1 | 1 |
new file mode 100755 |
... | ... |
@@ -0,0 +1,77 @@ |
0 |
+#!/usr/bin/perl |
|
1 |
+# |
|
2 |
+# A simple helper script to help people build seccomp profiles for |
|
3 |
+# Docker/LXC. The goal is mostly to reduce the attack surface to the |
|
4 |
+# kernel, by restricting access to rarely used, recently added or not used |
|
5 |
+# syscalls. |
|
6 |
+# |
|
7 |
+# This script processes one or more files which contain the list of system |
|
8 |
+# calls to be allowed. See mkseccomp.sample for more information how you |
|
9 |
+# can configure the list of syscalls. When run, this script produces output |
|
10 |
+# which, when stored in a file, can be passed to docker as follows: |
|
11 |
+# |
|
12 |
+# docker run -lxc-conf="lxc.seccomp=$file" <rest of arguments> |
|
13 |
+# |
|
14 |
+# The included sample file shows how to cut about a quarter of all syscalls, |
|
15 |
+# which affecting most applications. |
|
16 |
+# |
|
17 |
+# For specific situations it is possible to reduce the list further. By |
|
18 |
+# reducing the list to just those syscalls required by a certain application |
|
19 |
+# you can make it difficult for unknown/unexpected code to run. |
|
20 |
+# |
|
21 |
+# Run this script as follows: |
|
22 |
+# |
|
23 |
+# ./mkseccomp.pl < mkseccomp.sample >syscalls.list |
|
24 |
+# or |
|
25 |
+# ./mkseccomp.pl mkseccomp.sample >syscalls.list |
|
26 |
+# |
|
27 |
+# Multiple files can be specified, in which case the lists of syscalls are |
|
28 |
+# combined. |
|
29 |
+# |
|
30 |
+# By Martijn van Oosterhout <kleptog@svana.org> Nov 2013 |
|
31 |
+ |
|
32 |
+# How it works: |
|
33 |
+# |
|
34 |
+# This program basically spawns two processes to form a chain like: |
|
35 |
+# |
|
36 |
+# <process data section to prefix __NR_> | cpp | <add header and filter unknown syscalls> |
|
37 |
+ |
|
38 |
+use strict; |
|
39 |
+use warnings; |
|
40 |
+ |
|
41 |
+if( -t ) { |
|
42 |
+ print STDERR "Helper script to make seccomp filters for Docker/LXC.\n"; |
|
43 |
+ print STDERR "Usage: mkseccomp.pl [files...]\n"; |
|
44 |
+ exit 1; |
|
45 |
+} |
|
46 |
+ |
|
47 |
+my $pid = open(my $in, "-|") // die "Couldn't fork1 ($!)\n"; |
|
48 |
+ |
|
49 |
+if($pid == 0) { # Child |
|
50 |
+ $pid = open(my $out, "|-") // die "Couldn't fork2 ($!)\n"; |
|
51 |
+ |
|
52 |
+ if($pid == 0) { # Child, which execs cpp |
|
53 |
+ exec "cpp" or die "Couldn't exec cpp ($!)\n"; |
|
54 |
+ exit 1; |
|
55 |
+ } |
|
56 |
+ |
|
57 |
+ # Process the DATA section and output to cpp |
|
58 |
+ print $out "#include <sys/syscall.h>\n"; |
|
59 |
+ while(<>) { |
|
60 |
+ if(/^\w/) { |
|
61 |
+ print $out "__NR_$_"; |
|
62 |
+ } |
|
63 |
+ } |
|
64 |
+ close $out; |
|
65 |
+ exit 0; |
|
66 |
+ |
|
67 |
+} |
|
68 |
+ |
|
69 |
+# Print header and then process output from cpp. |
|
70 |
+print "1\n"; |
|
71 |
+print "whitelist\n"; |
