall: unix.SYS_GET_THREAD_AREA},
{Syscall: unix.SYS_GETTID},
{Syscall: unix.SYS_GETTIMEOFDAY},
{Syscall: unix.SYS_GETUID},
{Syscall: unix.SYS_GETXATTR},
{Syscall: unix.SYS_INOTIFY_ADD_WATCH},
{Syscall: unix.SYS_INOTIFY_INIT},
{Syscall: unix.SYS_INOTIFY_INIT1},
{Syscall: unix.SYS_INOTIFY_RM_WATCH},
{Syscall: unix.SYS_IO_CANCEL},
{Syscall: unix.SYS_IOCTL},
{Syscall: unix.SYS_IO_DESTROY},
{Syscall: unix.SYS_IO_GETEVENTS},
{Syscall: unix.SYS_IOPRIO_GET},
{Syscall: unix.SYS_IOPRIO_SET},
{Syscall: unix.SYS_IO_SETUP},
{Syscall: unix.SYS_IO_SUBMIT},
{Syscall: unix.SYS_KILL},
{Syscall: unix.SYS_LCHOWN},
{Syscall: unix.SYS_LGETXATTR},
{Syscall: unix.SYS_LINK},
{Syscall: unix.SYS_LINKAT},
{Syscall: unix.SYS_LISTEN},
{Syscall: unix.SYS_LISTXATTR},
{Syscall: unix.SYS_LLISTXATTR},
{Syscall: unix.SYS_LREMOVEXATTR},
{Syscall: unix.SYS_LSEEK},
{Syscall: unix.SYS_LSETXATTR},
{Syscall: unix.SYS_LSTAT},
{Syscall: unix.SYS_MADVISE},
{Syscall: unix.SYS_MEMFD_CREATE},
{Syscall: unix.SYS_MINCORE},
{Syscall: unix.SYS_MKDIR},
{Syscall: unix.SYS_MKDIRAT},
{Syscall: unix.SYS_MKNOD},
{Syscall: unix.SYS_MKNODAT},
{Syscall: unix.SYS_MLOCK},
{Syscall: unix.SYS_MLOCK2},
{Syscall: unix.SYS_MLOCKALL},
{Syscall: unix.SYS_MMAP},
{Syscall: unix.SYS_MODIFY_LDT},
{Syscall: unix.SYS_MPROTECT},
{Syscall: unix.SYS_MQ_GETSETATTR},
{Syscall: unix.SYS_MQ_NOTIFY},
{Syscall: unix.SYS_MQ_OPEN},
{Syscall: unix.SYS_MQ_TIMEDRECEIVE},
{Syscall: unix.SYS_MQ_TIMEDSEND},
{Syscall: unix.SYS_MQ_UNLINK},
{Syscall: unix.SYS_MREMAP},
{Syscall: unix.SYS_MSGCTL},
{Syscall: unix.SYS_MSGGET},
{Syscall: unix.SYS_MSGRCV},
{Syscall: unix.SYS_MSGSND},
{Syscall: unix.SYS_MSYNC},
{Syscall: unix.SYS_MUNLOCK},
{Syscall: unix.SYS_MUNLOCKALL},
{Syscall: unix.SYS_MUNMAP},
{Syscall: unix.SYS_NANOSLEEP},
{Syscall: unix.SYS_NEWFSTATAT},
{Syscall: unix.SYS_OPEN},
{Syscall: unix.SYS_OPENAT},
{Syscall: unix.SYS_PAUSE},
{
Syscall: unix.SYS_PERSONALITY,
Any: []SeccompConditions{
{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0}}},
{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 8}}},
{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20000}}},
{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0x20008}}},
{All: []SeccompCondition{SeccompArgEquals{Arg: 0, Value: 0xffffffff}}},
},
},
{Syscall: unix.SYS_PIPE},
{Syscall: unix.SYS_PIPE2},
{Syscall: unix.SYS_POLL},
{Syscall: unix.SYS_PPOLL},
{Syscall: unix.SYS_PRCTL},
{Syscall: unix.SYS_PREAD64},
{Syscall: unix.SYS_PREADV},
{Syscall: unix.SYS_PREADV2},
{Syscall: unix.SYS_PRLIMIT64},
{Syscall: unix.SYS_PSELECT6},
{Syscall: unix.SYS_PWRITE64},
{Syscall: unix.SYS_PWRITEV},
{Syscall: unix.SYS_PWRITEV2},
{Syscall: unix.SYS_READ},
{Syscall: unix.SYS_READAHEAD},
{Syscall: unix.SYS_READLINK},
{Syscall: unix.SYS_READLINKAT},
{Syscall: unix.SYS_READV},
{Syscall: unix.SYS_RECVFROM},
{Syscall: unix.SYS_RECVMMSG},
{Syscall: unix.SYS_RECVMSG},
{Syscall: unix.SYS_REMAP_FILE_PAGES},
{Syscall: unix.SYS_REMOVEXATTR},
{Syscall: unix.SYS_RENAME},
{Syscall: unix.SYS_RENAMEAT},
{Syscall: unix.SYS_RENAMEAT2},
{Syscall: unix.SYS_RESTART_SYSCALL},
{Syscall: unix.SYS_RMDIR},
