mirror of
https://github.com/netbirdio/gvisor.git
synced 2026-05-22 17:12:49 -07:00
Etienne Perot
f098b9b06e
This wraps the `map[uintptry]SyscallRule` into an unexported field of a struct so that it cannot be accessed directly. This is helpful for the `runsc` and `fsgofer` seccomp filters which are quite complex and built across multiple files and multiple functions, where it is not always clear which order they are executed in. By forcing mutations to be more explicit about their intent (especially "merge with this new rule" vs "override what happens for this syscall with this new rule"), we can crash if that intent isn't what's actually happening. PiperOrigin-RevId: 572361619
62 lines
1.8 KiB
Go
62 lines
1.8 KiB
Go
// Copyright 2021 The gVisor Authors.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package systrap
|
|
|
|
import (
|
|
"golang.org/x/sys/unix"
|
|
"gvisor.dev/gvisor/pkg/abi/linux"
|
|
"gvisor.dev/gvisor/pkg/seccomp"
|
|
)
|
|
|
|
func appendSysThreadArchSeccompRules(rules []seccomp.RuleSet) []seccomp.RuleSet {
|
|
return append(rules, []seccomp.RuleSet{
|
|
{
|
|
// Rules for trapping vsyscall access.
|
|
Rules: seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{
|
|
unix.SYS_GETTIMEOFDAY: seccomp.MatchAll{},
|
|
unix.SYS_TIME: seccomp.MatchAll{},
|
|
unix.SYS_GETCPU: seccomp.MatchAll{}, // SYS_GETCPU was not defined in package syscall on amd64.
|
|
}),
|
|
Action: linux.SECCOMP_RET_TRAP,
|
|
Vsyscall: true,
|
|
},
|
|
{
|
|
Rules: seccomp.MakeSyscallRules(map[uintptr]seccomp.SyscallRule{
|
|
unix.SYS_ARCH_PRCTL: seccomp.Or{
|
|
seccomp.PerArg{
|
|
seccomp.EqualTo(linux.ARCH_SET_FS),
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.GreaterThan(stubStart), // rip
|
|
},
|
|
seccomp.PerArg{
|
|
seccomp.EqualTo(linux.ARCH_GET_FS),
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.AnyValue{},
|
|
seccomp.GreaterThan(stubStart), // rip
|
|
},
|
|
},
|
|
}),
|
|
Action: linux.SECCOMP_RET_ALLOW,
|
|
},
|
|
}...)
|
|
}
|