|
72 |
+ |
|
73 |
+while(<$in>) { |
|
74 |
+ print if( /^[0-9]/ ); |
|
75 |
+} |
|
76 |
+ |
0 | 77 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,444 @@ |
0 |
+/* This sample file is an example for mkseccomp.pl to produce a seccomp file |
|
1 |
+ * which restricts syscalls that are only useful for an admin but allows the |
|
2 |
+ * vast majority of normal userspace programs to run normally. |
|
3 |
+ * |
|
4 |
+ * The format of this file is one line per syscall. This is then processed |
|
5 |
+ * and passed to 'cpp' to convert the names to numbers using whatever is |
|
6 |
+ * correct for your platform. As such C-style comments are permitted. Note |
|
7 |
+ * this also means that C preprocessor macros are also allowed. So it is |
|
8 |
+ * possible to create groups surrounded by #ifdef/#endif and control their |
|
9 |
+ * inclusion via #define (not #include). |
|
10 |
+ * |
|
11 |
+ * Syscalls that don't exist on your architecture are silently filtered out. |
|
12 |
+ * Syscalls marked with (*) are required for a container to spawn a bash |
|
13 |
+ * shell successfully (not necessarily full featured). Listing the same |
|
14 |
+ * syscall multiple times is no problem. |
|
15 |
+ * |
|
16 |
+ * If you want to make a list specifically for one application the easiest |
|
17 |
+ * way is to run the application under strace, like so: |
|
18 |
+ * |
|
19 |
+ * $ strace -f -q -c -o strace.out application args... |
|
20 |
+ * |
|
21 |
+ * Once you have a reasonable sample of the execution of the program, exit |
|
22 |
+ * it. The file strace.out will have a summary of the syscalls used. Copy |
|
23 |
+ * that list into this file, comment out everything else except the starred |
|
24 |
+ * syscalls (which you need for the container to start) and you're done. |
|
25 |
+ * |
|
26 |
+ * To get the list of syscalls from the strace output this works well for |
|
27 |
+ * me |
|
28 |
+ * |
|
29 |
+ * $ cut -c52 < strace.out |
|
30 |
+ * |
|
31 |
+ * This sample list was compiled as a combination of all the syscalls |
|
32 |
+ * available on i386 and amd64 on Ubuntu Precise, as such it may not contain |
|
33 |
+ * everything and not everything may be relevent for your system. This |
|
34 |
+ * shouldn't be a problem. |
|
35 |
+ */ |
|
36 |
+ |
|
37 |
+// Filesystem/File descriptor related |
|
38 |
+access // (*) |
|
39 |
+chdir // (*) |
|
40 |
+chmod |
|
41 |
+chown |
|
42 |
+chown32 |
|
43 |
+close // (*) |
|
44 |
+creat |
|
45 |
+dup // (*) |
|
46 |
+dup2 // (*) |
|
47 |
+dup3 |
|
48 |
+epoll_create |
|
49 |
+epoll_create1 |
|
50 |
+epoll_ctl |
|
51 |
+epoll_ctl_old |
|
52 |
+epoll_pwait |
|
53 |
+epoll_wait |
|
54 |
+epoll_wait_old |
|
55 |
+eventfd |
|
56 |
+eventfd2 |
|
57 |
+faccessat // (*) |
|
58 |
+fadvise64 |
|
59 |
+fadvise64_64 |
|
60 |
+fallocate |
|
61 |
+fanotify_init |
|
62 |