{Syscall: unix.SYS_RT_SIGACTION},
{Syscall: unix.SYS_RT_SIGPENDING},
{Syscall: unix.SYS_RT_SIGPROCMASK},
{Syscall: unix.SYS_RT_SIGQUEUEINFO},
{Syscall: unix.SYS_RT_SIGRETURN},
{Syscall: unix.SYS_RT_SIGSUSPEND},
{Syscall: unix.SYS_RT_SIGTIMEDWAIT},
{Syscall: unix.SYS_RT_TGSIGQUEUEINFO},
{Syscall: unix.SYS_SCHED_GETAFFINITY},
{Syscall: unix.SYS_SCHED_GETATTR},
{Syscall: unix.SYS_SCHED_GETPARAM},
{Syscall: unix.SYS_SCHED_GET_PRIORITY_MAX},
{Syscall: unix.SYS_SCHED_GET_PRIORITY_MIN},
{Syscall: unix.SYS_SCHED_GETSCHEDULER},
{Syscall: unix.SYS_SCHED_RR_GET_INTERVAL},
{Syscall: unix.SYS_SCHED_SETAFFINITY},
{Syscall: unix.SYS_SCHED_SETATTR},
{Syscall: unix.SYS_SCHED_SETPARAM},
{Syscall: unix.SYS_SCHED_SETSCHEDULER},
{Syscall: unix.SYS_SCHED_YIELD},
{Syscall: unix.SYS_SECCOMP},
{Syscall: unix.SYS_SELECT},
{Syscall: unix.SYS_SEMCTL},
{Syscall: unix.SYS_SEMGET},
{Syscall: unix.SYS_SEMOP},
{Syscall: unix.SYS_SEMTIMEDOP},
{Syscall: unix.SYS_SENDFILE},
{Syscall: unix.SYS_SENDMMSG},
{Syscall: unix.SYS_SENDMSG},
{Syscall: unix.SYS_SENDTO},
{Syscall: unix.SYS_SETFSGID},
{Syscall: unix.SYS_SETFSUID},
{Syscall: unix.SYS_SETGID},
{Syscall: unix.SYS_SETGROUPS},
{Syscall: unix.SYS_SETITIMER},
{Syscall: unix.SYS_SETPGID},
{Syscall: unix.SYS_SETPRIORITY},
{Syscall: unix.SYS_SETREGID},
{Syscall: unix.SYS_SETRESGID},
{Syscall: unix.SYS_SETRESUID},
{Syscall: unix.SYS_SETREUID},
{Syscall: unix.SYS_SETRLIMIT},
{Syscall: unix.SYS_SET_ROBUST_LIST},
{Syscall: unix.SYS_SETSID},
{Syscall: unix.SYS_SETSOCKOPT},
{Syscall: unix.SYS_SET_THREAD_AREA},
{Syscall: unix.SYS_SET_TID_ADDRESS},
{Syscall: unix.SYS_SETUID},
{Syscall: unix.SYS_SETXATTR},
{Syscall: unix.SYS_SHMAT},
{Syscall: unix.SYS_SHMCTL},
{Syscall: unix.SYS_SHMDT},
{Syscall: unix.SYS_SHMGET},
{Syscall: unix.SYS_SHUTDOWN},
{Syscall: unix.SYS_SIGALTSTACK},
{Syscall: unix.SYS_SIGNALFD},
{Syscall: unix.SYS_SIGNALFD4},
{Syscall: unix.SYS_SOCKET},
{Syscall: unix.SYS_SOCKETPAIR},
{Syscall: unix.SYS_SPLICE},
{Syscall: unix.SYS_STAT},
{Syscall: unix.SYS_STATFS},
{Syscall: unix.SYS_SYMLINK},
{Syscall: unix.SYS_SYMLINKAT},
{Syscall: unix.SYS_SYNC},
{Syscall: unix.SYS_SYNC_FILE_RANGE},
{Syscall: unix.SYS_SYNCFS},
{Syscall: unix.SYS_SYSINFO},
{Syscall: unix.SYS_SYSLOG},
{Syscall: unix.SYS_TEE},
{Syscall: unix.SYS_TGKILL},
{Syscall: unix.SYS_TIME},
{Syscall: unix.SYS_TIMER_CREATE},
{Syscall: unix.SYS_TIMER_DELETE},
{Syscall: unix.SYS_TIMERFD_CREATE},
{Syscall: unix.SYS_TIMERFD_GETTIME},
{Syscall: unix.SYS_TIMERFD_SETTIME},
{Syscall: unix.SYS_TIMER_GETOVERRUN},
{Syscall: unix.SYS_TIMER_GETTIME},
{Syscall: unix.SYS_TIMER_SETTIME},
{Syscall: unix.SYS_TIMES},
{Syscall: unix.SYS_TKILL},
{Syscall: unix.SYS_TRUNCATE},
{Syscall: unix.SYS_UMASK},
{Syscall: unix.SYS_UNAME},
{Syscall: unix.SYS_UNLINK},
{Syscall: unix.SYS_UNLINKAT},
{Syscall: unix.SYS_UTIME},
{Syscall: unix.SYS_UTIMENSAT},
{Syscall: unix.SYS_UTIMES},
{Syscall: unix.SYS_VFORK},
{Syscall: unix.SYS_VMSPLICE},
{Syscall: unix.SYS_WAIT4},
{Syscall: unix.SYS_WAITID},
{Syscall: unix.SYS_WRITE},
{Syscall: unix.SYS_WRITEV},
}
Reference in New Issue Copy Permalink