
/* SPDX-License-Identifier: GPL-2.0-or-later */

/* We do not need an `#ifndef _XXX_H` include guard: https://github.com/rootless-containers/slirp4netns/pull/238#discussion_r530214521 */

#ifndef BLOCK
#error "Included in an unexpected way?"
#endif

/*
  NOTE:
  - This file is only a list of BLOCK(<syscall>) entries. The including
    translation unit must define BLOCK before including it (checked above),
    so what an entry actually does — e.g. which seccomp action is attached
    to the syscall — is decided by that definition, not here.
  - Each "group:" label is the name of the systemd syscall-filter set the
    syscalls below it belong to. Run `sudo systemd-analyze syscall-filter`
    to show the list of syscall groups.
  - Ideally we should also block open() and openat(), but these calls are
    required for opening resolv.conf.
  - NOTE(review): this is a denylist, so a syscall that is not listed here
    is not touched by these entries; presumably the includer's default
    action is to allow — verify that there when adding or removing entries.
 */

/* group: @default */
BLOCK(execve);

/* group: @debug */
BLOCK(lookup_dcookie);
BLOCK(pidfd_getfd);
BLOCK(ptrace);

/* group: @ipc */
BLOCK(process_vm_readv);
BLOCK(process_vm_writev);

/* group: @module */
BLOCK(delete_module);
BLOCK(finit_module);
BLOCK(init_module);

/* group: @mount */
BLOCK(chroot);
BLOCK(fsconfig);
BLOCK(fsmount);
BLOCK(fsopen);
BLOCK(fspick);
BLOCK(mount);
BLOCK(move_mount);
BLOCK(open_tree);
BLOCK(pivot_root);
BLOCK(umount);
BLOCK(umount2);

/* group: @privileged */
BLOCK(open_by_handle_at);

/* group: @process */
BLOCK(execveat);
BLOCK(pidfd_open);
BLOCK(pidfd_send_signal);
BLOCK(prctl);
BLOCK(setns);
BLOCK(unshare);

/* group: @reboot */
BLOCK(kexec_file_load);
BLOCK(kexec_load);
BLOCK(reboot);

/* group: @system-service */
BLOCK(name_to_handle_at);