+fanotify_mark |
|
63 |
+ioctl // (*) |
|
64 |
+fchdir |
|
65 |
+fchmod |
|
66 |
+fchmodat |
|
67 |
+fchown |
|
68 |
+fchown32 |
|
69 |
+fchownat |
|
70 |
+fcntl // (*) |
|
71 |
+fcntl64 |
|
72 |
+fdatasync |
|
73 |
+fgetxattr |
|
74 |
+flistxattr |
|
75 |
+flock |
|
76 |
+fremovexattr |
|
77 |
+fsetxattr |
|
78 |
+fstat // (*) |
|
79 |
+fstat64 |
|
80 |
+fstatat64 |
|
81 |
+fstatfs |
|
82 |
+fstatfs64 |
|
83 |
+fsync |
|
84 |
+ftruncate |
|
85 |
+ftruncate64 |
|
86 |
+getcwd // (*) |
|
87 |
+getdents // (*) |
|
88 |
+getdents64 |
|
89 |
+getxattr |
|
90 |
+inotify_add_watch |
|
91 |
+inotify_init |
|
92 |
+inotify_init1 |
|
93 |
+inotify_rm_watch |
|
94 |
+io_cancel |
|
95 |
+io_destroy |
|
96 |
+io_getevents |
|
97 |
+io_setup |
|
98 |
+io_submit |
|
99 |
+lchown |
|
100 |
+lchown32 |
|
101 |
+lgetxattr |
|
102 |
+link |
|
103 |
+linkat |
|
104 |
+listxattr |
|
105 |
+llistxattr |
|
106 |
+llseek |
|
107 |
+_llseek |
|
108 |
+lremovexattr |
|
109 |
+lseek // (*) |
|
110 |
+lsetxattr |
|
111 |
+lstat |
|
112 |
+lstat64 |
|
113 |
+mkdir |
|
114 |
+mkdirat |
|
115 |
+mknod |
|
116 |
+mknodat |
|
117 |
+newfstatat |
|
118 |
+_newselect |
|
119 |
+oldfstat |
|
120 |
+oldlstat |
|
121 |
+oldolduname |
|
122 |
+oldstat |
|
123 |
+olduname |
|
124 |
+oldwait4 |
|
125 |
+open // (*) |
|
126 |
+openat // (*) |
|
127 |
+pipe // (*) |
|
128 |
+pipe2 |
|
129 |
+poll |
|
130 |
+ppoll |
|
131 |
+pread64 |
|
132 |
+preadv |
|
133 |
+futimesat |
|
134 |
+pselect6 |
|
135 |
+pwrite64 |
|
136 |
+pwritev |
|
137 |
+read // (*) |
|
138 |
+readahead |
|
139 |
+readdir |
|
140 |
+readlink |
|
141 |
+readlinkat |
|
142 |
+readv |
|
143 |
+removexattr |
|
144 |
+rename |
|
145 |
+renameat |
|
146 |
+rmdir |
|
147 |
+select |
|
148 |
+sendfile |
|
149 |
+sendfile64 |
|
150 |
+setxattr |
|
151 |
+splice |
|
152 |
+stat // (*) |
|
153 |
+stat64 |
|
154 |
+statfs // (*) |
|
155 |
+statfs64 |
|
156 |
+symlink |
|
157 |
+symlinkat |
|
158 |
+sync |
|
159 |
+sync_file_range |
|
160 |
+sync_file_range2 |
|
161 |
+syncfs |
|
162 |
+tee |
|
163 |
+truncate |
|
164 |
+truncate64 |
|
165 |
+umask |
|
166 |
+unlink |
|
167 |
+unlinkat |
|
168 |
+ustat |
|
169 |
+utime |
|
170 |
+utimensat |
|
171 |
+utimes |
|
172 |
+write // (*) |
|
173 |
+writev |
|
174 |
+ |
|
175 |
+// Network related |
|
176 |
+accept |
|
177 |
+accept4 |
|
178 |
+bind // (*) |
|
179 |
+connect // (*) |
|
180 |
+getpeername |
|
181 |
+getsockname // (*) |
|
182 |
+getsockopt |
|
183 |
+listen |
|
184 |
+recv |
|
185 |
+recvfrom // (*) |
|
186 |
+recvmmsg |
|
187 |
+recvmsg |
|
188 |
+send |
|
189 |
+sendmmsg |
|
190 |
+sendmsg |
|
191 |
+sendto // (*) |
|
192 |
+setsockopt |
|
193 |
+shutdown |
|
194 |
+socket // (*) |
|
195 |
+socketcall |
|
196 |
+socketpair |
|
197 |
+ |
|
198 |
+// Signal related |
|
199 |
+pause |
|
200 |
+rt_sigaction // (*) |
|
