kawipiko/sources/cmd/server/seccomp.go


package server


import "log"

import "github.com/volution/kawipiko/lib/seccomp"

import . "github.com/volution/kawipiko/lib/common"


var _seccompBaseSyscalls = []string {
		
		"brk",
		"mmap",
		"munmap",
		"madvise",
		"mprotect",
		
		"clone3",
		"getpid",
		"gettid",
		"tgkill",
		"exit_group",
		"sched_yield",
		"nanosleep",
		
		"sigaltstack",
		"rt_sigaction",
		"rt_sigprocmask",
		"rt_sigreturn",
		"restart_syscall",
		
		"futex",
		"set_robust_list",
		"rseq",
		
	}


// NOTE:  While serving.
var _seccompPhase3Syscalls = append ([]string {
		
		"accept4",
		"close",
		"getsockname",
		"getpeername",
		"getsockopt",
		"setsockopt",
		
		"read",
		"write",
		
		"pread64",
		"pwrite64",
		
		"recvmmsg",
		"sendmsg",
		
		"epoll_ctl",
		"epoll_pwait",
		
		"getrandom",
		
		"getrusage",
		
	}, _seccompBaseSyscalls ...)


// NOTE:  While listening.
var _seccompPhase2Syscalls = append ([]string {
		
		"socket",
		"bind",
		"listen",
		
		"pipe2",
		"fcntl",
		
		"epoll_create1",
		
		"seccomp",
		"prctl",
		
	}, _seccompPhase3Syscalls ...)


// NOTE:  While loading.
var _seccompPhase1Syscalls = append ([]string {
		
		"openat",
		"fstat",
		"newfstatat",
		
		"mmap",
		
		"setrlimit",
		
		"seccomp",
		"prctl",
		
	}, _seccompPhase2Syscalls ...)


func seccompApplyPhase1 () () {
	seccompApplied = true
	log.Printf ("[ii] [d53cf86e]  [seccomp.]  applying Linux seccomp filter (phase 1)...\n")
	if _error := seccomp.AllowOnlySyscalls (_seccompPhase1Syscalls); _error != nil {
		AbortError (_error, "[58d1492b]  failed to apply Linux seccomp filter (phase 1)!")
	}
}


func seccompApplyPhase2 () () {
	seccompApplied = true
	log.Printf ("[ii] [a338ddaf]  [seccomp.]  applying Linux seccomp filter (phase 2)...\n")
	if _error := seccomp.AllowOnlySyscalls (_seccompPhase2Syscalls); _error != nil {
		AbortError (_error, "[68283e68]  failed to apply Linux seccomp filter (phase 2)!")
	}
}


func seccompApplyPhase3 () () {
	seccompApplied = true
	log.Printf ("[ii] [a319ff21]  [seccomp.]  applying Linux seccomp filter (phase 3)...\n")
	if _error := seccomp.AllowOnlySyscalls (_seccompPhase3Syscalls); _error != nil {
		AbortError (_error, "[7c5a0f44]  failed to apply Linux seccomp filter (phase 3)!")
	}
}


var seccompApplied = false
var seccompSupported = seccomp.Supported
[sources] Add initial dummy `seccomp` module. 2022-09-11 09:07:12 +00:00
			`package server`

[server] Add `--seccomp-enable` flag and related logic (does not work for the moment). 2022-09-11 10:21:00 +00:00
[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`import "log"`

[server] Add `--seccomp-enable` flag and related logic (does not work for the moment). 2022-09-11 10:21:00 +00:00			`import "github.com/volution/kawipiko/lib/seccomp"`

[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`import . "github.com/volution/kawipiko/lib/common"`




[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`var _seccompBaseSyscalls = []string {`

			`"brk",`
			`"mmap",`
			`"munmap",`
			`"madvise",`
			`"mprotect",`

			`"clone3",`
			`"getpid",`
			`"gettid",`
			`"tgkill",`
			`"exit_group",`
			`"sched_yield",`
			`"nanosleep",`

			`"sigaltstack",`
			`"rt_sigaction",`
			`"rt_sigprocmask",`
			`"rt_sigreturn",`
			`"restart_syscall",`

			`"futex",`
			`"set_robust_list",`
			`"rseq",`

			`}`


			`// NOTE: While serving.`
			`var _seccompPhase3Syscalls = append ([]string {`

			`"accept4",`
			`"close",`
			`"getsockname",`
			`"getpeername",`
			`"getsockopt",`
			`"setsockopt",`

			`"read",`
			`"write",`

			`"pread64",`
			`"pwrite64",`

			`"recvmmsg",`
			`"sendmsg",`

			`"epoll_ctl",`
			`"epoll_pwait",`

			`"getrandom",`

			`"getrusage",`

			`}, _seccompBaseSyscalls ...)`


			`// NOTE: While listening.`
			`var _seccompPhase2Syscalls = append ([]string {`

			`"socket",`
			`"bind",`
			`"listen",`

			`"pipe2",`
			`"fcntl",`

			`"epoll_create1",`

			`"seccomp",`
			`"prctl",`

			`}, _seccompPhase3Syscalls ...)`


			`// NOTE: While loading.`
			`var _seccompPhase1Syscalls = append ([]string {`

			`"openat",`
			`"fstat",`
			`"newfstatat",`

			`"mmap",`

[server] Add support for increasing (or decreasing) descriptors count. 2022-09-11 17:42:39 +00:00			`"setrlimit",`

[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`"seccomp",`
			`"prctl",`

			`}, _seccompPhase2Syscalls ...)`




[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`func seccompApplyPhase1 () () {`
[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`seccompApplied = true`
[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`log.Printf ("[ii] [d53cf86e] [seccomp.] applying Linux seccomp filter (phase 1)...\n")`
[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`if _error := seccomp.AllowOnlySyscalls (_seccompPhase1Syscalls); _error != nil {`
[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`AbortError (_error, "[58d1492b] failed to apply Linux seccomp filter (phase 1)!")`
			`}`
			`}`


			`func seccompApplyPhase2 () () {`
[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`seccompApplied = true`
[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`log.Printf ("[ii] [a338ddaf] [seccomp.] applying Linux seccomp filter (phase 2)...\n")`
[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`if _error := seccomp.AllowOnlySyscalls (_seccompPhase2Syscalls); _error != nil {`
[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`AbortError (_error, "[68283e68] failed to apply Linux seccomp filter (phase 2)!")`
			`}`
			`}`


			`func seccompApplyPhase3 () () {`
[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`seccompApplied = true`
[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`log.Printf ("[ii] [a319ff21] [seccomp.] applying Linux seccomp filter (phase 3)...\n")`
[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`if _error := seccomp.AllowOnlySyscalls (_seccompPhase3Syscalls); _error != nil {`
[server] Add initial `seccomp` injection points. 2022-09-11 10:40:40 +00:00			`AbortError (_error, "[7c5a0f44] failed to apply Linux seccomp filter (phase 3)!")`
			`}`
			`}`

[server] Add `--seccomp-enable` flag and related logic (does not work for the moment). 2022-09-11 10:21:00 +00:00


[server] Add initial working Linux `seccomp` filter for the server. 2022-09-11 17:19:56 +00:00			`var seccompApplied = false`
[server] Add `--seccomp-enable` flag and related logic (does not work for the moment). 2022-09-11 10:21:00 +00:00			`var seccompSupported = seccomp.Supported`
[sources] Add initial dummy `seccomp` module. 2022-09-11 09:07:12 +00:00