201 |
+rt_sigpending |
|
202 |
+rt_sigprocmask // (*) |
|
203 |
+rt_sigqueueinfo |
|
204 |
+rt_sigreturn // (*) |
|
205 |
+rt_sigsuspend |
|
206 |
+rt_sigtimedwait |
|
207 |
+rt_tgsigqueueinfo |
|
208 |
+sigaction |
|
209 |
+sigaltstack // (*) |
|
210 |
+signal |
|
211 |
+signalfd |
|
212 |
+signalfd4 |
|
213 |
+sigpending |
|
214 |
+sigprocmask |
|
215 |
+sigreturn |
|
216 |
+sigsuspend |
|
217 |
+ |
|
218 |
+// Other needed POSIX |
|
219 |
+alarm |
|
220 |
+brk // (*) |
|
221 |
+clock_adjtime |
|
222 |
+clock_getres |
|
223 |
+clock_gettime |
|
224 |
+clock_nanosleep |
|
225 |
+//clock_settime |
|
226 |
+gettimeofday |
|
227 |
+nanosleep |
|
228 |
+nice |
|
229 |
+sysinfo |
|
230 |
+syslog |
|
231 |
+time |
|
232 |
+timer_create |
|
233 |
+timer_delete |
|
234 |
+timerfd_create |
|
235 |
+timerfd_gettime |
|
236 |
+timerfd_settime |
|
237 |
+timer_getoverrun |
|
238 |
+timer_gettime |
|
239 |
+timer_settime |
|
240 |
+times |
|
241 |
+uname // (*) |
|
242 |
+ |
|
243 |
+// Memory control |
|
244 |
+madvise |
|
245 |
+mbind |
|
246 |
+mincore |
|
247 |
+mlock |
|
248 |
+mlockall |
|
249 |
+mmap // (*) |
|
250 |
+mmap2 |
|
251 |
+mprotect // (*) |
|
252 |
+mremap |
|
253 |
+msync |
|
254 |
+munlock |
|
255 |
+munlockall |
|
256 |
+munmap // (*) |
|
257 |
+remap_file_pages |
|
258 |
+set_mempolicy |
|
259 |
+vmsplice |
|
260 |
+ |
|
261 |
+// Process control |
|
262 |
+capget |
|
263 |
+//capset |
|
264 |
+clone // (*) |
|
265 |
+execve // (*) |
|
266 |
+exit // (*) |
|
267 |
+exit_group // (*) |
|
268 |
+fork |
|
269 |
+getcpu |
|
270 |
+getpgid |
|
271 |
+getpgrp // (*) |
|
272 |
+getpid // (*) |
|
273 |
+getppid // (*) |
|
274 |
+getpriority |
|
275 |
+getresgid |
|
276 |
+getresgid32 |
|
277 |
+getresuid |
|
278 |
+getresuid32 |
|
279 |
+getrlimit // (*) |
|
280 |
+getrusage |
|
281 |
+getsid |
|
282 |
+getuid // (*) |
|
283 |
+getuid32 |
|
284 |
+getegid // (*) |
|
285 |
+getegid32 |
|
286 |
+geteuid // (*) |
|
287 |
+geteuid32 |
|
288 |
+getgid // (*) |
|
289 |
+getgid32 |
|
290 |
+getgroups |
|
291 |
+getgroups32 |
|
292 |
+getitimer |
|
293 |
+get_mempolicy |
|
294 |
+kill |
|
295 |
+//personality |
|
296 |
+prctl |
|
297 |
+prlimit64 |
|
298 |
+sched_getaffinity |
|
299 |
+sched_getparam |
|
300 |
+sched_get_priority_max |
|
301 |
+sched_get_priority_min |
|
302 |
+sched_getscheduler |
|
303 |
+sched_rr_get_interval |
|
304 |
+//sched_setaffinity |
|
305 |
+//sched_setparam |
|
306 |
+//sched_setscheduler |
|
307 |
+sched_yield |
|
308 |
+setfsgid |
|
309 |
+setfsgid32 |
|
310 |
+setfsuid |
|
311 |
+setfsuid32 |
|
312 |
+setgid |
|
313 |
+setgid32 |
|
314 |
+setgroups |
|
315 |
+setgroups32 |
|
316 |
+setitimer |
|
317 |
+setpgid // (*) |
|
318 |
+setpriority |
|
319 |
+setregid |
|
320 |
+setregid32 |
|
321 |
+setresgid |
|
322 |
+setresgid32 |
|
323 |
+setresuid |
|
324 |
+setresuid32 |
|
325 |
+setreuid |
|
326 |
+setreuid32 |
|
327 |
+setrlimit |
|
328 |
+setsid |
|
329 |
+setuid |
|
330 |
+setuid32 |
|
331 |
+ugetrlimit |
|
332 |
+vfork |
|
333 |
+wait4 // (*) |
|
334 |
+waitid |
|
335 |
+waitpid |
|
336 |
+ |
|
337 |
+// IPC |
|
338 |
+ipc |
|
339 |
+mq_getsetattr |
|
340 |
+mq_notify |
|
341 |
+mq_open |
|
342 |
+mq_timedreceive |
|
343 |
+mq_timedsend |
|
344 |
+mq_unlink |
|
345 |
+msgctl |
|
346 |
+msgget |
|
347 |
+msgrcv |
|
348 |
+msgsnd |
|
349 |
+semctl |
|
350 |
+semget |
|
351 |
+semop |
|
352 |
+semtimedop |
|
353 |
+shmat |
|
354 |
+shmctl |
|
355 |
+shmdt |
|
356 |
+shmget |
|
357 |
+ |
|
358 |
+// Linux specific, mostly needed for thread-related stuff |
|
359 |
+arch_prctl // (*) |
|
360 |
+get_robust_list |
|
361 |
+get_thread_area |
|
362 |
+gettid |
|
363 |
+futex // (*) |
|
364 |
+restart_syscall // (*) |
|
365 |
+set_robust_list // (*) |
|
366 |
+set_thread_area |
|
367 |
+set_tid_address // (*) |
|
368 |
+tgkill |
|
369 |
+tkill |
|
370 |
+ |
|
371 |
+// Admin syscalls, these are blocked |
|
372 |
+//acct |
|
373 |
+//adjtimex |
|
374 |
+//bdflush |
|
375 |
+//chroot |
|
376 |
+//create_module |
|
377 |
+//delete_module |
|
378 |
+//get_kernel_syms // Obsolete |
|
379 |
+//idle // Obsolete |
|
380 |
+//init_module |
|
381 |
+//ioperm |
|
382 |
+//iopl |
|
383 |
+//ioprio_get |
|
384 |
+//ioprio_set |
|
385 |
+//kexec_load |
|
386 |
+//lookup_dcookie // oprofile only? |
|
387 |
+//migrate_pages // NUMA |
|
388 |
+//modify_ldt |
|
389 |
+//mount |
|
390 |
+//move_pages // NUMA |
|
391 |
+//name_to_handle_at // NFS server |
|
392 |
+//nfsservctl // NFS server |
|
393 |
+//open_by_handle_at // NFS server |
|
394 |
+//perf_event_open |
|
395 |
+//pivot_root |
|
396 |
+//process_vm_readv // For debugger |
|
397 |
+//process_vm_writev // For debugger |
|
398 |
+//ptrace // For debugger |
|
399 |
+//query_module |
|
400 |
+//quotactl |
|
401 |
+//reboot |
|
402 |
+//setdomainname |
|
403 |
+//sethostname |
|
404 |
+//setns |
|
405 |
+//settimeofday |
|
406 |
+//sgetmask // Obsolete |
|
407 |
+//ssetmask // Obsolete |
|
408 |
+//stime |
|
409 |
+//swapoff |
|
410 |
+//swapon |
|
411 |
+//_sysctl |
|
412 |
+//sysfs |
|
413 |
+//sys_setaltroot |
|
414 |
+//umount |
|
415 |
+//umount2 |
|
416 |
+//unshare |
|
417 |
+//uselib |
|
418 |
+//vhangup |
|
419 |
+//vm86 |
|
420 |
+//vm86old |
|
421 |
+ |
|
422 |
+// Kernel key management |
|
423 |
+//add_key |
|
424 |
+//keyctl |
|
425 |
+//request_key |
|
426 |
+ |
|
427 |
+// Unimplemented |
|
428 |
+//afs_syscall |
|
429 |
+//break |
|
430 |
+//ftime |
|
431 |
+//getpmsg |
|
432 |
+//gtty |
|
433 |
+//lock |
|
434 |
+//madvise1 |
|
435 |
+//mpx |
|
436 |
+//prof |
|
437 |
+//profil |
|
438 |
+//putpmsg |
|
439 |
+//security |
|
440 |
+//stty |
|
441 |
+//tuxcall |
|
442 |
+//ulimit |
|
443 |
+//vserver |